Importing a certificate into the keystore
After generating a new certificate and getting it signed by a Certificate Authority (CA), you must import the certificate into the keystore. The certificate must be in one of the following formats:
- Printable DER format (file extension .pem)
- Binary DER format (file extensions .cer, .crt, or .der)
- PKCS#12 format.
You can now import the complete chain of certificates and all the intermediate certificates from your CA by using the Certificates tab in the Server Configuration Editor.
You can also delete the self-signed certificate prior to importing the CA signed certificate.
To import the certificate
- On the BMC Atrium SSO Admin Console, click Edit Server Configuration. The Server Configuration Editor is displayed.
- On the Certificates tab, select KeyStore from the Certificate Store list.
- Click Import. The Upload Certificate dialog box is displayed. You can upload the certificate by using one of the following options:
  - PEM Encoded Certificate — Use this option to copy the certificate details.
  - HTTPS URL — Enter the host and port from which to capture a certificate.
  - DER/PEM/PKCS12 Encoded File — To import a key pair, upload the PEM-encoded or DER-encoded files. To import a chain of certificates, upload the PKCS#12 file. When you select PKCS#12, an additional password field is provided, allowing you to enter the password for the keystore. This password is used for decrypting the private key of the signed certificate.
- Click Upload. After the file is uploaded, the Import Certificate Editor is displayed. This editor displays all the information about the imported certificate. If the certificate that you have imported is a chained certificate, the hierarchy of the certificate chain is displayed in the Import Certificate Editor.
- Enter the alias (tomcat) for each certificate or key pair that you are uploading to the KeyStore.
- Click OK to close the Import Certificate Editor. You are prompted to confirm whether you want to copy the same certificate to the TrustStore. Based on your confirmation, the certificate is created, and it appears in the list of TrustStore certificates as well.
  You must choose to copy the certificate while creating a new key pair. You must also copy the same certificate to the TrustStore on other nodes when BMC Atrium Single Sign-On is deployed in HA mode.
  To verify whether the certificate has been imported into the truststore, see Checking the truststore for certificates.
- Click Save to close the Server Configuration Editor.
- Stop and restart the BMC Atrium Single Sign-On server.
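Files ending in .crt or .cer often hold PEM text rather than binary DER, so it helps to check what a file actually contains before picking an upload option. The following is an added example, not BMC code or part of the original procedure: it classifies content as one of the three accepted formats by inspecting header bytes only (it does not validate the certificate), and the function names and sample bytes are constructed for illustration.

```python
import base64
import os
import re

# Extensions the page lists per format (it lists none for PKCS#12).
PAGE_EXTENSIONS = {"PEM": {".pem"}, "DER": {".cer", ".crt", ".der"}}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def classify(data):
    """Classify file content as 'PEM', 'DER', 'PKCS#12' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if len(data) < 2 or data[0] != 0x30:  # must open with an ASN.1 SEQUENCE
        return "unknown"
    # Long-form lengths (0x81..0x84) carry extra length bytes after the first.
    skip = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
    body = data[skip:]
    if body[:3] == b"\x02\x01\x03":  # PKCS#12 PFX begins with INTEGER version 3
        return "PKCS#12"
    if body[:1] == b"\x30":  # X.509 Certificate begins with the tbsCertificate SEQUENCE
        return "DER"
    return "unknown"


def pem_labels(data):
    """Labels of the PEM blocks in file order, e.g. to count certificates in a chain."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def extension_agrees(filename, data):
    """True/False against the page's extension list; None if it lists none for the format."""
    kind = classify(data)
    if kind not in PAGE_EXTENSIONS:
        return None
    return os.path.splitext(filename)[1].lower() in PAGE_EXTENSIONS[kind]


# Constructed sample inputs: ASN.1 header bytes only, not real certificates.
SAMPLE_DER = bytes.fromhex("3082010a3082") + b"\x00" * 8
SAMPLE_P12 = bytes.fromhex("30820900020103") + b"\x00" * 8
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    samples = (("server.crt", SAMPLE_PEM), ("server.der", SAMPLE_DER), ("chain.p12", SAMPLE_P12))
    for name, blob in samples:
        print(name, classify(blob), extension_agrees(name, blob))
```

A False result from `extension_agrees` means the content is in a different format than the extension suggests under the list at the top of this page, which is worth resolving before upload.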