Creating Certificates

Certificate creation

This section describes the steps to create certificates required for secure communication. These certificates are for secure communication between:

  • ESA and the RPP.
  • RPP and the protector.
  • KMSProxy and the protector.
  • REST protector and the curl client.

To download the installation package:

  1. Navigate to the directory where you have extracted the installation package.

  2. Navigate to the certs directory. The following files are available:

    • CertificatesSetup_Linux_x64_<Version>.tgz - Download the certificates from the ESA. You can use them as the common certificates in the dynamic deployment between the RPProxy and the ESA, and between the RPProxy and the protector. You can also use these certificates separately as the upstream certificate between the ESA and RPProxy in the dynamic deployment.
    • CreateCertificate_Linux_x64_<Version>.tgz - Generate self-signed client and server certificates. In the Dynamic method, these certificates are used for communication between RPProxy and the protector, and the REST protector and the curl client. In the Static policy method, these certificates are used for communication between KMSProxy and the protector, and the REST protector and the curl client. Customers can choose to use their own certificates.
  3. Extract both packages using the following commands.

    tar -xvf CertificatesSetup_Linux_x64_<Version>.tgz
    tar -xvf CreateCertificate_Linux_x64_<Version>.tgz
    

    The following files are extracted:

    • CertificatesSetup_Linux_x64_<Version>.sh
    • CreateCertificate_Linux_x64_<Version>.sh

Certificates for communication between the ESA and the RPP

  1. Run the following command to create ESA certificates for establishing secure communication between the ESA and the RPP.

    ./CertificatesSetup_Linux_x64_<Version>.sh (-u <username> -p <password>) [-h <hostname>] [--port <port>] [-d <directory>]

    Options:
      -u      User with the Export Certificates role
      -p      Password for user with the Export Certificates role
      -h      Host or IP address of the ESA
      --port  Port number of the ESA
      -d      Local directory where certificates are stored

For more information about the command, use the --help parameter as shown in the following command.

    ./CertificatesSetup_Linux_x64_<Version>.sh --help

The output displays all the options that can be used with the command. It also provides usage examples.

Certificates for client and server communication between RPP and Protector, and KMS-Proxy and Protector

  1. Run the following command to create server-side certificates.

    ./CreateCertificate_Linux_x64_<Version>.sh (client | server) --name <common name> [--dir <directory>] [--dns <dnsname>] [--ip <ip address>]

    Options:
      client        Generate client certificate
      server        Generate server certificate
      --name        Certificate common name.
      --dns         Specify domain names. To specify multiple DNS names, repeat the --dns flag.
      --ip          Specify IP addresses. To specify multiple IP addresses, repeat the --ip flag.
      --noenc       The certificate key file is not encrypted. No secret.txt file created.
      --dir         Output base directory for certificates.
      --print       Prints OpenSSL configuration files used to generate certificates.
      --help        Print help message.

This command is used to create the certificates for both the Dynamic and Static-based deployments.

For more information about the command, use the --help parameter as shown in the following command.

    ./CreateCertificate_Linux_x64_<Version>.sh --help

The output displays all the options that can be used with the command. It also provides usage examples.
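
To confirm that a generated certificate carries the common name and the --dns and --ip entries you passed, and that a key created with --noenc is not left readable by other users, checks like the following can be run against the output. This is an added example, not part of the vendor package; it assumes PEM-format output. The file names server.crt and server.key, the host rpp.example.test, and the address 192.0.2.10 are constructed placeholders, and make_sample builds a throwaway certificate with openssl as a stand-in for the script's output.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes PEM output; file names are hypothetical.

# Print SAN entries one per line, normalised to DNS:<name> / IP:<addr>.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/^IP Address:/IP:/'
}

# Succeed only if the exact entry (e.g. DNS:host or IP:192.0.2.10) is present.
san_has() { cert_sans "$1" | grep -qxF "$2"; }

# Print the subject common name (the value given with --name).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Succeed if the PEM key is passphrase-protected (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if group and others have no permissions on the key file.
key_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Constructed stand-in for the script's output: throwaway self-signed cert.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=rpp.example.test' \
        -addext 'subjectAltName=DNS:rpp.example.test,IP:192.0.2.10' \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# audit CERT KEY EXPECTED_SAN...: non-zero exit if any check fails.
audit() {
    cert=$1 key=$2; shift 2; rc=0
    for want in "$@"; do
        san_has "$cert" "$want" || { echo "missing SAN: $want"; rc=1; }
    done
    if ! key_is_encrypted "$key" && ! key_is_private "$key"; then
        echo "unencrypted key readable by group/others: $key"; rc=1
    fi
    return "$rc"
}
```

Call audit with the certificate, the key, and every DNS: or IP: entry that clients will use to reach the server; a missing entry is the usual cause of hostname verification failures on the client side.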


Last modified : January 18, 2026