Bringing your own certificate

This procedure describes how to apply your own certificates signed by approved third-parties. This is achieved by running the Manage_SSL_BYO script on the Control-M/EM Server, and then running the script that was generated in the deployment directories, on the relevant components' installations.

NOTE: To update the Control-M/EM certificate, see Certificates.

The certificate that you apply must be a valid X509 certificate.

The following components are supported:

• Control-M Agent
• Control-M Server
• Control-M Enterprise Manager Servers
• Control-M for Web Services, Java and Messaging
• Control-M Web
• Control-M Enterprise Manager API
• Control-M zOS

Before you begin

You must already have one or all of the following: the signed certificate, its private key, and its CA chain in one of the following formats:

• PEM (Privacy Enhanced Mail) files for each of the following: Certificate, Private Key, and Trusted Root CAs
• PKCS#12 file with the Certificate, private key, and CAs. If the PKCS#12 contains multiple certificates and key pairs, then you must also have available the name of the pair to use.

  NOTE: All components must be signed using the same CA Certificate. Private key passwords must exist for PKCS#12 and PEM, however the Certificate PEM must not to be locked/protected by password.

To apply the certificates:

1. Create a temporary folder in the root directory of the computer where the Control-M/EM resides.
2. In the directories of the deployed components, add the scripts to import your SSL certificates and keys. See Examples of script usage when importing certificates and keys.