Filter
Top Products
Using Enhanced Security Features
272 EncrypTight User Guide
Working with Certificates for EncrypTight and
the ETKMSs
For both the workstation running the EncrypTight software and the ETKMS, use the keytool utility to
request and install certificates. The keytool utility is a Java-based utility for key and certificate
management. A complete discussion of using the keytool utility is beyond the scope of this guide. You
can find additional information on the Internet.
On each EncrypTight component, encryption keys and certificates are stored in the keystore. The location
of the keytool utility and the keystore depends on the component with which you are working.
● On the management workstation, keytool is located in <installDir>\jre\bin where
<installDir> is the directory where you installed the EncrypTight software. By default, keys are
stored in the keystore located in the
<installDir>\cvConfig\keys directory.
● On the ETKMS, keytool is located in /usr/java/latest/bin/keytool and the keystore is located
in
/opt/etkms/keys.
You need to follow the procedures in this section for both the management workstation and the ETKMS.
Before proceeding, you should change the default password for the keystore (see “Changing the Keystore
Password” on page 266). If your organization uses the certificate policies extension for certificates, you
also need to specify what values are valid for this extension on each device (see “Configuring the
Certificate Policies Extension” on page 269).
If you plan to use a CA certificate as an external certificate for validation, obtain a copy of the CA
certificate before you begin. You will receive a .PEM or .DER file that you can import into the keystore
on the devices with which you work.
NOTE
If your ETKMS includes an HSM, skip this section and follow the instructions in “Working with Certificates
and an HSM” on page 275 to generate requests and install certificates.
This section includes the following topics:
● “Generating a Key Pair” on page 272
● “Requesting a Certificate” on page 273
● “Importing a CA Certificate” on page 274
● “Importing a CA Certificate Reply” on page 274
● “Exporting a Certificate” on page 275
Generating a Key Pair
To request a certificate from a CA, you must first generate a public/private key pair. This procedure
essentially creates a self-signed certificate and places it in the keystore.