Creating And Replacing Ssl Certificates; Creating A New Self-Signed Certificate - Novell ZENWORKS NETWORK ACCESS CONTROL 5.0 - 09-22-2008 User Manual


16.16 Creating and Replacing SSL Certificates

The Secure Sockets Layer (SSL) protocol uses encryption by way of certificates to provide security
for data or information sent over HTTP.

Certificates are digitally signed statements that verify the authenticity of a server for security
purposes. They use two keys: one public key to encrypt information and one private key to decipher
that information.

keytool is a key and certificate management utility that allows you to create your own public and
private keys when you use self-authentication. These keys and certificates are stored in a keystore
file.

NOTE: All of the steps in these sections ("Creating a New Self-signed Certificate," and "Using an
SSL Certificate from a known Certificate Authority (CA)" in the Users Guide) should be performed
on the MS and each ES.

In order to avoid SSL certificate warnings in the browser when connecting to the Novell ZENworks
Network Access Control server (either as a Novell ZENworks Network Access Control user
interface user, or from a redirected endpoint) you will need to install SSL certificates that have been
signed by a Certificate Authority (CA) recognized by the browser, such as Thawte, Verisign, or your
organization's own local SSL CA. To install certificates, follow the steps below for the MS and each
ES. (Once is sufficient for single-server installations.) Start by removing your existing keystore and
generating a new self-signed certificate as described in Section 16.16.1, "Creating a New
Self-signed Certificate," on page 368, using compliance as the alias wherever a key alias is needed.
Once you've generated a self-signed certificate with the fully-qualified Domain Name of your
server, continue with the instructions for Section 16.16.2, "Using an SSL Certificate from a known
Certificate Authority (CA)," on page 369.

16.16.1 Creating a New Self-signed Certificate

To generate a private keystore containing a new private key/public certificate pair:

Command line window

1 Log in as root to the Novell ZENworks Network Access Control server via SSH or directly
using a keyboard.

2 Remove the existing keystore by entering the following at the command line:

    rm -f /usr/local/nac/keystore/compliance.keystore

3 Enter the following at the command line:

    keytool -genkey -keyalg RSA -alias <key_alias> -keystore /usr/local/nac/keystore/compliance.keystore

Where:
<key_alias> is the name for the key within the keystore file
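
A non-interactive variant of steps 2 and 3, as an added example that is not part of the Novell manual: it passes the server's fully-qualified domain name as the certificate CN through -dname (the value keytool otherwise asks for as "first and last name") and prints the stored Owner, Issuer and validity for review. The helper names, the 2048-bit key size, the 365-day validity and the host name nac.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the manual. Paths and alias are the ones the manual uses.
KEYSTORE=/usr/local/nac/keystore/compliance.keystore
ALIAS=compliance

# Return 0 if $1 looks like a fully-qualified domain name (two or more labels).
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|-*|*.-*|*-.*|*-) return 1 ;;  # empty, stray dots, bad hyphens
        *[!A-Za-z0-9.-]*) return 1 ;;              # characters not valid in a host name
        *.*) return 0 ;;                           # at least one dot: host plus domain
        *) return 1 ;;                             # bare host name, not an FQDN
    esac
}

# Print the distinguished name for the certificate. The CN must equal the name
# browsers use to reach the server, or the name-mismatch warning remains.
cert_dname() {
    is_fqdn "$1" || return 1
    printf 'CN=%s' "$1"
}

# Hypothetical helper: replace the keystore and show what was stored.
# keytool still prompts for the keystore and key passwords, so they do not
# appear in the process list or in shell history.
make_keystore() {
    dname=$(cert_dname "$1") || { echo "not an FQDN: $1" >&2; return 2; }
    rm -f "$KEYSTORE"
    # -keysize and -validity values are assumptions; adjust to local policy.
    keytool -genkey -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$ALIAS" -dname "$dname" -keystore "$KEYSTORE" || return 3
    ls -l "$KEYSTORE"    # review who can read the file holding the private key
    # Owner and Issuer are identical for a self-signed certificate.
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" |
        grep -E 'Owner:|Issuer:|Valid from:'
}

# Runs only when asked, e.g.:  sh make_keystore.sh --run nac.example.com
if [ "${1:-}" = "--run" ]; then
    make_keystore "${2:-}"
fi
```

Run it as root on the MS and on each ES, giving each server its own FQDN.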
