Client Certificate Management

This topic provides information about client certificate management.

Client certificates are classified as one of the following:
  • An IMM2 self-assigned certificate
  • A certificate generated from an IMM2 CSR and signed (externally) by a third party CA.
A client certificate is required for communication with the SKLM server. The client certificate contains digital signatures for the CA and the IMM2.
Note
  • Certificates must be preserved across firmware updates.
  • If a client certificate is not created for communication with the SKLM server, the IMM2 HTTPS server certificate is used.
  • The function of the CA is to verify the identity of the IMM2.
To create a client certificate, locate the Client Certificate Status section on the Drive Access page. Under the Actions menu of the Client Certificate Status section, select one of the following items:
  • Generate a New Key and a Self-Signed Certificate
  • Generate a New Key and a Certificate Signing Request (CSR)
The Generate a New Key and a Self-Signed Certificate action item generates a new encryption key and a self-signed certificate. In the Generate New Key and Self-Signed Certificate window, type or select the information in the required fields and any optional fields that apply to your configuration (see the following table). Click Ok to generate your encryption key and certificate. A progress window is displayed while the self-signed certificate is being generated. A confirmation window is displayed when the certificate is successfully installed.
Note
The new encryption key and certificate replace any existing key and certificate.
Table 1. Generate a New Key and a Self-Signed Certificate.

| Field | Description |
| --- | --- |
| Country ¹ | From the list item, select the country where the IMM2 physically resides. |
| State or Province ¹ | Type the state or province where the IMM2 physically resides. |
| City or Locality ¹ | Type the city or locality where the IMM2 physically resides. |
| Organization Name ¹ | Type the company or organization name that owns the IMM2. |
| IMM2 Host Name ¹ | Type the IMM2 host name that appears in the web address bar. |
| Contact Person | Type the name of the contact person that is responsible for the IMM2. |
| Email address | Type the email address of the contact person responsible for the IMM2. |
| Organization Unit | Type the unit within the company that owns the IMM2. |
| Surname | Type the surname of the person responsible for the IMM2. This field can contain a maximum of 60 characters. |
| Given Name | Type the given name of the person responsible for the IMM2. This field can contain a maximum of 60 characters. |
| Initials | Type the initials of the person responsible for the IMM2. This field can contain a maximum of 20 characters. |
| DN Qualifier | Type the Distinguished Name Qualifier for the IMM2. This field can contain a maximum of 60 characters. |

¹ This is a required field.

After the client certificate has been generated, you can download the certificate to storage on your IMM2 by selecting the Download Certificate action item.

The Generate a New Key and a Certificate Signing Request (CSR) action item generates a new encryption key and a CSR. In the Generate a New Key and a Certificate Signing Request window, type or select the information in the required fields and any optional fields that apply to your configuration (see the following table). Click Ok to generate your new encryption key and CSR.

A progress window is displayed while the CSR is being generated, and a confirmation window is displayed upon successful completion. After generation of the CSR, you must send the CSR to a CA for digital signing. Select the Download Certificate Signing Request (CSR) action item and click Ok to save the CSR to your server. You can then submit the CSR to your CA for signing.

Table 2. Generate a New Key and a Certificate Signing Request.

| Field | Description |
| --- | --- |
| Country ¹ | From the list item, select the country where the IMM2 physically resides. |
| State or Province ¹ | Type the state or province where the IMM2 physically resides. |
| City or Locality ¹ | Type the city or locality where the IMM2 physically resides. |
| Organization Name ¹ | Type the company or organization name that owns the IMM2. |
| IMM2 Host Name ¹ | Type the IMM2 host name that appears in the web address bar. |
| Contact Person | Type the name of the contact person that is responsible for the IMM2. |
| Email address | Type the email address of the contact person responsible for the IMM2. |
| Organization Unit | Type the unit within the company that owns the IMM2. |
| Surname | Type the surname of the person responsible for the IMM2. This field can contain a maximum of 60 characters. |
| Given Name | Type the given name of the person responsible for the IMM2. This field can contain a maximum of 60 characters. |
| Initials | Type the initials of the person responsible for the IMM2. This field can contain a maximum of 20 characters. |
| DN Qualifier | Type the Distinguished Name Qualifier for the IMM2. This field can contain a maximum of 60 characters. |
| Challenge Password | Type the password to the CSR. This field can contain a maximum of 30 characters. |
| Unstructured Name | Type additional information, such as an unstructured name that is assigned to the IMM2. This field can contain a maximum of 60 characters. |

¹ This is a required field.

The CA digitally signs the CSR using the user's certificate processing tool, such as the OpenSSL or Certutil command-line tool. All client certificates that are signed using the user's certificate processing tool have the same base certificate. This base certificate must also be imported to the SKLM server so that all servers whose certificates were digitally signed by the user are accepted by the SKLM server.

After the certificate has been signed by the CA, you must import it into the IMM2. Select the Import a Signed Certificate action item and select the file to upload as the client certificate; then, click the Ok button. A Progress window is displayed while the CA-signed certificate is being uploaded. A Certificate Upload window is displayed if the upload process is successful. A Certificate Upload Error window is displayed if the upload process is not successful.
Note
  • For increased security, use a certificate that is digitally signed by a CA.
  • The certificate that is imported into the IMM2 must correspond to the CSR that was previously generated.

After a CA-signed certificate is imported into the IMM2, select the Download Certificate action item. When you select this action item, the CA-signed certificate is downloaded to storage on your IMM2.
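
The signing step with OpenSSL and the two checks worth running before the import (the signed certificate chains to the CA base certificate, and it corresponds to the CSR that was generated) can be scripted as follows. This is an added example, not part of the product documentation; it assumes the OpenSSL command-line tool is installed, and the CA, the CSRs (local stand-ins for a CSR downloaded from the IMM2), the file names and the subject values are all constructed.

```shell
#!/bin/sh
# Added example. Every file is constructed in a temp directory; the CSRs are
# local stand-ins for a CSR downloaded from the IMM2.

# Sign a CSR with the CA key: sign_csr <csr> <ca.crt> <ca.key> <out.crt>
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -out "$4" -days 365 -sha256 2>/dev/null
}

# Succeeds only if the certificate carries the same public key as the CSR,
# i.e. it corresponds to the key pair that was generated with that CSR.
cert_matches_csr() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# Succeeds only if the certificate verifies against the CA base certificate,
# the same certificate that has to be imported to the SKLM server.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a constructed CA and two constructed CSRs; prints the directory.
make_demo_files() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/O=Example Org/CN=Example Lab CA" 2>/dev/null || return 1
    for n in imm2-a imm2-b; do
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$d/$n.key" -out "$d/$n.csr" \
            -subj "/C=US/O=Example Org/CN=$n.example.test" 2>/dev/null || return 1
    done
    echo "$d"
}

DEMO=$(make_demo_files)
sign_csr "$DEMO/imm2-a.csr" "$DEMO/ca.crt" "$DEMO/ca.key" "$DEMO/imm2-a.crt"
cert_chains_to_ca "$DEMO/imm2-a.crt" "$DEMO/ca.crt" && echo "chains to base certificate"
cert_matches_csr "$DEMO/imm2-a.crt" "$DEMO/imm2-a.csr" && echo "matches imm2-a CSR"
cert_matches_csr "$DEMO/imm2-a.crt" "$DEMO/imm2-b.csr" || echo "imm2-b CSR: mismatch, do not import"
```

A certificate that passes the chain check but fails the CSR comparison was issued for a different key pair, which is the case the note about matching the previously generated CSR describes.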