Configuring Identity Server to Use an Externally Signed Certificate

This section explains how to enable SSL between Identity Servers and browsers.

  1. Click Devices > Identity Servers > Edit.

  2. Change Protocol to HTTPS (the system changes the port to 8443).

  3. In the SSL Certificate line, click the Browse icon > Replace and select the Identity Server certificate.

  4. Restart Tomcat.

    If your Identity Server and Administration Console are on the same machine, log in to Administration Console again.

  5. After the Identity Server health turns green, go to Access Gateway > Edit > Service Provider Certificates > Trusted Roots.

  6. Click Add to select the trusted root certificate of the certificate authority that signed the Identity Server certificate.

    (Conditional) If you imported intermediate certificates for the CA, select them also.

    IMPORTANT: If the external certificate authority writes the DN in reverse order (the cn element is displayed first), you receive an error message that the certificate names do not match. You can ignore this warning if the order of the DN elements is the cause.

  7. Update Access Gateway.
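The warning described in step 6 arises when the same DN is written with its elements in the opposite order. The following Python helper is an added example, not part of the product or of this documentation; it parses two DN strings and reports whether they differ only in element order (the benign case) or in their actual elements (a real mismatch that must not be ignored). All DN values are constructed samples.

```python
"""Classify a 'certificate names do not match' warning: decide whether the
subject DN on the Identity Server certificate and the DN the Access Gateway
expects differ only in element order or are genuinely different."""
import re


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 style DN into (type, value) pairs.

    Commas escaped as '\\,' inside a value (e.g. "O=Novell\\, Inc.") are kept
    as part of that value rather than treated as separators.
    """
    parts = re.split(r'(?<!\\),', dn)
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        attr_type, _, value = part.partition('=')
        # Attribute types are case-insensitive; padding spaces are not
        # significant; unescape the comma so both spellings compare equal.
        rdns.append((attr_type.strip().lower(),
                     value.strip().replace('\\,', ',')))
    return rdns


def classify_dn_mismatch(cert_dn: str, expected_dn: str) -> str:
    """Return 'match', 'order-only', 'permuted' or 'different'.

    'order-only' is the reversed-DN case the documentation says is safe to
    ignore; 'different' means at least one element really differs.
    """
    a, b = parse_dn(cert_dn), parse_dn(expected_dn)
    if a == b:
        return "match"
    if a == list(reversed(b)):
        return "order-only"   # same elements, written back to front
    if sorted(a) == sorted(b):
        return "permuted"     # same elements, some other order
    return "different"        # a real mismatch: investigate the certificate


if __name__ == "__main__":
    # Constructed sample: CA wrote the DN cn-first, gateway expects c-first.
    print(classify_dn_mismatch(
        "CN=idpa.test.novell.com,OU=IDP,O=Novell,C=US",
        "C=US,O=Novell,OU=IDP,CN=idpa.test.novell.com"))
```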

To test the SSL connection between the browser and Identity Server:

  1. Enter the Base URL of Identity Server in a browser.

    https://idpa.test.novell.com:8443/nidp

  2. If the URL returns a login page, log in using the credentials of a user in the LDAP server.

    The user portal appears.

    If the URL returns an error rather than displaying a login page, verify the following:

    • The browser trusts the CA that created the certificate.

    • The browser can resolve the DNS name of Identity Server.

    • The browser can access port 8443.

  3. Verify that the trusted relationship between Identity Server and Access Gateway has been reestablished.

    1. Enter the URL to a protected resource on Access Gateway.

    2. Complete one of the following: