Replace self-signed certificate with certificate reply from Certificate Authority (CA)

  1. Create a Certificate Signing Request (CSR) for the session server and send it to the CA of your choice. When the CA returns the signed certificate, continue with the next step.

  2. Import the CA-signed certificate/chain into the session server’s keystore.

    You can accomplish this task using either KeyStore Explorer or the Java keytool command line. Whichever tool you use, if the CA reply contains separate root and intermediate certificate files, import the root certificate into the keystore first, followed by the intermediate certificate, and only then import the CA reply into the servlet-engine key pair.

    KeyStore Explorer

    1. Open keystore.bcfks in KeyStore Explorer. Use the password changeit.

    2. If separate root and intermediate certificate files are available, select Import Trusted Certificate from the tool bar and import the root certificate first, then the intermediate certificate.

    3. Select the servlet-engine key pair. Right-click and select Import CA Reply to import the file into the key pair.

    4. If prompted, enter the password, changeit.

    5. Browse to the location where the CA Reply file is stored, select the file, and click Import.

    Java Keytool

    These examples run the keytool command from the sessionserver\etc directory (sessionserver/etc on UNIX). The keystore is in BCFKS format, so every command must name the Bouncy Castle FIPS provider with the -providername, -providerpath, and -providerclass options.

    Windows

    Import Root CA and intermediate certificates

    ..\..\java\bin\keytool.exe -importcert -alias rootca -trustcacerts -file <RootCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

    ..\..\java\bin\keytool.exe -importcert -alias intermediateca -trustcacerts -file <IntermediateCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

    Import CA Reply

    ..\..\java\bin\keytool.exe -importcert -alias servlet-engine -trustcacerts -file <CertChainFromCA.p7b> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

    UNIX

    Import Root CA and intermediate certificates

    ../../java/bin/keytool -importcert -alias rootca -trustcacerts -file <RootCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

    ../../java/bin/keytool -importcert -alias intermediateca -trustcacerts -file <IntermediateCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

    Import CA Reply

    ../../java/bin/keytool -importcert -alias servlet-engine -trustcacerts -file <CertChainFromCA.p7b> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
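    A check worth running before moving on to MSS: confirm that the CA reply actually replaced the self-signed certificate on the servlet-engine entry. The script below is an added example, not part of the product documentation. It parses the output of keytool -list -v for the alias and reports whether the entry now holds a CA-issued chain (two or more certificates, leaf Issuer different from leaf Owner) or still the original self-signed certificate (chain length 1, Owner equal to Issuer). The listing it inspects at the bottom is a constructed sample so the script runs offline; list_servlet_engine shows the real invocation with the same provider flags as the UNIX commands above, and assumes the sessionserver/etc working directory.

```shell
#!/bin/sh
# Added verification example; not from the product documentation.
# After importing the CA reply, the servlet-engine entry must carry a chain
# of at least two certificates whose leaf was issued by the CA, not by itself.

# Real listing with the same flags as the import commands (assumes the
# sessionserver/etc working directory). Not called in the offline demo below.
list_servlet_engine() {
  ../../java/bin/keytool -list -v -alias servlet-engine \
    -keystore keystore.bcfks -storetype bcfks -storepass changeit \
    -providername BCFIPS -providerpath ../lib/bc-fips-*.jar \
    -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
}

# Reads `keytool -list -v` output on stdin and prints one of:
#   ok <n>        chain of n >= 2 certificates, leaf Issuer differs from Owner
#   self-signed   leaf Owner equals leaf Issuer (CA reply was not applied)
#   short-chain   a chain is present but holds only one certificate
#   no-chain      no "Certificate chain length" line (not a PrivateKeyEntry)
# Exit status is 0 only for "ok", so it can gate a deployment script.
check_chain() {
  awk '
    /^Certificate chain length:/ { len = $4 }
    /^Owner:/  && owner == ""  { sub(/^Owner:[ \t]*/, "");  owner  = $0 }
    /^Issuer:/ && issuer == "" { sub(/^Issuer:[ \t]*/, ""); issuer = $0 }
    END {
      if (len == "")       { print "no-chain";    exit 1 }
      if (owner == issuer) { print "self-signed"; exit 1 }
      if (len + 0 < 2)     { print "short-chain"; exit 1 }
      print "ok " len
    }'
}

# Constructed sample: what keytool prints for the factory self-signed entry.
SELF_SIGNED_SAMPLE='Alias name: servlet-engine
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sessionserver.example.test, O=Example
Issuer: CN=sessionserver.example.test, O=Example'

# Constructed sample: the same entry after the CA reply (leaf, intermediate, root).
CA_SIGNED_SAMPLE='Alias name: servlet-engine
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=sessionserver.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Certificate[3]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example'

printf '%s\n' "$SELF_SIGNED_SAMPLE" | check_chain   # self-signed
printf '%s\n' "$CA_SIGNED_SAMPLE"   | check_chain   # ok 3
```

    On a live system, replace the sample input with `list_servlet_engine | check_chain`; a result other than "ok" means the key pair still presents the self-signed certificate and the CA reply import (or its root/intermediate prerequisites) needs to be repeated before trusting the certificate in MSS.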

  3. Trust the new certificate in MSS.

    • As the administrator, log into MSS.

    • From the left panel, click Configure Settings > Trusted Certificates.

    • Select Trusted Sub-System. The list contains the certificates that are trusted by MSS.

    • Click IMPORT to add the session server certificate to the list.

    • There is no need to repeat the procedure for each MSS. Changes are automatically replicated to other MSS in the cluster.

    Detailed help is available in the Administrative Console help, under Trusted Certificates.