Importing a certificate into the keystore
After generating a new certificate and getting it signed by a Certificate Authority (CA), you must import the certificate into the keystore. The certificate must be in one of the following formats:
- Printable DER format (file extension .pem)
- Binary DER format (file extensions .cer, .crt, or .der)
- PKCS#12 format
Note
You can now import the complete chain of certificates and all the intermediate certificates from your CA by using the Certificates tab in the Server Configuration Editor.
You can also delete the self-signed certificate prior to importing the CA signed certificate.
To import the certificate
- On the BMC Atrium SSO Admin Console, click Edit Server Configuration. The Server Configuration Editor is displayed.
- On the Certificates tab, select KeyStore from the Certificate Store list.
- Click Import. The Upload Certificate dialog box is displayed. You can upload the certificate by using one of the following options:
  - PEM Encoded Certificate — Use this option to copy the certificate details into the dialog box.
  - HTTPS URL — Enter the host and port from which to capture a certificate.
  - DER/PEM/PKCS12 Encoded File — To import a key pair, upload the PEM- or DER-encoded file. To import a chain of certificates, upload the PKCS#12 file. When you select PKCS#12, an additional password field is provided, allowing you to enter the password for the keystore. This password is used to decrypt the private key of the signed certificate.
- Click Upload. After the file is uploaded, the Import Certificate Editor is displayed. This editor displays all the information about the imported certificate. If the certificate that you have imported is a chained certificate, the hierarchy of the certificate chain is displayed in the Import Certificate Editor.
- Enter the alias (tomcat) for each certificate or key pair that you are uploading to the KeyStore.
- Click OK to close the Import Certificate Editor. You are prompted to confirm whether you want to copy the same certificate to the TrustStore. Based on your confirmation, the certificate is created, and it appears in the list of TrustStore certificates as well.
Recommendation
You must choose to copy the certificate while creating a new key pair. You must also copy the same certificate to the TrustStore on the other nodes when BMC Atrium Single Sign-On is deployed in HA mode.
To verify whether the certificate has been imported into the truststore, see Checking the truststore for certificates.
- Click Save to close the Server Configuration Editor.
- Stop and restart the BMC Atrium Single Sign-On server.
Comments
Should the Alias of the imported certificate be equal to 'tomcat' in keystore?
Should the default self-signed certificate with alias 'tomcat' be removed when importing a new certificate signed by trusted CA?
Hi Ivan,
Thank you for your comment. I will check with the concerned SME and get back to you.
Regards,
Kamal
Hi Ivan,
Thank you for your comment.
The alias is the tomcat alias and the user can delete the self-signed certificate prior to importing the CA signed certificate.
Regards,
Kamal
Ok,
In an HA cluster, when importing the signed certificate into the keystore, I see the following in the catalina logs during restart of the services:
Caused by: java.io.IOException: Alias name tomcat does not identify a key entry
I think the procedure for generating CSR and importing the signed certificates must be revised for HA. So far I haven't succeeded in setting up the cluster to work correctly.
Hi again,
I have finally succeeded in setting up the certificates on my SSO nodes in the HA cluster. The steps I followed were the following:
keytool -v -certreq -alias tomcat -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -dname "CN=SSOLB.corp.org,OU=AtriumSSO Server,O=BMC Software,L=Austin,ST=Texas,C=US" -ext san=dns:ssolb.corp.org,dns:ssonode1.corp.org,dns:ssonode2.corp.org,dns:ssolb,dns:ssonode1,dns:ssonode2 -file CLI.csr
The above will generate a CSR with SAN extension for the SSO loadbalancer, SSO node 1 and SSO node 2, using their FQDNs and short names.
keytool -importcert -alias tomcat -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE -file CLI-all.cer -trustcacerts
The tool will probably ask you if you would like to trust the CA certificates. Answer with "yes" and continue with a return on your keyboard.
keytool -delete -alias tomcat -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
This will remove the old certificate with alias "tomcat" from cacerts. Continue with the next command:
keytool -importcert -alias tomcat -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE -file CLI-all.cer -trustcacerts
Again, answer "yes" if the tool asks you if you would like to trust the CA certificates.
keytool -list -v -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE
...and...
keytool -list -v -keystore cacerts.p12 -storepass changeit -storetype PKCS12 -providername JsafeJCE
One very important thing you need to check is whether the "tomcat" entry in keystore.p12 has the following attribute:
Entry type: PrivateKeyEntry
If you see this after the list command on keystore.p12, plus the certificates you imported from "CLI-all.cer" in the entry, then you are good to go.
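As an added check that is not part of the original page or of the comment above, the following POSIX shell script parses keytool -list -v output and fails unless the alias is a PrivateKeyEntry with a complete chain, which is exactly the condition behind the "does not identify a key entry" error quoted earlier; the two sample listings are constructed, and the alias "tomcat" and the store options match the commands above.

```shell
#!/bin/sh
# keystore_entry_ok LISTING ALIAS [MIN_CHAIN]
# Returns 0 when ALIAS appears in a `keytool -list -v` listing as a
# PrivateKeyEntry whose certificate chain has at least MIN_CHAIN certificates
# (default 2: the server certificate plus at least one CA certificate).
# A trustedCertEntry under the same alias (what you get when only the signed
# certificate, without its private key, was imported) makes it return 1.
keystore_entry_ok() {
  listing=$1; alias=$2; min_chain=${3:-2}
  printf '%s\n' "$listing" | awk -v alias="$alias" -v min="$min_chain" '
    /^Alias name: /                               { cur = substr($0, 13) }
    cur == alias && /^Entry type: /               { etype = $3 }
    cur == alias && /^Certificate chain length: / { len = $4 }
    END { exit !(etype == "PrivateKeyEntry" && len + 0 >= min + 0) }'
}

# check_keystore FILE STOREPASS ALIAS [extra keytool options]
# Runs keytool on a real PKCS12 store (keytool must be on PATH); pass any
# provider options your JRE needs, e.g. -providername JsafeJCE as on this page.
check_keystore() {
  file=$1; pass=$2; alias=$3; shift 3
  keystore_entry_ok "$(keytool -list -v -keystore "$file" -storepass "$pass" \
      -storetype PKCS12 "$@")" "$alias"
}

# Constructed sample listings (not real keytool output from any system).
GOOD_LISTING='Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=SSOLB.corp.org, OU=AtriumSSO Server, O=BMC Software
Issuer: CN=Example Issuing CA'

BAD_LISTING='Keystore type: PKCS12
Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=SSOLB.corp.org, OU=AtriumSSO Server, O=BMC Software
Issuer: CN=Example Issuing CA'

if keystore_entry_ok "$GOOD_LISTING" tomcat; then echo "good store: tomcat is a key entry"; fi
if ! keystore_entry_ok "$BAD_LISTING" tomcat; then echo "bad store: tomcat is NOT a key entry"; fi
```

Run check_keystore keystore.p12 internal4bmc tomcat -providername JsafeJCE on each node before restarting; a non-zero exit means that node would hit the error above.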
Hi Ivan,
Thank you for your comment and procedures. I will discuss with the concerned SME and edit the topic.
Regards,
Kamal
Hi,
If you allow, I would suggest raising the following two things with the SMEs:
Kind Regards,
Ivan
Hi Ivan,
Ok.
Regards,
Kamal