52.3 Enabling SSL with an External CA Signed Certificate

For a production environment, use a signed certificate issued by a valid Certificate Authority. This section explains how to import a signed certificate into the default Tomcat application server for the identity applications.

This procedure assumes that you have a signed certificate from a valid Certificate Authority. For more information, see Creating a Keystore and Certificate Signing Request.

To use a signed certificate and SSL:

  1. Copy the certificate to the configuration directory of your application server. For example, /opt/netiq/idm/apps/tomcat/conf.

  2. To convert the root certificate to DER format, complete the following steps:

    1. Double-click on your certificate stored in the conf directory.

    2. In the Certificate dialog, click Certificate Path.

    3. Select the root certificate that you received from the signing authority.

    4. Click View Certificate.

    5. Click Details > Copy to File.

    6. In the Export Certificate Wizard, click Next.

    7. Select DER encoded binary X.509 (.CER) and then click Next.

    8. Create a new file to store the newly formatted certificate and store it in the conf directory for your application server.

      For example, /opt/netiq/idm/apps/tomcat/conf.

    9. Click Finish.

  3. To import the converted certificate, complete the following steps:

    1. In a command prompt, navigate to the conf directory for your application server.

    2. Enter the following command:

      keytool -import -trustcacerts -alias root -keystore your.keystore -file yourRootCA.der

      For example:

      keytool -import -trustcacerts -alias root -keystore IDMkey.keystore -file IDMTESTREE.der

      NOTE: You must specify root as the alias.

      After importing the certificate, the server displays Certificate was added to keystore.

    3. Verify that the signed certificate was imported correctly into the keystore in the conf directory by using the following command:

      keytool -list -v -alias root -keystore your.keystore

      For example:

      keytool -list -v -alias root -keystore IDMkey.keystore

      The server lists your certificates.

  4. NetIQ recommends that you also import the signed certificate into the Java cacerts keystore. For example:

    keytool -import -trustcacerts -alias root -keystore /opt/netiq/idm/jre/lib/security/cacerts -file IDMTESTREE.der

  5. Update the SSL settings for the application server. For more information, see Updating the SSL Settings for the Application Server.

  6. Update the SSL settings in the Configuration utility. For more information, see Updating the SSL Settings in the Configuration Utility.

  7. Update the SSL settings for Self Service Password Reset. For more information, see Updating the SSL Settings for Self Service Password Reset.

  8. Restart Tomcat.
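The following script is an added example and is not part of the NetIQ documentation or product. It wraps steps 2 through 4 above (DER check, import under the alias root, verification, and the optional import into the JRE cacerts) and adds two checks the procedure leaves to the reader: that the exported file really is DER encoded rather than Base64, and that the entry stored under alias root is a self-signed trusted certificate (Owner equals Issuer in the keytool -list -v output), which catches the common mistake of selecting the intermediate instead of the root in the Certificate Path view. It assumes keytool is on the PATH, that the keystore password is supplied in the STOREPASS variable, and that the JRE cacerts keystore still uses the stock JDK default password changeit unless CACERTS_PASS is set; the keystore and certificate file names are placeholders taken from the examples above.

```shell
#!/bin/sh
# Added example, not NetIQ's own script. Paths, file names, STOREPASS and
# CACERTS_PASS are placeholders/assumptions; adjust them for your installation.
set -u

CONF_DIR="${CONF_DIR:-/opt/netiq/idm/apps/tomcat/conf}"
KEYSTORE="${KEYSTORE:-$CONF_DIR/IDMkey.keystore}"
ROOT_CERT="${ROOT_CERT:-$CONF_DIR/yourRootCA.der}"
STOREPASS="${STOREPASS:-}"                    # password of the Tomcat keystore
CACERTS="${CACERTS:-/opt/netiq/idm/jre/lib/security/cacerts}"
CACERTS_PASS="${CACERTS_PASS:-changeit}"      # stock JDK default for cacerts

# Print "der", "pem" or "unknown" for a certificate file. A DER certificate always
# begins with the ASN.1 SEQUENCE tag 0x30; a PEM file begins with a BEGIN line.
cert_encoding() {
  first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  if [ "$first" = "30" ]; then
    echo der
  elif head -n 1 "$1" | grep -q 'BEGIN CERTIFICATE'; then
    echo pem
  else
    echo unknown
  fi
}

# Given a file holding the output of "keytool -list -v -alias root", succeed only
# if the entry is a trusted certificate whose Owner and Issuer are identical,
# i.e. a self-signed root rather than an intermediate or a private key entry.
listing_is_trusted_root() {
  owner=$(sed -n 's/^Owner: *//p' "$1" | head -n 1)
  issuer=$(sed -n 's/^Issuer: *//p' "$1" | head -n 1)
  grep -q 'Entry type: trustedCertEntry' "$1" || return 1
  [ -n "$owner" ] && [ "$owner" = "$issuer" ]
}

# Step 3.2: import the DER root under the mandatory alias "root". Refuses to run
# if the alias already exists, so an old CA is replaced deliberately
# (keytool -delete) instead of being silently kept.
import_root() {
  keystore=$1; pass=$2
  if keytool -list -alias root -keystore "$keystore" -storepass "$pass" >/dev/null 2>&1; then
    echo "alias root already exists in $keystore; delete it first" >&2
    return 1
  fi
  keytool -import -trustcacerts -noprompt -alias root \
    -keystore "$keystore" -storepass "$pass" -file "$ROOT_CERT"
}

# Step 3.3: list the alias and apply the self-signed root check to the listing.
verify_root() {
  keystore=$1; pass=$2
  listing=$(mktemp)
  if ! keytool -list -v -alias root -keystore "$keystore" -storepass "$pass" >"$listing" 2>&1; then
    cat "$listing" >&2; rm -f "$listing"; return 1
  fi
  if listing_is_trusted_root "$listing"; then rc=0; else
    echo "alias root in $keystore is not a self-signed trusted certificate" >&2; rc=1
  fi
  rm -f "$listing"
  return $rc
}

main() {
  enc=$(cert_encoding "$ROOT_CERT")
  if [ "$enc" != "der" ]; then
    echo "$ROOT_CERT is $enc, not DER; re-export it as DER encoded binary X.509" >&2
    return 1
  fi
  import_root "$KEYSTORE" "$STOREPASS" && verify_root "$KEYSTORE" "$STOREPASS" || return 1
  # Step 4: the same root into the JRE's cacerts keystore.
  import_root "$CACERTS" "$CACERTS_PASS" && verify_root "$CACERTS" "$CACERTS_PASS"
}

# Run as: STOREPASS=... sh import-root.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Running the script with the argument run performs the import; without it, the file can be sourced so that cert_encoding and listing_is_trusted_root can be applied to an existing file or saved listing on their own.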