Introduction
This scenario helps the CA Single Sign-On security administrator replace the Administrative UI server's default self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI.
Environment:
- Product: CA Single Sign-On Administrative UI
- Release: 12.52SP2 and above
- OS: All supported operating systems
Instructions:
1. Stop the Administrative UI service.
2. Back up the existing keystore
CA Single Sign-On Administrative UI stores its certificate in the keyStore.jks file located in the $AdminUI_Install_Directory$\standalone\configuration folder.
Before replacing the self-signed certificate with the trusted certificate, back up this keyStore.jks file.
3. List the current entries in the keystore
Start a command prompt as Administrator and change to the following folder:
$AdminUI_Install_Directory$\standalone\configuration
Then execute the following command to list the current entries in the keystore:
[text]
keytool -list -keystore keyStore.jks -storepass changeit -v
[/text]
Note:
- The default keystore password is “changeit”
- The alias for the default self-signed certificate and keypair is “tomcat”
4. Delete the current self-signed certificate and key pair from the keystore
Run the following command to delete the current self-signed certificate and key pair:
[text]
keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v
[/text]
5. Generate a Key Pair and a Self-Signed Certificate
Generate a key pair (public and private keys) and a self-signed certificate, and store them in the CA Single Sign-On Administrative UI keystore, using the following keytool command.
[text]
keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=vm1.ca.com" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v
[/text]
Note:
- The alias for the new self-signed certificate is changed to “JBoss_Key”.
- The key password (-keypass) must be the same as the keystore (-storepass) password.
- Ensure that the hostname (-dname) matches the FQDN of your Administrative UI server.
- Many CAs no longer accept 1024-bit RSA keys or SHA-1 (SHA1withRSA) signature requests; confirm the key size and signature algorithm your CA requires before generating the key pair.
A key pair and a self-signed certificate are generated and stored in the keystore.
6. Go to $AdminUI_Install_Directory$\standalone\configuration and edit standalone-full.xml
Change
[text]
<ssl>
<keystore alias="tomcat" key-password="changeit" keystore-password="changeit" path="keyStore.jks" relative-to="jboss.server.config.dir"/>
</ssl>
[/text]
to
[text]
<ssl>
<keystore alias="jboss_key" key-password="changeit" keystore-password="changeit" path="keyStore.jks" relative-to="jboss.server.config.dir"/>
</ssl>
[/text]
7. Start the SiteMinder Administrative UI service and verify that the new self-signed certificate is in effect.
To replace the self-signed certificate just created with a trusted certificate signed by a Certificate Authority, proceed with the following steps.
8. Stop the Administrative UI service.
9. Generate and Submit a Certificate Signing Request to a Certificate Authority
Generate a PKCS#10 Certificate Signing Request (CSR) file using the following keytool command and submit it to a trusted CA. The CA uses the CSR file to issue a signed certificate identifying your server.
[text]
keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v
[/text]
The CSR file “adminui_certreq.p10” is generated.
10. Submit the “adminui_certreq.p10” CSR file to a trusted CA for signing.
11. When you receive the signed certificate from the CA, run the following command to import it:
[text]
keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v
[/text]
Note:
- adminui_cert.p7b is the signed certificate returned by the CA in PKCS#7 format. A PKCS#7 bundle contains the server certificate, the intermediate certificate(s), if any, and the root certificate.
- If only the server certificate is provided, you may need to import the intermediate and root certificates separately, as trusted entries under their own aliases, before importing the server certificate.
- This replaces the previously created self-signed certificate under the JBoss_Key alias with the certificate provided by the CA; the private key generated in step 5 is kept.
12. Start the Administrative UI service and verify that the new trusted certificate is in effect.
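As an added example (not part of this article or the product), the verification in steps 7 and 12 can be made concrete: a small Go checker that, given the certificate the Administrative UI presents, reports whether it is still self-signed, whether it matches the server FQDN, and whether it uses a key size or signature algorithm that CAs and browsers reject. The constructedSelfSigned helper is assumed here only to build an offline input that mirrors the article's keytool -genkeypair parameters (CN-only -dname, 1024-bit RSA, 7300-day validity); the names and the 2048-bit threshold are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckAdminUICert lists why a certificate served by the Administrative UI would not
// pass as a trusted, CA-signed server certificate for fqdn; empty means all checks pass.
func CheckAdminUICert(cert *x509.Certificate, fqdn string) []string {
	var findings []string
	if cert.Subject.String() == cert.Issuer.String() {
		findings = append(findings, "self-signed: issuer equals subject, CA certificate not in effect")
	}
	if err := cert.VerifyHostname(fqdn); err != nil { // a CN-only -dname with no SAN fails here
		findings = append(findings, "hostname: "+err.Error())
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("weak key: RSA %d bits, CAs require 2048", pub.N.BitLen()))
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA1WithRSA, x509.MD5WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		findings = append(findings, "weak signature: "+cert.SignatureAlgorithm.String())
	}
	return findings
}

// constructedSelfSigned mimics the article's keytool -genkeypair step (CN-only -dname,
// 7300-day validity); dns adds the SAN entries a real CSR should carry. Constructed input only.
func constructedSelfSigned(cn string, bits int, dns []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: time.Now(), NotAfter: time.Now().Add(7300 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check the running service, obtain the leaf certificate with tls.Dial and ConnectionState().PeerCertificates[0] (with InsecureSkipVerify set only because the goal is to inspect what is served, not to trust it) and pass it to CheckAdminUICert; the article's own 1024-bit, CN-only key pair yields three findings, and adding a SAN and a 2048-bit key leaves only the self-signed finding until the CA reply is imported.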