- Request the necessary test certificates from CableLabs. It is likely
  that you will need to execute the OCAP Implementers Agreement with
  CableLabs before they provide the certificate files. As a minimum, you
  will be requested to execute Annex B of this agreement, for the
  "OCAP Materials".
  CableLabs should then supply the test root certificate, a certificate
  authority (CA) certificate, your leaf certificate and the private key
  for the leaf certificate. You will also need the pass phrase allocated
  by CableLabs for accessing your private key.
- Install the root certificate into your OCAP SFG certificate database
  by using the command:
    ocapsfg install -in {filename.cert} -selfsigned -base {directory}
  Where {directory} is the location of your default OCAP SFG file
  structure, containing the OCAP.index file and related directories, and
  {filename.cert} is the location of the certificate file which you are
  installing into the database.
  Note that the filename must end with .cert, so if the certificates
  are named with a .pem postfix, you will need to rename them as
  filename.pem.cert.
- Repeat this process for the CA certificate using:
    ocapsfg install -in {filename.cert} -base {directory} -purpose mhp_ca
- Finally, install your leaf certificate using:
    ocapsfg install -in {filename.cert} -base {directory} -purpose mhp_sign
  Note that you need to add certificates nearest to the root certificate
  first, and work down to the leaf certificate last. The default
  "purpose" is mhp_sign.
- You can view the content of a certificate by using the following command:
    ocapsfg x509 -text -in {filename.cert}
- Generate a Permission Request File and place it in the same directory
  as the application's initial class, naming the file
  ocap.<application name>.perm. Note that <application name> should be
  the name of the initial class without the .class extension.
- Sign the application:
    ocapsfg sign -certfile {filename.cert} -keyfile {your.key} -sigdir {root} -xmlcred {sigfile.xml} -base {dir}
  Where {filename.cert} is the path name of your leaf certificate,
  {your.key} is your private key, {root} is the root of the OCAP
  application directory structure, {sigfile.xml} is the signature
  control file and {dir} is the directory containing the OCAP SFG
  default file structure.
  Note that if CableLabs has assigned you a private key with a pass phrase
  (which is most likely), you will be prompted to enter it after executing
  the above command.
  Or, if you are using a config file:
    ocapsfg sign -config {config.xml} -sigdir {dir} -xmlcred {sigfile.xml}
- Check a signature:
    ocapsfg sign -check -sigdir root -suffix 1
  Where -suffix denotes the suffix number of the ocap.certificates and
  ocap.signaturefile files.
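
A wrapper for the three install steps earlier in this list, as an added example (not part of the original instructions or of the OCAP SFG tool): it applies the .cert suffix rule and installs root first, then CA, then leaf, stopping at the first failure. The function names and the OCAPSFG override variable are assumptions; only the ocapsfg options shown above are used.

```sh
#!/bin/sh
# Added example: install a root -> CA -> leaf chain in the order ocapsfg needs.
# OCAPSFG is an assumed override hook (e.g. OCAPSFG=echo for a dry run).
OCAPSFG=${OCAPSFG:-ocapsfg}

# Print the file name the tool will accept: it must end in .cert.
cert_name() {
    case "$1" in
        *.cert) printf '%s\n' "$1" ;;
        *)      printf '%s.cert\n' "$1" ;;   # foo.pem -> foo.pem.cert
    esac
}

# Make sure a .cert-named copy exists and print its path.
# Copies rather than renames so the file as delivered is left untouched.
ensure_cert() {
    target=$(cert_name "$1")
    if [ "$target" != "$1" ]; then
        cp -- "$1" "$target" || return 1
    fi
    printf '%s\n' "$target"
}

# install_chain BASE ROOT CA LEAF
# Checks every input before touching the database, then installs root first.
install_chain() {
    base=$1
    [ -f "$base/OCAP.index" ] || { echo "no OCAP.index in $base" >&2; return 1; }
    for f in "$2" "$3" "$4"; do
        [ -s "$f" ] || { echo "missing or empty certificate: $f" >&2; return 1; }
    done
    root=$(ensure_cert "$2") && ca=$(ensure_cert "$3") &&
        leaf=$(ensure_cert "$4") || return 1
    # && stops at the first failure, so a leaf is never installed without
    # its issuer chain already in the database.
    $OCAPSFG install -in "$root" -selfsigned -base "$base" &&
    $OCAPSFG install -in "$ca" -base "$base" -purpose mhp_ca &&
    $OCAPSFG install -in "$leaf" -base "$base" -purpose mhp_sign
}

# Usage (paths are placeholders):
#   install_chain ./sfg root.pem ca.pem leaf.pem
```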