Importing a certificate chain or intermediate certificates
If you import a certificate that you received from your Certificate Authority (CA) and receive an error message stating that the certificate is not trusted, intermediate certificates from the certificate chain are missing. You must get the complete chain of certificates or all the intermediate certificates from your CA.
Importing a certificate chain
If you receive a certificate chain in a single file, the file must be in PKCS12 format.
To import a certificate chain
- On the BMC Atrium SSO Admin Console, click Edit Server Configuration. The Server Configuration Editor is displayed.
- On the Certificates tab, select the Certificate Store for which you want to import a CSR. The options are: KeyStore, TrustStore, SAMLv2 KeyStore, and Session KeyStore.
- Select the KeyStore option from the list.
- Click Import. The Upload Certificate dialog box is displayed. You can upload the certificate by using one of the following options:
  - PEM Encoded Certificate—Open the chained certificate file, copy its contents, and paste them into the PEM Encoded Certificate option in the Upload Certificate dialog box.
  - DER/PEM/PKCS12 Encoded File—To import a chain of certificates, upload the PKCS#12 file that you received from your CA. When you select the PKCS12 file, an additional password field is provided, allowing you to enter the password for the KeyStore.
- Click Upload. After the file is uploaded, the Import Certificate Editor is displayed. It shows all the information about the uploaded certificate, along with the chained hierarchy of the certificates.
- Enter the alias for the certificate.
- Click OK to close the Import Certificate Editor.
- Click Save to close the Server Configuration Editor.
- Stop and restart the BMC Atrium Single Sign-On server.
Importing intermediate certificates
If the complete chain is not available as a single file, you must get the intermediate CA certificates leading to the root, and then import them.
To get the intermediate certificates
- From the command prompt, change your working directory to:
- Print the signed certificate:
  keytool -printcert -file <cert_name>.cer
- From the print command output, find the issuer of the certificate.
- Get the issuer certificate from your CA and save it under a certificate file name.
- Repeat steps 1-4 until you get a certificate where both the owner and issuer are the same. Each time, use the latest issuer certificate that you received from the CA.
To import the intermediate certificates
After you have all the intermediate certificates, you must import them and the root certificate into the KeyStore. For more information, see Importing a certificate into the keystore.
- You must import the root certificate first, followed by the intermediate certificates.
- You must provide a unique alias for each certificate.
After importing all the intermediate certificates in the KeyStore, your certificate will be considered trusted.
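The issuer walk and the root-first import order described above can be checked with a short script. The following is an added example, not part of the BMC documentation: it reads the Owner and Issuer lines of keytool -printcert output and returns the CA certificate files in import order, or names the issuer certificate that is still missing. The file names and certificate subjects are constructed sample values.

```python
import re

def parse_printcert(text):
    """Return (owner, issuer) from the output of `keytool -printcert`."""
    owner = re.search(r"^Owner:\s*(.+)$", text, re.M)
    issuer = re.search(r"^Issuer:\s*(.+)$", text, re.M)
    if not (owner and issuer):
        raise ValueError("Owner/Issuer lines not found")
    return owner.group(1).strip(), issuer.group(1).strip()

def import_order(outputs, leaf):
    """Walk issuer links from the signed certificate `leaf` to the self-signed
    root and return the CA certificate files in import order (root first).

    outputs maps file name -> `keytool -printcert` text. Links are matched by
    name only, as in the manual procedure; signatures are not verified here.
    """
    certs = {name: parse_printcert(text) for name, text in outputs.items()}
    by_owner = {owner: name for name, (owner, _) in certs.items()}
    owner, issuer = certs[leaf]
    seen, chain = {owner}, []
    while owner != issuer:  # the root is reached when owner == issuer
        if issuer not in by_owner:
            raise LookupError(f"request this certificate from the CA: {issuer}")
        name = by_owner[issuer]
        owner, issuer = certs[name]
        if owner in seen:
            raise ValueError(f"issuer loop at {owner}")
        seen.add(owner)
        chain.append(name)
    return chain[::-1]

# Constructed sample output, trimmed to the two lines the walk needs.
SAMPLE = {
    "server.cer": "Owner: CN=sso.example.com, O=Example Corp\n"
                  "Issuer: CN=Example Issuing CA, O=Example Corp\n",
    "issuing.cer": "Owner: CN=Example Issuing CA, O=Example Corp\n"
                   "Issuer: CN=Example Root CA, O=Example Corp\n",
    "root.cer": "Owner: CN=Example Root CA, O=Example Corp\n"
                "Issuer: CN=Example Root CA, O=Example Corp\n",
}

if __name__ == "__main__":
    for position, name in enumerate(import_order(SAMPLE, "server.cer"), 1):
        print(position, name)
```

To use it on real files, replace the SAMPLE values with the text that keytool -printcert prints for each certificate file.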