Creating CA Certificate for Agentry

Create a CA certificate using OpenSSL.

To create a CA certificate, you must install OpenSSL. OpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1). You can download OpenSSL at:

http://www.openssl.org/

  1. From a machine where OpenSSL is installed, set the SSLEAY_CONFIG environment variable to tell CA.pl where openssl.cnf is located by typing at a command prompt: export SSLEAY_CONFIG="-config ./openssl.cfg"
  2. Generate the CA certificate and storage area by performing the following tasks:
    1. At the command prompt, type: ./CA.pl -newca
    2. Press Enter to retrieve the CA certificate file name.
    3. When prompted, enter a strong password for the new CA certificate's key.
    4. When prompted, enter the certificate details.
    5. The system will attempt to create the certificate with the newly-signed key (using the openssl.cnf configuration). At this point, enter the password you created in the above sub-step.
    6. The new cacert.pem file is located in: /etc/ssl/ca/cacert.pem

    The certificate that the script generated may not be marked as a CA certificate. If in the X509v3 Basic Constraints section, in the output, it states CA:FALSE, the certificate will need to be regenerated.

    Use the following command to regenerate the certificate:

    openssl ca $SSLEAY_CONFIG -extfile openssl.cnf -extensions v3_ca -out demoCA/cacert.pem -days 3650 -batch -keyfile demoCA/private/cakey.pem -selfsign -infiles demoCA/careq.pem
  3. At the command prompt, enter: ./CA.pl -newreq

    The certificate request files newkey.pem and a newreq.pem are generated.

  4. At the command prompt, enter: ./CA.pl -sign

    The certificate request is signed and newcert.pem is generated with the signed certificate.

  5. At the command prompt, enter: openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out <NewAgentryServer>.pfx where <NewAgentryServer> can be any unique name for the new PFX file.

    An example of a unique PFX file name is NewAgentryServer.pfx.

    The CA certificate is converted to a PFX file.

  6. Copy the PFX file into the directory where the Agentry Server is installed.
  7. From the SAP Control Center expand the Applications node and select the Agentry application. Then perform the following steps:
    1. Click the Configurations tab in the Administration pane and select the check box for ANGEL Front End.
    2. Change authenticationCertificateStore to the name of the new PFX file. Double-clicking the Value allow you to enter a new name.
    3. Change the authenticationCertificateStorePassword to the password you set in the file.
    4. Click [Apply] to commit the changes to the Server.
    5. Click [OK] to close the window.
  8. Create a copy of the cacert.pem file and rename it AgentryTrustedCertificates.sst.
  9. Copy the new AgentryTrustedCertificates.sst to the Agentry Client installation folder to replace the original AgentryTrustedCertificates.sst file installed with the Client.
  10. Open the AgentryTrustedCertificates.sst file with a text editor. Delete everything before the following line: "-----BEGIN CERTIFICATE-----"
  11. Save and close the file.
  12. Restart the Server and the Client.
  13. Log in to the Server using the Client.
Parent topic: Authentication Certificates