Use the Digital Certificates page to add and activate certificates for the appliance. You can use it to create your own certificate and then have it signed by a CA, or you can use an existing certificate and key pair if you have one that you want to use.
The appliance ships with a self-signed certificate with the default name of self-signed_cert. Instead of using this self-signed certificate, NetIQ recommends that you use a trusted server certificate that is signed by a trusted certificate authority (CA), such as VeriSign or Equifax.
Refer to the following sections to change the appliance certificate:
Most browsers require a Subject Alternate Name in the certificate or they return security errors. To avoid these errors when you create a certificate for Secure API Manager it must contain the following items:
RSA key size and algorithm to be at least 2k and SHA256
Subject Alternate Name must be the domain name of the appliance
Key usage as server TLS
In production environments, NetIQ recommends that you get your certificate signed by an official certificate authority such as Verisign.
There are many different ways to generate a private key and a certificate signing request (CSR) to send to the CA to create and sign the certificate. The Secure API Manager appliance administration console does not allow you to add the Subject Alternate Name. If you use OpenSSL 1.1.0+ you do not have to modify the SSL configuration file when you generate the private key and create the CSR for your appliance that contains the Subject Alternate Name.
To create a certificate with the proper information:
Generate a private key for the appliance running Secure API Manager.
Use the private key to create the CSR ensuring that it includes the Subject Alternate Name as your domain name and the other required information.
Send the CSR to a CA to generate a signed certificate.
Build a pkcs12 format file (.p12) that contains the key pair certificate.
openssl pkcs12 -export -inkey myserver.key -in myserver.crt -out myserver.p12 -name myserver_cert -passin pass:changeit -passout pass:changeit 2>/dev/null
Upload the .p12 file to your Secure API Manager appliance.
Log in to the appliance management console at the vaadmin user.
https://ip-address-or-dns-name-appliance:9443
Click Digital Certificates.
Click File > Import > Trusted Certificate> Web Application Certificate.
Click File > Import > Keypair, then browse to the trusted certificate chain that you received from the CA, then click OK.
Select the self-signed certificate, then click File > Certification Request > Import CA Reply.
Browse to and upload the official certificate to update the certificate information.
On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that signed your certificate.
Active the certificate. For more information, see Activating the Certificate.
Restart Secure API Manager for all components to see the new certificate. For more information, see Restarting Secure API Manager.
You can create a self-signed certificate to enable the appliance for SSL communication or for production environments NetIQ recommends that you get your certificate signed by an official certificate authority such as Verisign.
By default, the appliance contains a self-signed certificate that contains the correct information and the Subject Alternate Name as the domain name of the appliance. If you changed the DNS name after deploying the appliance, the certificates no longer work. The appliance management console does not allow you to add the Subject Alternate Name when you manually create a self-signed certificate.
By default, the self-signed certificate alias is self-signed_cert. You can use this alias or any other alias that you choose.
If you have to create a new self-signed certificate with the correct Subject Alternate Name, use OpenSSL 1.1.0+ to generate the new key pair certificate and then upload the new certificate to the appliance. If you use OpenSSL, you do not have to edit the SSL configuration file.
On the appliance where you need to create a new certificate, ensure that you have enabled SSH for root. For more information, see Setting Administrative Passwords.
SSH to the appliance as root.
Access the directory where you store the certificates.
Enter the following command to generate the self-signed certificate with the proper extension:
openssl req -x509 -days 730 -subj "/CN=dns.name.com" -newkey rsa:2048 -sha256 -reqexts v3_req -extensions v3_req -config <(cat /etc/ssl/openssl.cnf <(printf '[v3_req]\nsubjectAltName=DNS:%s' "dns.name.com")) -keyout myserver.key -out myserver.crt -passout pass:changeit 2>/dev/null
(Condiational) If you are using OpenSSL 1.1.1+, you can use the following shortened command to build a pkcs12 format file (.p12) by entering the following ensuring that the name of the alias is self-signed_cert:
openssl pkcs12 -export -inkey myserver.key -in myserver.crt -out myserver.p12 -name self-signed_cert -passin pass:changeit -passout pass:changeit 2>/dev/null
Add this certificate following the existing certificate steps. For more information, see Using an Existing Certificate and Key Pair.
Instead of using a self-signed certificate, you can get your certificate signed by a trusted certificate authority such as Verisign.
On the Digital Certificates page, select the certificate that you just created, then click File > Certificate Requests > Generate CSR.
Select the keystore as a Web Application Certificate.
Click File > Import > Trusted Certificate> Web Application Certificate.
Click File > Import > Keypair, then browse to the trusted certificate chain that you received from the CA, then click OK.
Complete the process of emailing your certificate to a certificate authority (CA), such as Verisign.
The CA takes your Certificate Signing Request (CSR) and generates an official certificate based on the information in the CSR. The CA then emails the new certificate and certificate chain back to you.
After you have received the official certificate and certificate chain from the CA:
Revisit the Digital Certificates page.
Click File > Import > Trusted Certificate. Browse to the trusted certificate chain that you received from the CA, then click OK.
Select the self-signed certificate, then click File > Certification Request > Import CA Reply.
Browse to and upload the official certificate to be used to update the certificate information.
On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.
Activate the certificate. For more information, see Activating the Certificate.
When you use an existing certificate and key pair, use a .P12 key pair format.
Log in to the appliance management console as the vaadmin user.
https://ip-address-or-dns-name-appliance:9443
Click Digital Certificates.
In the Key Store drop-down menu, select Web Application Certificates.
Click File > Import > Trusted Certificate. Browse to and select your existing certificate, then click OK.
Click File > Import > Trusted Certificate. Browse to and select your existing certificate chain for the certificate that you selected in Step 4, then click OK.
In the Key Store drop-down menu, select Web Application Certificates.
Click File > Import > Key Pair. Browse to and select your .P12 key pair file, specify your password if needed, then click OK.
Continue with Activating the Certificate.
On the Digital Certificates page, in the Key Store drop-down menu, select Web Application Certificates.
Select the certificate that you want to make active, click Set as Active, then click Yes.
Verify that the certificate and the certificate chain were created correctly by selecting the certificate and clicking View Info.
When you have successfully activated the certificate, click Close to exit the page.
Restart Secure API Manager for all components to see the new certificate. For more information, see Restarting Secure API Manager.