Replace Self-signed Certificate with Certificate Reply from Certificate Authority
- Create a Certificate Signing Request (CSR) for the session server and send it to the certificate authority (CA) of your choice. When you receive the signed certificate from the CA, continue with the next steps.
- Import the CA-signed certificate or certificate chain into the session server's keystore.
You can accomplish this task using either KeyStore Explorer or the Java Keytool command line. Whichever tool you use, if the CA reply contains separate root and intermediate certificate files, import the root certificate into the keystore first, followed by the intermediate certificate.
Using KeyStore Explorer
- Open keystore.bcfks in KeyStore Explorer. Use the password changeit.
- If separate root and intermediate certificate files are available, from the tool bar, select Import Trusted Certificate to import those certificates.
- Select the servlet-engine key pair. Right-click and select Import CA Reply to import the file into the key pair.
- If prompted, enter the password, changeit.
- Browse to the location where the CA Reply file is stored, select the file, and click Import.
Using Java Keytool
These examples run the keytool command from the sessionserver\etc directory.
For Windows:
Import Root CA and intermediate certificates:
  ..\..\java\bin\keytool.exe -importcert -alias rootca -trustcacerts -file <RootCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  ..\..\java\bin\keytool.exe -importcert -alias intermediateca -trustcacerts -file <IntermediateCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Import CA Reply:
  ..\..\java\bin\keytool.exe -importcert -alias servlet-engine -trustcacerts -file <CertChainFromCA.p7b> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
For Unix:
Import Root CA and intermediate certificates:
  ../../java/bin/keytool -importcert -alias rootca -trustcacerts -file <RootCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  ../../java/bin/keytool -importcert -alias intermediateca -trustcacerts -file <IntermediateCA.cer> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Import CA Reply:
  ../../java/bin/keytool -importcert -alias servlet-engine -trustcacerts -file <CertChainFromCA.p7b> -keystore keystore.bcfks -storetype bcfks -storepass changeit -providername BCFIPS -providerpath ../lib/bc-fips-*.jar -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
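For the separate-file case (root and intermediate certificates delivered individually), the following Python script is an added example that is not part of this documentation: it reads the issuer and subject of each DER certificate with a minimal standard-library parser and returns the order in which the aliases above (rootca, intermediateca, servlet-engine) should be imported, refusing an incomplete chain. The sample certificates are constructed stand-ins; a real .cer file is read with open(path, "rb").read().

```python
# Added example, not from the product documentation: decide the keytool import
# order when the CA reply arrives as separate files (self-signed root, then
# intermediates, then the servlet-engine leaf). Stdlib only; sample certs are
# constructed stand-ins carrying only the issuer and subject this code reads.
def _tlv(buf, pos=0):  # (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(der):  # (tag, raw TLV bytes) of each member of a DER SEQUENCE
    _, pos, end = _tlv(der)
    out = []
    while pos < end:
        tag, _, ve = _tlv(der, pos)
        out.append((tag, der[pos:ve]))
        pos = ve
    return out

def names(cert_der):
    """(issuer, subject) as raw DER Name encodings of an X.509 certificate."""
    fields = _children(_children(cert_der)[0][1])       # tbsCertificate members
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]   # serial, sigalg, issuer, validity, subject

def import_order(certs):
    """certs: {alias: der}. Aliases in -importcert order; raises if a cert's
    issuer is neither itself nor another certificate in the set."""
    by_subject = {names(d)[1]: a for a, d in certs.items()}
    ordered, pending = [], dict(certs)
    while pending:
        ready = [a for a, d in pending.items()
                 if names(d)[0] == names(d)[1] or by_subject.get(names(d)[0]) in ordered]
        if not ready:
            raise ValueError("incomplete chain, no issuer for: " + ", ".join(sorted(pending)))
        ordered += ready
        pending = {a: d for a, d in pending.items() if a not in ready}
    return ordered

_der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form length suffices

def sample_cert(subject_cn, issuer_cn):
    """Constructed test certificate carrying only the fields names() reads."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A .p7b reply, as in the Import CA Reply command, already carries the chain and does not need this ordering step.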
- Trust the new certificate in MSS.
  - As the administrator, log into MSS.
  - From the left panel, click Configure Settings > Trusted Certificates.
  - Select Trusted Sub-System. The list contains the certificates that are trusted by MSS.
  - Click IMPORT to add the session server certificate to the list.
There is no need to repeat the procedure for each MSS. Changes are automatically replicated to the other MSS servers in the cluster.
Detailed help is available in the Administrative Console help under Trusted Certificates.