
How to issue certificates with Subject Alternative Name for NNMi?


Question

 

How to issue certificates with Subject Alternative Name (SAN) for NNMi?

 

Answer

 

As security and cryptography practices change, many browsers require server certificates to contain the Subject Alternative Name (SAN) parameter.

This applies especially to the Google Chrome browser, which enforces this requirement on any certificate used by servers.

Certificates that are otherwise valid can still produce the error below in the web browser:

[Image: san.png]

When CA certificates are required for NNMi, the procedure below can be used to generate a new key pair and add the SAN parameter to both the self-signed certificate and the certificate signing request.

The commands described here should serve as an addition to the established guide in the official NNMi documentation.

 

- Generate new key-pair containing SAN parameter:

1. Remove nnm-key.p12 from:

Windows: %NNMDataDir%\shared\nnm\certificates

Unix: /var/opt/OV/shared/nnm/certificates/

2. Run the command below to generate a new key pair and an nnm-key.p12 file that contains the SAN values.

Windows:

%NNMInstallDir%\bin\nnmkeytool.ovpl -genkeypair -validity 3650 -keyalg rsa -keystore %NNMDataDir%\shared\nnm\certificates\nnm-key.p12 -storetype PKCS12 -ext san=dns:host1.domain.org,dns:host2.domain.org -storepass nnmkeypass -alias <alias>

Unix:

/opt/OV/bin/nnmkeytool.ovpl -genkeypair -validity 3650 -keyalg rsa -keystore /var/opt/OV/shared/nnm/certificates/nnm-key.p12 -storetype PKCS12 -ext san=dns:host1.domain.org,dns:host2.domain.org -storepass nnmkeypass -alias <alias>

It is a good idea to use the server FQDN as the alias.

When viewing the newly generated self-signed certificate, the information below should be present:

[Image: san2.PNG]
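A scripted version of the visual check above, as an added example that is not part of the original page or of NNMi. It assumes that nnmkeytool.ovpl accepts keytool's `-list -v` option and prints the SAN extension in keytool's format; the function names and the sample listing are constructed for illustration.

```shell
# Added example: confirm each hostname appears as a DNSName in the
# SubjectAlternativeName block of keytool-style "-list -v" output.
# Exact, case-insensitive match only; wildcard entries are not expanded.

# Print the SAN DNS names found on stdin, one per line, lowercased.
san_dns_names() {
    awk '
        /SubjectAlternativeName[ \t]*\[/ { in_san = 1; next }
        in_san && /^[ \t]*\]/           { in_san = 0; next }
        in_san && /DNSName:/ {
            sub(/^.*DNSName:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            print tolower($0)
        }
    '
}

# Usage: <listing on stdin> | check_san host1 host2 ...
# Returns 0 if every host is in the SAN list, 1 otherwise.
# A certificate with no SAN block fails for every host.
check_san() {
    names=$(san_dns_names)
    missing=0
    for host in "$@"; do
        want=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$names" | grep -Fxq -- "$want"; then
            echo "missing from SAN: $host" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample shaped like the extensions section of the listing.
sample_listing() {
    cat <<'EOF'
Alias name: host1.domain.org
Entry type: PrivateKeyEntry
Owner: CN=host1.domain.org
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: host1.domain.org
  DNSName: host2.domain.org
]
EOF
}

sample_listing | check_san host1.domain.org host2.domain.org && echo "SAN OK"
```

In practice, pipe the keystore listing into `check_san` in place of `sample_listing`, passing every hostname that users type into the browser to reach NNMi.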

 

- Generate CSR (Certificate Signing Request) containing SAN parameter:

1. Run the command below:

Windows:

%NNMInstallDir%\bin\nnmkeytool.ovpl -certreq -keystore %NNMDataDir%\shared\nnm\certificates\nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -alias <alias> -file <file.csr> -ext san=dns:host1.domain.org,dns:host2.domain.org

Unix:

/opt/OV/bin/nnmkeytool.ovpl -certreq -keystore /var/opt/OV/shared/nnm/certificates/nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -alias <alias> -file <file.csr> -ext san=dns:host1.domain.org,dns:host2.domain.org
