Table of Contents:
- Background
- Procedure
- Related documentation
- Related solutions
Background
The ICA Management Tool is a user-friendly tool that allows an administrator to perform multiple operations on and for the Internal Certificate Authority (ICA), such as:
- Certificate management and searches
- CRL recreation and download
- ICA configuration
- ICA cleanup resulting in the removal of expired certificates
The ICA Management Tool runs on Security Management Server / Multi-Domain Security Management Server.
Procedure
- Connect to command line on the Security Management Server / Multi-Domain Security Management Server.
- Log in to Expert mode.
- Check the status of the ICA Management Tool:
  The first line of the output will be:
  - Management tool is OFF - no need to take any further steps
  - Management tool is ON - proceed to the next step
- The following configuration is recommended for ICA Management Tool:
  - Allow access to ICA Management Tool only via secured networks.
  - Make sure ICA Management Tool is running with SSL authentication (this is the default):
    Check the current authentication:
    [Expert@HostName]# cpca_client set_mgmt_tool print
    The second line of the output will be:
    - Using SSL - no need to take any further steps
    - Not using SSL - configure the tool to use SSL by running the command below (without the -no_ssl option, which makes the tool use clear HTTP instead of HTTPS):
      cpca_client set_mgmt_tool on
  - Reduce the number of Administrators/Users and Hosts that have access to ICA Management Tool to the required minimum.
    Check the current list of Administrators/Users:
    [Expert@HostName]# cpca_client set_mgmt_tool print
    Look at the following sections:
    - The authorized administrators:
    - The authorized users:
    - The authorized custom users:
    To remove an administrator, run:
    cpca_client set_mgmt_tool remove -a Administrator_DN
    To remove all the users, run:
    cpca_client set_mgmt_tool clean
- If ICA Management Tool is currently enabled (ON), but is not needed, then perform one of the following:
  - Either disable ICA Management Tool:
  - Or make sure that the certificate used to authenticate to the ICA Management Tool uses "strong private key protection".
    Follow these steps to import the certificate with "strong private key protection":
    Reference: Import or export certificates and private keys - click on "To import a certificate and private key".
    - Go to Start menu - click on "Run..." / click in the "Search" field - type/paste certmgr.msc - press Enter
      Administrator permission required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    - Click on "Trusted Publishers" to select it - go to 'Action' menu - go to 'All Tasks' - click on 'Import':
    - Click 'Next', and then follow the instructions.
      Important Note: On the "Password" screen, make sure to check this box:
      "Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option."

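The status, SSL and authorized-list checks from the procedure above can be scripted. The following is an added example, not part of the original article or of Check Point's tooling. It matches only the status strings and section headers quoted in this article; the one-entry-per-line layout under each header, the function name and the sample DNs are assumptions.

```shell
#!/bin/sh
# Added example. Status strings and section headers are quoted from this article;
# the one-DN-per-line layout under each header is an assumption.
# On a management server: cpca_client set_mgmt_tool print | audit_mgmt_tool

audit_mgmt_tool() {
    # stdin: output of the print command; stdout: one finding per line.
    awk '
        NR == 1 && /Management tool is OFF/ { print "OK: tool is OFF"; off = 1; exit }
        NR == 1 && /Management tool is ON/  { print "INFO: tool is ON"; on = 1; next }
        NR == 2 && /Not using SSL/          { print "FAIL: not using SSL"; ssl = 1; next }
        NR == 2 && /Using SSL/              { print "OK: using SSL"; ssl = 1; next }
        /^The authorized administrators:/   { section = "administrator"; next }
        /^The authorized users:/            { section = "user"; next }
        /^The authorized custom users:/     { section = "custom user"; next }
        section != "" && NF > 0 {
            sub(/^[ \t]+/, "")              # drop indentation before the DN
            print "REVIEW: " section ": " $0
            entries++
        }
        END {
            if (off) exit                   # tool disabled, nothing else to check
            if (!on) print "UNKNOWN: no status line found"
            if (on && !ssl) print "UNKNOWN: no SSL line found"
            printf "SUMMARY: %d authorized entries to review\n", entries
        }
    '
}

# Constructed sample output (not captured from a real server).
SAMPLE_ON='Management tool is ON
Not using SSL
The authorized administrators:
  CN=admin1,O=mgmt.example.abc123
The authorized users:
The authorized custom users:
  CN=auditor,OU=users,O=mgmt.example.abc123'

printf '%s\n' "$SAMPLE_ON" | audit_mgmt_tool
```

Each REVIEW line is an entry to compare against the list of people who actually need access to the tool.
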
Related documentation
- Security Management Server Administration Guide (R77, R80.10, R80.20) - Chapter 'The Internal Certificate Authority'.