2.3 Managing Digital Certificates

You can add and activate certificates for the appliance in the Digital Certificates tab. You can create your own certificate and then have it signed by a CA, or you can use an existing certificate and key pair.

IMPORTANT:In this section, you can only manage certificates for the Advanced Authentication appliance (port 9443). To change the certificates for the Advanced Authentication application (port 443), goto the Server Options tab in the Administration portal.

The appliance is shipped with a self-signed digital certificate. Instead of using this self-signed certificate, it is recommended that you use a trusted server certificate that is signed by a trusted certificate authority (CA) such as VeriSign or Equifax.

Use this tool to manage the appliance’s certificates and maintain its certificate store.

Table 2-2 Using the Digital Certificates Page

Option

Description

Certificates in the Selected Key Store

Key Store

Use this drop-down list to filter whether JVM or Web Application Certificates are listed.

File

This drop-down list lets you create a new key pair, import a trusted certificate or key pair, export a certificate you have selected in the list, or generate a Certificate Signing Request for a web application that you have selected.

Edit

This exposes the option to delete a certificate that you have selected.

View Info

This lets you view the information for a selected certificate.

Reload

This lets you reload a selected certificate.

About Appliance Certificates

  • Self-signed Certificate: The Micro Focus Appliance ships with a self-signed digital certificate.

    If needed, you can generate appliance certificates and Certificate Sigining Requests for certificate authorities (CA) such as VeriSign or Equifax.

    However, the self-signed certificate included with the appliance should be sufficient for the vast majority of deployments because security practices generally dictate that appliances be deployed inside an organization’s.

  • Java Certificates: All certificates for the IBM Java package bundled with the underlying SLES OS are installed with the appliance.

Updating a Service That the Appliance Supports

Unless instructed otherwise in the service documentation, you do not need to update certificates when you update a service that the appliance supports.

Managing Certificates

Creating a New Self-Signed Certificate

  1. In the Port 9443 Console Digital Certificates > Key Store drop-down list, ensure that Web Application Certificates is selected.

  2. Click File > New Certificate (Key Pair), then specify the following information:

    Alias: Specify a name that you want to use to identify and manage this certificate.

    Validity (days): Specify how long you want the certificate to remain valid.

    Key Algorithm: Select either RSA or DSA.

    Key Size: Select the desired key size.

    Signature Algorithm: Select the desired signature algorithm.

    Common Name (CN): This must match the server name in the URL in order for browsers to accept the certificate for SSL communication.

    Organizational Unit (OU): (Optional) Small organization name, such as a department or division. For example, Purchasing.

    Organization (O): (Optional) Large organization name. For example, Micro Focus

    City or Lacality (L): (Optional) City name. For example, Provo.

    State or Province (ST): (Optional) State or province name. For example, Utah.

    Two-letter Country Code (C): (Optional) Two-letter country code. For example, US.

  3. Click OK to create the self-signed certificate.

Getting a Certificate Signed by a Certificate Authority

  1. After selecting the self-signed certificate, click File > Certificate Requests > Generate CSR.

  2. Send the certificate to a certificate authority (CA), such as Verisign, using whatever process they have defined.

    Usually, the CA takes your Certificate Signing Request (CSR) and generates an official certificate based on the information in the CSR. The CA then mails the new certificate and certificate chain back to you.

  3. After you have received the certificate and certificate chain from the CA:

    1. Revisit the Digital Certificates page by clicking Digital Certificates from the appliance.

    2. Click File > Import > Trusted Certificate. Browse to the trusted certificate chain that you received from the CA, then click OK.

    3. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.

    4. Browse to and upload the official certificate to be used to update the certificate information.

      On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.

  4. Activate the certificate, as described in Activating a Certificate.

Using an Existing Certificate and Key Pair

When you use an existing certificate and key pair, use a .P12 key pair format.

  1. Click the Digital Certificates icon.

  2. Click File > Import > Trusted Certificate. Browse to and select your existing certificate, then click OK.

  3. Click File > Import > Trusted Certificate. Browse to your existing certificate chain for the certificate that you selected in Step 2, then click OK.

  4. Click File > Import > Key Pair, then browse to and select your P12 key pair file, specify your password if needed, then click OK.

    Because of a browser compatibility issue with HTML 5, the path to the certificate is sometimes shown as c:\fakepath. This does not adversely affect the import process.

  5. Continue with Activating a Certificate.

Activating a Certificate

  1. On the Digital Certificates page, select the certificate that you want to make active, click Set as Active, then click Yes.

  2. Verify that the certificate and the certificate chain were created correctly by selecting the certificate and clicking View Info.

Exporting a Certificate

You can export the built-in self signed certificate and upload the same to the Administration portal through HTTPS Options policy.

  1. On the Digital Certificates page, select Web Application Certificates from Key Store.

  2. Select the self-signed certificate and click File > Export > Key Pair.

  3. Specify the password to export the certificate and click OK.

    The certificate exports in .p12 format.

NOTE:You can convert the certificate to .pem format using the following OpenSSL command:

openssl pkcs12 -in path.p12 -out newfile.pem

Before uploading the .pem file to Administration portal ensure the file contains the text -----BEGIN PRIVATE KEY-----. If the private key is encrypted -----BEGIN ENCRYPTED PRIVATE KEY-----, then run the following command to decrypt the key:

openssl pkey -in newfile.pem -out foo.key