Can the Root CA private key be removed from the IGEL UMS after the signed client certificate is created?


Hi All, We preparing to install ICG and have a question about Cert for ICG. We planned to go with Creating certificates from an Existing Root Certificate. It involves using Root CA private key from CA certificate to create a signed client certificate. Can the Root CA private key be removed from the UMS after the signed client certificate is created? There may be some concerns having the Root CA private key left on a DMZ server, if it can’t be deleted.


I don’t fully have an answer for you as that is a bit outside my wheelhouse. However, I do have a question. Are you saying your UMS server is in the DMZ?


UMS is in LAN and ICG is in DMZ. ICG will be installed via Remote installer.


You generate a privaze key for your ICG server and create da Signing Request (CSR) from it. With the CSR you can create the certificate on your CA server. Than you import the generated private key and the new certificate into your UMS – you alos need to import the certificates of your CA and (if used) intermediate CA – no need to import a private key from a CA. It is the same as if you use a public CA – you only get their certificate chain and no private key from them.


Then, you don’t have to worry, the ROOT CA and the according key will never leave your LAN, both stays in your UMS. They are needed there for issuing and verifying.

Continue reading and comment on the thread ‘Can the Root CA private key be removed from the IGEL UMS after the signed client certificate is created?’.  Not a member? Join Here!

Learn more, search the IGEL Knowledge Base



Ask a question or comment on the above messasge thread?

Join or log in to the IGEL Community to ask us anything and meet other IGEL customers, partners, and EUC enthusiasts.

Submit a question, or Join Today!


Popular Message Threads


Categories & Tags: