Step 1: How to Issue a New Certificate Using Your Own CA
The specific actions you take to issue a new sub-authority certificate depend on your environment.
Option A: If your CA is accessible over your network
- Close Security Controls.
- Use your local system facilities to issue the new certificate from your CA. Make sure the certificate meets all of the requirements.
- Save the new certificate to the console machine's Intermediate Certification Authorities store.
- On the console, open an administrator command prompt window and change to the Security Controls installation directory. The default installation directory is: C:\Program Files\Ivanti\Security Controls.
- Using the STMgmt command-line tool, issue the select_subauthority -thumbprint <thumbprint> command to specify that the new certificate should act as the sub-authority certificate.
  Example: stmgmt.exe -select_subauthority -thumbprint 3e656d7ca744c131c2daba3e4fb4e8731784824e
  Be sure to include the -thumbprint argument, which indicates to Security Controls that it should use the certificate as the sub-authority certificate. One method for getting the thumbprint is to:
  - Copy the thumbprint from the new certificate into an application such as Notepad.
  - Remove any spaces and special characters.
  - Save the file in an ANSI-encoded format.
  - Paste the thumbprint characters from the Notepad file into the select_subauthority command.
  For information on using STMgmt, type the following from an administrator command prompt on the console machine:
  C:\Program Files\Ivanti\Security Controls>stmgmt
- See Let the Certificate Percolate Through the System for information on whether you need to wait 30 days before committing to the new certificate.
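The thumbprint clean-up under Option A can also be scripted. The PowerShell below is an added example, not Ivanti's code and not part of the original page: it strips spaces and special characters (including non-printing ones) from a pasted thumbprint, checks that 40 hex digits remain, and confirms the certificate is present in the store before printing the command line. The function name ConvertTo-CleanThumbprint, the constructed sample string, and the store path Cert:\LocalMachine\CA are assumptions.

```powershell
# Added example (not Ivanti code): clean a pasted thumbprint and verify it
# against the Intermediate Certification Authorities store before use.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)

    # Keep hex digits only. This drops spaces, colons, and any invisible
    # Unicode characters that came along with the copy.
    $clean = $Pasted -replace '[^0-9A-Fa-f]', ''

    # A certificate thumbprint as shown by Windows is a SHA-1 hash: 40 hex digits.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits, got $($clean.Length). Re-copy the thumbprint."
    }
    return $clean
}

# Constructed sample: the thumbprint from the page's example, spaced out,
# with a hidden U+200E (left-to-right mark) in front of it.
$pasted = "$([char]0x200E)3e 65 6d 7c a7 44 c1 31 c2 da ba 3e 4f b4 e8 73 17 84 82 4e"
$thumb  = ConvertTo-CleanThumbprint -Pasted $pasted

# Assumption: the certificate was saved to the local machine store.
# "CA" is the store name behind "Intermediate Certification Authorities".
$cert = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object Thumbprint -eq $thumb

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $thumb in Cert:\LocalMachine\CA."
} else {
    # Show the fields an operator should confirm before selecting the certificate.
    $cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
    "stmgmt.exe -select_subauthority -thumbprint $thumb"
}
```

Replace the sample string with the thumbprint of your own certificate; the warning branch means the value does not match any certificate in that store.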
Option B: If your CA is not accessible over your network (the CA is offline or in a disconnected network)
- On the console, open an administrator command prompt window and go to the Security Controls installation directory. The default installation directory is C:\Program Files\Ivanti\Security Controls.
- Using the STMgmt command-line tool, issue a request_subauthority -of <requestfile> command to create a sub-authority certificate request.
  Example: stmgmt.exe -request_subauthority -of samplerequestfilename.req
  This is the request to issue the new Security Controls sub-authority certificate. It creates all the information necessary for a CA to issue a certificate and save it to a file. This file is a PKCS10 certificate request in binary format and it will be used to generate the certificate on the CA. You may need to convert this file to be Base64-encoded depending on your CA.
- Transport the file to the CA.
- Have your CA issue the new sub-authority certificate and save it to a file. Make sure the certificate meets all of the requirements.
- Transport the file to the console machine and save it to a local directory.
- Using the STMgmt command-line tool, issue an accept_subauthority -if <issuedcert> command.
  Example: stmgmt.exe -accept_subauthority -if sampleresponsefilename.cer
  This command does several things. It:
  - Accepts the new certificate that was generated from the trusted CA
  - Binds it back to the private key on the console
  - Specifies that Security Controls should use the certificate as the sub-authority certificate
  - Manages the installation of the new certificate
- See Let the Certificate Percolate Through the System for information on whether you need to wait 30 days before committing to the new certificate.