Chapter 8 Authorization: Agent Certificates

Important

After you submit the initial Administrative Enrollment form and the certificate is issued, the form is no longer available from the administration port. If something goes wrong and you are unable to obtain the administrator/agent certificate, you must reset a parameter in the configuration file to make the initial administrative enrollment form available again.

To reset the Administrative Enrollment form:

1. Stop the server instance.
2. Go to the following directory:
   /cert-/config
3. Open the file CMS.cfg in a text editor.
4. Change the value of the following parameter from false to true:
   cmsgateway.enableAdminEnroll=false
5. Save the file.
6. Start the server instance.
7. The next time you access the administration port, the Administrator/Agent Certificate Enrollment form will be available again.

Getting an Agent’s Certificate from a Public CA

The following general guidelines explain how a user can get a client certificate from a public CA and how you can copy that certificate (in base-64 encoded form) to the internal database of the appropriate subsystem:

1. Have the user send a client certificate request to a public CA from the computer they will use to access the subsystem from the Agent Services interface. It is important that they generate and submit this request from the computer they will use later to access the subsystem, because part of this request process generates a private key on the local machine. Alternatively, if location independence is required, they can use a hardware token, such as a smart card, to generate and store the key pair (and the certificate when they receive it from the public CA).
2. When they receive the certificate from the public CA, have them import the certificate into the web browser used to access the subsystem. It is a good idea to ask the user to inform you that the certificate has been installed.
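
For the CMS.cfg edit in the procedure for resetting the Administrative Enrollment form (steps 3 to 5), the following is an added example, not part of the original guide: a scripted version of the change that keeps a backup and refuses to edit a file where the parameter is missing or duplicated. The function names and the sample file are constructed for illustration, and the caller supplies the path to CMS.cfg.

```sh
#!/bin/sh
# Added example. Function names and the sample file are constructed for
# illustration; only the parameter name comes from the procedure above.
PARAM='cmsgateway.enableAdminEnroll'

# Print the parameter's value; fail if it is missing or appears more than once.
admin_enroll_state() {
    awk -F= -v k="$PARAM" '
        $1 == k { n++; v = $2; sub(/[ \t\r]+$/, "", v) }
        END { if (n != 1) exit 1; print v }' "$1"
}

# set_admin_enroll <path-to-CMS.cfg> <true|false>
# Run only while the server instance is stopped (steps 1 and 6).
set_admin_enroll() {
    cfg=$1; new=$2
    case $new in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    old=$(admin_enroll_state "$cfg") || {
        echo "$PARAM missing or duplicated in $cfg" >&2; return 1; }
    [ "$old" = "$new" ] && return 0
    cp -p "$cfg" "$cfg.bak" || return 1          # keep the previous file
    tmp=$(mktemp "$cfg.XXXXXX") || return 1
    awk -F= -v k="$PARAM" -v v="$new" '
        $1 == k { print k "=" v; next }
        { print }' "$cfg" > "$tmp" &&
        cat "$tmp" > "$cfg"   # write through: owner and mode of CMS.cfg stay as they were
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && [ "$(admin_enroll_state "$cfg")" = "$new" ]
}

# Constructed sample file for a dry run away from the real configuration.
make_sample_cfg() {
    printf '%s\n' 'example.first.setting=1' "${PARAM}=false" \
        'example.last.setting=x' > "$1"
}
```

Running admin_enroll_state against the real file once the administrator/agent certificate has been issued shows whether the enrollment form is still enabled.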