Generating your own certificate

This procedure describes how to generate your own certificate using a BMC provided script. The script Manage_SSL_Generate_CSR.bat /.sh is installed on the Control-M/EM Server computer and generates a KEYPAIR and a certificate signing request (CSR).

To generate your own certificate:

1. Generate the RSA private key store file as a PEM file in the work area, as follows:

   Manage_SSL_Generate_CSR.bat/.sh -workarea <workarea path> –genkey [–keysize <size>] –password <password>

   Where:

   • -genkey generates the key pair phase.
   • -keysize is 2048 or 4096. Default: 2048
   • -password is the password of the private key.

   EXAMPLE:Manage_SSL_Generate_CSR.bat –workarea /tmp/agent1 –genkey –password secret

2. Generate the CSR, as follows:

   Manage_SSL_Generate_CSR.bat/.sh -workarea c:\temp\jj –gencsr –subj <text> | -subj_in_workarea -password secret

   Where:

   • -gencsr generates the CSR phase.
   • –subj is the X509 Subject and it must be formatted as /type0=value0/type1=value1/type2=... Characters may be escaped by \ (backslash) and no spaces are skipped.

   EXAMPLE: "/C=US/ST=Texas/L=Houston/O=BMC Software Inc/OU=Workload Automation/CN=cn/emailAddress=cn@company"

   • -subj_in_workarea indicates that that the –subj parameter input is in the work area already.

   The request.csr file that contains the CSR is now created in the work area.

3. Send the CSR to your Certificate Authority (CA) or your Information Security group (Infosec).
4. Request from your CA or Infosec the following files and copy them to the work area:
   • ssl certificate <ssl certificate>.pem
   • CA certificate .pem (CA certificate chain)
5. Run the Manage_SSL_BYO script to generate a deployment directory for the certificate and private key, as described in Bringing your own certificate.