Step 1: How to Issue a New Certificate Using Your Own CA

The specific actions you take to issue a new sub-authority certificate depend on your environment.

Option A: If your CA is accessible over your network

  1. Close Security Controls.
  2. Use your local system facilities to issue the new certificate from your CA.
    Make sure the certificate meets all of the requirements.
  3. Save the new certificate to the console machine's Intermediate Certification Authorities store.
  4. On the console, open an administrator command prompt window and change to the Security Controls installation directory.
    The default installation directory is: C:\Program Files\Ivanti\Security Controls.
  5. Using the STMgmt command-line tool, issue the select_subauthority -thumbprint <thumbprint> command to specify that the new certificate should act as the sub-authority certificate.

    Example: stmgmt.exe -select_subauthority -thumbprint 3e656d7ca744c131c2daba3e4fb4e8731784824e

    Be sure to include the -thumbprint argument, which indicates to Security Controls that it should use the certificate as the sub-authority certificate. One method for getting the thumbprint is to:

    1. Copy the thumbprint from the new certificate into an application such as Notepad.
    2. Remove any spaces and special characters.
    3. Save the file in an ANSI-encoded format.
    4. Paste the thumbprint characters from the Notepad file into the select_subauthority command.

    For information on using STMgmt, type the following from an administrator command prompt on the console machine:

    C:\Program Files\Ivanti\Security Controls>stmgmt

  6. See Let the Certificate Percolate Through the System for information on whether you need to wait 30 days before committing to the new certificate.
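
The thumbprint clean-up described under Option A can be scripted instead of done by hand in Notepad. The following PowerShell is an added example, not part of the original documentation or of Ivanti's tooling. The function name ConvertTo-CleanThumbprint and the pasted sample value are constructed for illustration, and it assumes the certificate was saved to the local machine's Intermediate Certification Authorities store (Cert:\LocalMachine\CA).

```powershell
# Added example. Run from an elevated PowerShell session on the console machine.

# Constructed sample: the page's example thumbprint as it might look when copied
# from the certificate dialog, with spaces and a leading invisible U+200E mark.
$Pasted = "$([char]0x200E)3e 65 6d 7c a7 44 c1 31 c2 da ba 3e 4f b4 e8 73 17 84 82 4e"

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)

    # Keep hexadecimal digits only. This removes spaces, colons and any
    # non-printing characters that came along with the copy.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # A Windows certificate thumbprint is a SHA-1 hash: exactly 40 hex digits.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters, got $($clean.Length). Re-copy the thumbprint."
    }
    return $clean
}

$thumb = ConvertTo-CleanThumbprint -Text $Pasted

# Confirm the certificate really is in the Intermediate Certification
# Authorities store before pointing Security Controls at it.
$cert = Get-ChildItem -Path Cert:\LocalMachine\CA |
    Where-Object { $_.Thumbprint -eq $thumb }

if (-not $cert) {
    throw "No certificate with thumbprint $thumb found in Cert:\LocalMachine\CA."
}

# Show what was matched so the operator can check it is the intended certificate.
$cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List

# Emit the command from step 5 with the cleaned thumbprint, to be run from the
# Security Controls installation directory.
Write-Output "stmgmt.exe -select_subauthority -thumbprint $thumb"
```

Checking the store first catches a mistyped thumbprint, or a certificate saved to the wrong store, before stmgmt.exe is run.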

Option B: If your CA is not accessible over your network (the CA is offline or in a disconnected network)

  1. On the console, open an administrator command prompt window and go to the Security Controls installation directory.
    The default installation directory is C:\Program Files\Ivanti\Security Controls.
  2. Using the STMgmt command-line tool, issue a request_subauthority -of <requestfile> command to create a sub-authority certificate request.

    Example: stmgmt.exe -request_subauthority -of samplerequestfilename.req

    This is the request to issue the new Security Controls sub-authority certificate. It creates all the information necessary for a CA to issue a certificate and saves it to a file. This file is a PKCS10 certificate request in binary format and it will be used to generate the certificate on the CA. You may need to convert this file to be Base64-encoded depending on your CA.

  3. Transport the file to the CA.
  4. Have your CA issue the new sub-authority certificate and save it to a file.
    Make sure the certificate meets all of the requirements.
  5. Transport the file to the console machine and save it to a local directory.
  6. Using the STMgmt command-line tool, issue an accept_subauthority -if <issuedcert> command.

    Example: stmgmt.exe -accept_subauthority -if sampleresponsefilename.cer

    This command does several things. It:

    • Accepts the new certificate that was generated from the trusted CA
    • Binds it back to the private key on the console
    • Specifies that Security Controls should use the certificate as the sub-authority certificate
    • Manages the installation of the new certificate
  7. See Let the Certificate Percolate Through the System for information on whether you need to wait 30 days before committing to the new certificate.