C.3.1 Registering Server Certificates and CA Certificates

This section explains how to register the certificates necessary when using an SSL accelerator of the server load balancer function.

The tenant user prepares a certificate based on the business system to configure, and the infrastructure administrator registers this certificate in the NS Appliance.

Figure C.1 Flow of Registration of Server Certificates and CA Certificates

This section explains how to register a certificate in an NS appliance.

Registering CA Certificates

In general, registration of CA certificates (including intermediate CA certificates) is not necessary.
Registration of CA certificates is necessary when it is requested by a tenant administrator or tenant user and when the server certificate issued by a CA for which the CA certificate has not been registered on the client side is used.
The procedure for registering a CA certificate is as follows.

Check if a CA certificate is already registered in the NS appliance.
Log in to the NS appliance, and execute the following command:
```
admin
password: Administrator Password
show cert ca-certificate all
```
Administrator Password
Enter the administrator password specified in the "2.2.3.3 Network Configuration Information Files" which was created during installation of NS Appliance.
CA certificates registered in the NS Appliance are displayed. Confirm that valid CA certificates have been registered, based on the following items:
Item
Description
Issuser
The issuer information of the CA certificate
Subject
The owner information of the CA certificate
Validity
The expiration date of the CA certificate
When no CA certificate is registered, register the CA certificate using the procedure after step 2.
If one is already registered, registration is not required.
Store the CA certificate in the NS appliance.
Store the certificate in the NS appliance, by transferring an FTP server file to the NS appliance.
Store the certificate on the FTP server in advance.
Execute the following command:
```
copy src_uri [ username name [ password password ] ] [ dst_filename ]
```
src_uri
Specify the certificate on the FTP server as the copy source, in order to copy it to the NS appliance.
```
ftp://IPv4 address of the FTP server/directory/filename
```
name
Specify the login ID for the FTP server using a character string containing between 1 and 64 characters.
password
Specify the password for the login ID for the FTP server using a character string containing between 1 and 64 characters.
dst_filename
Specify the file name as "ca-cert.incom.pem".
Register the CA certificate in the NS appliance.
Execute the following command:
```
cert entry peer-ca-certificate ca-certificate-group-entry-num
```
ca-certificate-group-entry-num
Configure the CA certificate number. This number is the number of the peer and the certificate of its own device.
A value between 1 and 2048 can be specified.
0 has a specific meaning, and certificates from other CA authorities cannot be registered, as the number is allocated to the certificate created by Resource Orchestrator. Also, the numbers between 1 and 18 are registered for the CA certificates of Symantec Website Security (formerly VeriSign) installed by default, so use another number.

Item	Description
Issuser	The issuer information of the CA certificate
Subject	The owner information of the CA certificate
Validity	The expiration date of the CA certificate

Registering Server Certificates

Store the server certificate in the NS appliance.
Store the certificate in the NS appliance, by transferring an FTP server file to the NS appliance.
Store the certificate on the FTP server in advance.
Execute the following command:
```
copy src_uri [ username name [ password password ] ] [ dst_filename ]
```
src_uri
Specify the certificate on the FTP server as the copy source, in order to copy it to the NS appliance.
```
ftp://IPv4 address of the FTP server/directory/filename
```
name
Specify the login ID for the FTP server using a character string containing between 1 and 64 characters.
password
Specify the password for the login ID for the FTP server using a character string containing between 1 and 64 characters.
dst_filename
Specify the file name as "certXXX.imp.pkcs12".
XXX
Entry number
Register the server certificate in the NS appliance.
Execute the following command:
```
cert pkcs12-import certificate-entry-num password password
```
certificate-entry-num
Configure the server certificate and the registration number of the secret key.
A value between 1 and 256 can be specified.
password
Specify a password using a character string containing up to 20 characters with alphanumeric characters and the symbols "!"#$%&()=~|-^\@[;:]/.,{`}*+_?><" in order to use the PKCS#12 file.
Execute the rcxnetworkservice certctl command.
```
rcxnetworkservice crtctl -name name -sync
```
name
Specify the NS appliance device name.

Execute this command when using simple configuration mode.
For details on this command, refer to "A.1 rcxnetworkservice".
Notify the Tenant Administrator and tenant users of the completion of registration.