Change self-signed certificate to External CA signed certificate

We are trying to change a self-signed certificate that was created during our IDM installation process to an external CA signed certificate. Tried to follow the instructions (Enabling SSL with a External CA Signed Certificate - NetIQ Identity Manager - Administrator’s Guide to the Identity Applications) to add the root certificate to tomcat.ks, but it will not pick up that certificate (it seems that it is still using the self-created one). My question is if there is something else we also need to configure to make this work? We have changed all the URLs to use a DNS alias (that part seems to work).

IDM: 4.8 on Linux RHEL 8

  • 0  

    I do not think that after install, the tomcat.ks will be updated by anything to add in the new public key. You will need to use Keytool or some other tool to export the private key and save it in a file named tomcat.ks and copy the file into the proper location.

    The public key should also be importable via the configupdate.sh, I think. But I find it much safer to always check the various keystores with keytool and make sure the new public key is present where needed.

  • 0  

    Geoffrey describes in his post what to do in principle.

    When using wildcard certificates in a Tomcat key store, it is very important that the complete chain is present in the wildcard, i.e. the root certificate, the intermediate certificate and the wildcard itself. The chain should be available in PKCS#7 or PKCS#8 format. The keystore password for a keystore is usually changeit.

    Expired certificates or self-signed (expired) certificates may have to be removed from the keystore. In this case, it may make sense to back up the keystore and start from scratch.

    Here is an example to “look inside” a keystore:
    keytool -list -keystore /usr/java/jdkxxxx/jre/lib/security/cacerts
    Enter keystore password: changeit

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 94 entries

    digicertassuredidrootca, Apr 16, 2008, trustedCertEntry,
    Certificate fingerprint (SHA1): 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43
    comodorsaca, May 12, 2015, trustedCertEntry,

    I just don't have the time to describe the whole process; a good baking guide can be found in the documentation of OT Vibe, or just fire up Google and search for vibe and wildcard and keystore, there are really good hints.

    George

    “You can't teach a person anything, you can only help them to discover it within themselves.” Galileo Galilei

  • 0 in reply to   

    Thanks much for your reply.

    I tried to do this from scratch as well. I removed the tomcat.ks and created a new one (followed this guide: Creating a Keystore and Certificate Signing Request - NetIQ Identity Manager - Administrator’s Guide to the Identity Applications).

    I added the root cert: Enabling SSL with a External CA Signed Certificate - NetIQ Identity Manager - Administrator’s Guide to the Identity Applications.

    And also the intermediate certificate.

    When I then try to go to the IDM URL it will not pick up those certificates.

    The certificate path has the fully qualified name of the server I specified during the creation steps of the tomcat.ks.
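An added example, not from this thread or the NetIQ documentation, that turns the keytool inspection George describes into a check that can be run before restarting the identity applications: it parses `keytool -list -v` output for the alias Tomcat serves from and verifies that the entry is a PrivateKeyEntry, that the full chain (leaf, intermediate, root) is present, and that the leaf CN covers the hostname users actually browse to (the DNS alias), which is the hostname question raised in the previous post. The alias `tomcat`, the hostnames and both listings below are constructed sample data.

```shell
#!/bin/sh
# Added example (not part of the original thread). Checks the entry Tomcat will
# serve from in a `keytool -list -v -keystore tomcat.ks` listing. Alias,
# hostnames and the two listings are CONSTRUCTED sample data.
# Arguments: listing text, alias, hostname users browse to (the DNS alias).
# Succeeds only for a PrivateKeyEntry with chain length >= 3 whose leaf CN is
# that hostname or a wildcard for its domain; otherwise prints what is wrong.
check_tomcat_entry() {
    printf '%s\n' "$1" | awk -v alias="$2" -v host="$3" '
        function covers(owner, h,  dom) {          # exact CN or *.domain CN
            if (index(owner ",", "CN=" h ",") > 0) return 1
            dom = h; sub(/^[^.]*/, "", dom)         # "idm.example.test" -> ".example.test"
            return index(owner ",", "CN=*" dom ",") > 0
        }
        /^Alias name: /                           { in_entry = ($3 == alias) }
        in_entry && /^Entry type: /               { etype = $3 }
        in_entry && /^Certificate chain length: / { chain = $4 + 0 }
        in_entry && $0 == "Certificate[1]:"       { leaf = 1; next }
        in_entry && leaf && /^Owner: /            { owner = $0; leaf = 0 }
        END {
            ok = 1
            if (etype != "PrivateKeyEntry") { print "alias " alias " is not a PrivateKeyEntry: " etype; ok = 0 }
            if (chain < 3)  { print "chain length " chain ", expected leaf + intermediate + root"; ok = 0 }
            if (!covers(owner, host)) { print "leaf subject does not cover " host ": " owner; ok = 0 }
            if (ok) print "OK: " alias " serves " host " with a " chain "-certificate chain"
            exit !ok
        }'
}
# Constructed listing: external-CA chain imported under alias "tomcat".
GOOD_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=idm.example.test, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Org, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example Org, C=US
Issuer: CN=Example Root CA, O=Example Org, C=US'
# Constructed listing: the install-time self-signed entry is still in place
# (chain length 1, CN is the server FQDN rather than the DNS alias).
BAD_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idmhost01.example.test, O=Example Org, C=US
Issuer: CN=idmhost01.example.test, O=Example Org, C=US'
check_tomcat_entry "$GOOD_LISTING" tomcat idm.example.test
check_tomcat_entry "$BAD_LISTING"  tomcat idm.example.test || echo "fix tomcat.ks before restarting Tomcat"
```

Against a real keystore, feed the function the listing directly, e.g. `check_tomcat_entry "$(keytool -list -v -keystore tomcat.ks)" tomcat idm.example.test` (keytool prompts for the store password). The check reads only the Owner CN, so a certificate that names the alias solely in a SAN extension is reported as not covering the host.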