To obtain a CA-signed certificate for BMC Atrium Single Sign-On, you must generate a Certificate Signing Request (CSR).
To generate a CSR
- On the BMC Atrium SSO Admin Console, click Edit Server Configuration. The Server Configuration Editor is displayed.
- On the Certificates tab, select the Certificate Store for which you want to generate a CSR.
  You cannot create a CSR for certificates. You can create a CSR only for a key pair.
- From the list of available key pairs, select a key pair and click CSR. The CSR is displayed in the following format:
  -----BEGIN NEW CERTIFICATE REQUEST-----
  MIIBmDCCAQECAQAwWDEZMBcGA1UECxMQQXRyaXVtU1NPIFNlcnZlcjEVMBMGA1UEChMMQk1DIFNv
  ZnR3YXJlMSQwIgYDVQQDExtpQk1DLUpCSEJCSzEuYWRwcm9kLmJtYy5jb20wgZ8wDQYJKoZIhvcN
  AQEBBQADgY0AMIGJAoGBAJABuagV7e12Yu3m0LmNWEmVE4HXrdaB+uOyZFyKLZxO2e+WX3r9vc9q
  al5VQSE1yME6ml53B9sWS2RWA5d8xDPW8ppQe3dqQdf3QDDzfXQ18MmZAfraSbv6Y2Tj0Oad10Uf
  c8NUXYCvKNcmdHzkabaHuTOXuhfyGyzyCgFdd/jTAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAx
  oNCBNvnbYNHD02QOIXEP4eMd9HlfJjvJHtAS6SyibMEd00mq/BD5iV1TewwkmvJRn1BjmzGXNO1c
  xbasQaHN9l0+HP4X6aWfRIJtq9GOj4d9Y2wb5L6SEsgnCtnvbHDsMR0AEBLPCR7nVJ4vgQsZ9xLj
  EfQB8idnyyimIfoqqQ==
  -----END NEW CERTIFICATE REQUEST-----
- Copy the CSR details and save them to a local file with a .csr extension; for example, cert_signing.csr.
- Click OK to close the CSR.
You must send the saved CSR file to the CA for a digital signature.
The Common Name (CN) of the certificate cannot be modified, because the CN must match the host name of the server. If the names do not match, the browser issues a warning telling you that the server is trying to impersonate another site.
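Because the CN is fixed once the CSR exists, it is worth confirming what the saved file actually contains before it goes to the CA. The following is an added example, not BMC code: a standard-library Python check that reads the subject CN out of a PEM-encoded CSR and compares it with the expected host name. The function names are illustrative, the sample input is the CSR shown on this page, and the parser assumes single-byte DER tags and a CN stored as a UTF-8-compatible string type.

```python
import base64
import re

SAMPLE_CSR = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBmDCCAQECAQAwWDEZMBcGA1UECxMQQXRyaXVtU1NPIFNlcnZlcjEVMBMGA1UEChMMQk1DIFNv
ZnR3YXJlMSQwIgYDVQQDExtpQk1DLUpCSEJCSzEuYWRwcm9kLmJtYy5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAJABuagV7e12Yu3m0LmNWEmVE4HXrdaB+uOyZFyKLZxO2e+WX3r9vc9q
al5VQSE1yME6ml53B9sWS2RWA5d8xDPW8ppQe3dqQdf3QDDzfXQ18MmZAfraSbv6Y2Tj0Oad10Uf
c8NUXYCvKNcmdHzkabaHuTOXuhfyGyzyCgFdd/jTAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQAx
oNCBNvnbYNHD02QOIXEP4eMd9HlfJjvJHtAS6SyibMEd00mq/BD5iV1TewwkmvJRn1BjmzGXNO1c
xbasQaHN9l0+HP4X6aWfRIJtq9GOj4d9Y2wb5L6SEsgnCtnvbHDsMR0AEBLPCR7nVJ4vgQsZ9xLj
EfQB8idnyyimIfoqqQ==
-----END NEW CERTIFICATE REQUEST-----"""  # the sample CSR shown on this page
CN_OID = bytes.fromhex("550403")  # DER content bytes of OID 2.5.4.3 (commonName)

def elements(buf, pos, end):
    """Yield (value_start, value_end) for each DER element in buf[pos:end]."""
    while pos < end:
        length, pos = buf[pos + 1], pos + 2          # skip the tag, read first length byte
        if length & 0x80:                            # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > end:
            raise ValueError("truncated or malformed DER")
        yield pos, pos + length
        pos += length

def csr_common_names(pem):
    """Return every CN found in the subject of a PEM-encoded PKCS#10 request."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate request found")
    der = base64.b64decode(m.group(1))
    (req,) = elements(der, 0, len(der))              # CertificationRequest
    info = next(elements(der, *req))                 # CertificationRequestInfo
    _version, subject = list(elements(der, *info))[:2]
    names = []
    for rdn in elements(der, *subject):              # each RDN is a SET of attributes
        for atv in elements(der, *rdn):              # AttributeTypeAndValue: OID, value
            oid, value = list(elements(der, *atv))
            if der[oid[0]:oid[1]] == CN_OID:
                names.append(der[value[0]:value[1]].decode("utf-8", "replace"))
    return names

def cn_matches_host(pem, host):
    """True only when the subject has exactly one CN and it equals host (case-insensitive)."""
    names = csr_common_names(pem)
    return len(names) == 1 and names[0].lower() == host.lower()
```

To check the saved file, pass the contents of cert_signing.csr and the server's host name to `cn_matches_host`; a `False` result means the CA would sign a name that browsers will not accept for that server.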
Importing the signed certificate
After a CSR is signed by a CA, follow the instructions for importing a certificate into KeyStore. Import the signing root CA and any intermediate signing certificates into the keystore. If the certificate with the alias tomcat is already signed, the intermediate certificates are attached to the existing tomcat certificate.