Tech Tip – How to obtain and import a Trusted Certificate for CA SSO Administrative UI

Introduction

This scenario helps the CA Single Sign-On security administrator replace the Administrative UI server’s default self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI.

Environment:
  • Product: CA Single Sign-On Administrative UI
  • Release: 12.52SP2 and above
  • OS: All supported operating systems
Instructions:

1.  Stop the Administrative UI service.

2.  Back up the existing key store

CA Single Sign-On Administrative UI stores its certificate in the keyStore.jks file located in the $AdminUI_Install_Directory$\standalone\configuration folder.

Before replacing the self-signed certificate with the trusted certificate, back up this keyStore.jks file.

3.  List current entries from the keystore

Start a command prompt as Administrator and go to the following folder:

$AdminUI_Install_Directory$\standalone\configuration

Then, execute the following command to list the current entries in the keystore:

keytool -list -keystore keyStore.jks -storepass changeit -v

Note:

  • The default keystore password is “changeit”.
  • The alias for the default self-signed certificate and key pair is “tomcat”.


4.  Delete current self-signed certificate and key pair from the keystore

Run the following command to delete the current self-signed certificate and key pair:

keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v


5.  Generate a Key Pair and a Self-Signed Certificate

Generate a key pair (public and private keys) and a self-signed certificate, and store them in the CA Single Sign-On Administrative UI keystore, using the following keytool command:

keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "CN=vm1.ca.com" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v

Note:

  • We changed the alias for the new self-signed certificate to “JBoss_Key”.
  • The key password (-keypass) must be the same as the key store password (-storepass).
  • Ensure that the hostname in -dname matches the FQDN of your Administrative UI server.


A key pair and a self-signed certificate are generated and stored in the keystore.

6.  Go to $AdminUI_Install_Directory$\standalone\configuration and edit standalone-full.xml

Change

<ssl>
<keystore alias="tomcat" key-password="changeit" keystore-password="changeit" path="keyStore.jks" relative-to="jboss.server.config.dir"/>
</ssl>

to

<ssl>
<keystore alias="jboss_key" key-password="changeit" keystore-password="changeit" path="keyStore.jks" relative-to="jboss.server.config.dir"/>
</ssl>

7.  Start the SiteMinder Administrative UI service and verify that the new self-signed certificate is in effect.

Now, if you want to replace the self-signed certificate you just created with a certificate signed by a trusted Certificate Authority, proceed with the steps below.

8.  Stop the Administrative UI service.

9.  Generate and Submit a Certificate Signing Request to a Certificate Authority

Generate a PKCS#10 Certificate Signing Request (CSR) file using the following keytool command and submit it to a trusted CA. The CA uses the CSR to issue a signed certificate that identifies your server.

keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v

A CSR file “adminui_certreq.p10” is generated.

10. Submit the “adminui_certreq.p10” CSR file to a trusted CA for signing.

11. When you receive the signed certificate from the CA, run the following command to import it:

keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v

Note:

  • adminui_cert.p7b is the signed certificate returned by the CA in PKCS#7 format. A PKCS#7 file contains the server certificate, any intermediate certificates, and the root certificate.
  • If only the server certificate is provided, you might need to import the intermediate and root certificates separately as well.
  • This overwrites the previously created self-signed certificate with the certificate provided by the CA.

12. Start the Administrative UI service and verify that the new trusted certificate is in effect.
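To make the "verify" in steps 7 and 12 concrete, the following bash function (an added example, not part of the original tip or of the product) parses `keytool -list -v` output and checks that the alias named in the `<ssl>` element is a PrivateKeyEntry, that its leaf CN matches the Administrative UI FQDN, that the chain includes the CA certificates after step 11, and that the leaf is not signed with SHA-1 or MD5, which current browsers reject. It assumes the alias `jboss_key` and FQDN `vm1.ca.com` from the page, bash (e.g. Git Bash or WSL on Windows), and a constructed sample listing in place of real keytool output.

```shell
# check_listing ALIAS FQDN MIN_CHAIN LISTING  -> 0 if every check passes, 1 otherwise
# LISTING is the text printed by: keytool -list -v -keystore keyStore.jks -storepass changeit
check_listing() {
  alias_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keytool stores aliases lower-cased
  fqdn="$2"; min_chain="$3"; rc=0
  # Keep only the lines of the entry for this alias (up to the next "Alias name:").
  block=$(printf '%s\n' "$4" | awk -v a="$alias_lc" '
    /^Alias name: / { show = ($0 == ("Alias name: " a)) }
    show { print }')
  [ -n "$block" ] || { echo "FAIL: no entry with alias '$alias_lc'"; return 1; }
  # A PrivateKeyEntry is required: importing a certificate under a fresh alias creates a
  # trustedCertEntry, which has no private key and cannot terminate TLS.
  printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry$' \
    || { echo "FAIL: '$alias_lc' is not a PrivateKeyEntry"; rc=1; }
  # Chain length is 1 while self-signed and at least 2 once the CA reply (server
  # certificate plus intermediate/root) has been imported.
  chain=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: //p')
  [ "${chain:-0}" -ge "$min_chain" ] \
    || { echo "FAIL: chain length ${chain:-0} < $min_chain (import intermediate/root)"; rc=1; }
  # The leaf (Certificate[1]) CN must match the FQDN users enter in the browser.
  cn=$(printf '%s\n' "$block" | sed -n 's/^Owner: .*CN=\([^,]*\).*/\1/p' | head -n 1)
  [ "$cn" = "$fqdn" ] || { echo "FAIL: leaf CN '$cn' != '$fqdn'"; rc=1; }
  # Leaf signature algorithm: SHA-1 and MD5 signatures are rejected by current browsers.
  sig=$(printf '%s\n' "$block" | sed -n 's/^Signature algorithm name: //p' | head -n 1)
  case "$sig" in SHA1*|MD5*) echo "FAIL: weak leaf signature algorithm '$sig'"; rc=1 ;; esac
  [ "$rc" -eq 0 ] && echo "OK: $alias_lc -> CN=$cn chain=$chain sig=$sig"
  return "$rc"
}

# Constructed sample listing (not real keytool output) of keyStore.jks after step 11.
SAMPLE_LISTING='Alias name: jboss_key
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=vm1.ca.com, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp
Signature algorithm name: SHA256withRSA'

check_listing jboss_key vm1.ca.com 2 "$SAMPLE_LISTING"
```

Use MIN_CHAIN 1 after step 7 and 2 after step 12; a listing produced by the commands in steps 5 and 9 as written will be flagged for its SHA1withRSA signature.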
