Patch for Windows® Servers, powered by Shavlik


Step 1: How to Issue a New Certificate Using Your Own CA

The specific actions you take to issue a new sub-authority certificate depend on your environment.

Option A: If your CA is accessible over your network

1. Close Ivanti Patch for Windows® Servers.

2. Use your local system facilities to issue the new certificate from your CA.

Make sure the certificate meets all of the requirements.

3. Save the new certificate to the console machine's Intermediate Certification Authorities store.

4. On the console, open an administrator command prompt window and change to the Ivanti Patch for Windows® Servers installation directory.

The default installation directory is: C:\Program Files\LANDESK\Shavlik Protect.

5. Using the STMgmt command-line tool, issue the select_subauthority -thumbprint <thumbprint> command to specify that the new certificate should act as the sub-authority certificate.

Example: stmgmt.exe -select_subauthority -thumbprint 3e656d7ca744c131c2daba3e4fb4e8731784824e

Be sure to include the -thumbprint argument, which indicates to Ivanti Patch for Windows® Servers that it should use the certificate as the sub-authority certificate. One method for getting the thumbprint is to:

(a) Copy the thumbprint from the new certificate into an application such as Notepad.

(b) Remove any spaces and special characters.

(c) Save the file in an ANSI-encoded format.

(d) Paste the thumbprint characters from the Notepad file into the select_subauthority command.

For information on using STMgmt, type the following from an administrator command prompt on the console machine:

C:\Program Files\LANDESK\Shavlik Protect>stmgmt

6. See Let the Certificate Percolate Through the System for information on whether you need to wait 30 days before committing to the new certificate.
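The thumbprint cleanup described in step 5 can also be scripted. The following PowerShell is an added example, not part of the product documentation: the function names ConvertTo-CleanThumbprint and Find-SubAuthorityCandidate are hypothetical, and the pasted input is constructed from the example thumbprint shown above.

```powershell
# Added example: normalize a thumbprint pasted from the certificate dialog and
# confirm it matches a certificate in the Intermediate Certification
# Authorities store before handing it to stmgmt.exe.

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Raw)

    # Drop everything that is not a hex digit: spaces, colons, and invisible
    # Unicode marks that can be copied along with the value from the GUI.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()

    # A Windows certificate thumbprint is a SHA-1 digest: 40 hex characters.
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters, got $($clean.Length): '$clean'"
    }
    return $clean
}

function Find-SubAuthorityCandidate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Cert:\LocalMachine\CA is the local machine's
    # Intermediate Certification Authorities store.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\CA |
        Where-Object { $_.Thumbprint -eq $Thumbprint }   # -eq ignores case
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\CA"
    }
    return $cert
}

# Constructed sample input: the example thumbprint as it might look when pasted,
# with a leading left-to-right mark (U+200E) and a space between each byte.
$pasted = "$([char]0x200E)3e 65 6d 7c a7 44 c1 31 c2 da ba 3e 4f b4 e8 73 17 84 82 4e"

$thumb = ConvertTo-CleanThumbprint -Raw $pasted

# On a machine that does not hold this certificate, the lookup throws here.
$cert = Find-SubAuthorityCandidate -Thumbprint $thumb

# Show what would be selected so the operator can confirm it is the new certificate.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Print the command for step 5 instead of running it.
"stmgmt.exe -select_subauthority -thumbprint $thumb"
```

Replace the constructed value in $pasted with the thumbprint copied from your own certificate, and run the script from an administrator PowerShell prompt on the console machine.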

Option B: If your CA is not accessible over your network (the CA is offline or in a disconnected network)

1. On the console, open an administrator command prompt window and go to the Ivanti Patch for Windows® Servers installation directory.

The default installation directory is C:\Program Files\LANDESK\Shavlik Protect.

2. Using the STMgmt command-line tool, issue a request_subauthority -of <requestfile> command to create a sub-authority certificate request.

Example: stmgmt.exe -request_subauthority -of samplerequestfilename.req

This is the request to issue the new Ivanti Patch for Windows® Servers sub-authority certificate. It creates all the information necessary for a CA to issue a certificate and save it to a file. This file is a PKCS10 certificate request and it will be used to generate the certificate on the CA.

3. Transport the file to the CA.

4. Have your CA issue the new sub-authority certificate and save it to a file.

Make sure the certificate meets all of the requirements.

5. Transport the file to the console machine and save it to a local directory.

6. Using the STMgmt command-line tool, issue an accept_subauthority -if <issuedcert> command.

Example: stmgmt.exe -accept_subauthority -if sampleresponsefilename.cer

This command does several things. It:

Accepts the new certificate that was generated from the trusted CA

Binds it back to the private key on the console

Specifies that Ivanti Patch for Windows® Servers should use the certificate as the sub-authority certificate

Manages the installation of the new certificate

7. See Let the Certificate Percolate Through the System for information on whether you need to wait 30 days before committing to the new certificate.

