11.0 Creating Certificates

Access Manager comes with certificates for testing purposes. The test certificates are called test-signing, test-encryption, test-provider, test-consumer, and test-connector. At a minimum, you must create two SSL certificates: one for the Identity Server test-connector and one for the Access Gateway reverse proxy. You then replace the predefined certificates with the new ones.

The certificate authority (CA) is installed with the first instance of eDirectory. If you install a secondary Administration Console, the secondary consoles have eDirectory replicas and therefore no CA software. All certificate management must be done from the primary Administration Console. Certificate management commands issued from a secondary Administration Console can work only if the primary console is also running properly. Other commands can work independently of the primary console.

NOTE: It is recommended to recreate the certificates after upgrading Access Manager to 4.2. Certificates created in Access Manager 4.1 or earlier versions use SHA-1 ciphers by default. In Access Manager 4.2 onward, certificates are created using SHA-2 ciphers by default.

IMPORTANT: Before generating any certificates with the Administration Console CA, ensure that time is synchronized within one minute among all of your Access Manager devices. If the time of the Administration Console is ahead of the device for which you are creating the certificate, the device rejects the certificate.
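The two notes above can be checked on an exported certificate. The following Python code is an added example, not part of the product or its documentation: it reads the signature algorithm and notBefore fields from a PEM or DER certificate and reports SHA-1 signatures and start dates that lie ahead of a device's clock. It assumes the rejection described above is caused by a notBefore later than the device's time; `audit_cert`, `sample_cert` and the finding strings are hypothetical names.

```python
import base64
from datetime import datetime, timezone

# DER-encoded OIDs of SHA-1 signatures: sha1WithRSAEncryption, ecdsa-with-SHA1.
SHA1_SIG_OIDS = {bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a8648ce3d0401")}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):
    """Decode UTCTime (0x17; RFC 5280 reads years 50-99 as 19xx) or GeneralizedTime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    dt = datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return dt.replace(year=dt.year - 100) if tag == 0x17 and dt.year >= 2050 else dt

def audit_cert(data, device_now):
    """Return findings for one PEM or DER certificate, judged by a device's clock."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        data = base64.b64decode(body)
    _, tbs, _ = read_tlv(read_tlv(data, 0)[1], 0)   # Certificate -> tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)          # [0] version, or serialNumber in a v1 cert
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)      # skip serialNumber
    _, sig_alg, pos = read_tlv(tbs, pos)    # signature AlgorithmIdentifier
    _, oid, _ = read_tlv(sig_alg, 0)
    _, _, pos = read_tlv(tbs, pos)          # skip issuer Name
    _, validity, _ = read_tlv(tbs, pos)     # SEQUENCE { notBefore, notAfter }
    not_before = parse_time(*read_tlv(validity, 0)[:2])
    findings = []
    if oid in SHA1_SIG_OIDS:
        findings.append("sha1-signature: recreate with the SHA-2 default")
    if not_before > device_now:             # assumed cause of the device's rejection
        findings.append(f"not valid until {not_before.isoformat()} by the device clock")
    return findings

def sample_cert(sig_oid, not_before):
    """Constructed skeleton (no subject, key or signature bytes), for demonstration."""
    tlv = lambda tag, content: bytes([tag, len(content)]) + content
    t = tlv(0x17, not_before.strftime("%y%m%d%H%M%SZ").encode())
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")    # version v3, serial 1
    tbs += tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))       # signature algorithm
    tbs += tlv(0x30, b"") + tlv(0x30, t + t)                    # empty issuer, validity
    return tlv(0x30, tlv(0x30, tbs))
```

Pass `audit_cert` the bytes of an exported certificate and the current UTC time of the device that will receive it; an empty list means neither condition was found.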

  1. In the Administration Console, click Security > Certificates.

  2. Select from the following actions:

    New: To create a new certificate, click New. For information about the fields you need to fill in, see Creating a Locally Signed Certificate and Generating a Certificate Signing Request.

    Delete: To delete a certificate, select the certificate, then click Delete. If the certificate is assigned to a keystore, a warning message appears. You must remove a certificate from all keystores before it can be deleted.

    Import Private/Public Keypair: To import a key pair, click Actions > Import Private/Public Keypair. For more information, see Importing a Private/Public Key Pair.

    Add Certificate to Keystores: To add a certificate to a keystore, click Actions > Add Certificate to Keystore. For more information, see Adding a Certificate to a Keystore.

    View Certificate Details: To view certificate details, renew a certificate, or export keys, click the name of the certificate. For more information, see Viewing Certificate Details.