42.4 Enabling SSL with a Self-signed Certificate

In a test environment you can use a self-signed certificate, since this type of certificate is easier to obtain than a certificate signed by a valid certificate authority. The following procedures export the Certificate Authority from eDirectory and then generate and import the self-signed certificate.

42.4.1 Exporting the Certificate Authority

You can use iManager to export the Certificate Authority (CA) from your eDirectory server to generate your self-signed certificate.

  1. Log in to iManager with the eDirectory administrator’s username and password.

  2. Click Administration > Modify Object.

  3. In the Security container, browse to the CA object called TreeName CA.Security. For example, IDMTESTTREE CA.Security.

  4. Click OK.

  5. Click Certificates > Self-Signed Certificate.

  6. Select the self-signed certificate that you want to use.

    Example: Self Signed Certificate RSA

    1. Check Self Signed Certificate RSA.

    2. Click Validate.

  7. Click Export.

  8. Clear Export private key.

  9. Click Export format > DER.

  10. Click Next.

  11. Click Save the exported certificate.

  12. Click Save File.

    iManager saves the file as TreeName cert.der. For example, IDMTESTTREE cert.der.

  13. Click Close.

  14. Copy the certificate to the configuration directory of your application server (cert.der).

    For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.

  15. To import the root certificate, complete the following steps:

    1. In a command prompt, navigate to the conf directory for your application server, then import the certificate by using the following command:

      keytool -import -trustcacerts -alias root -keystore <keystore file>.keystore -file exported_certificate_filename.der

      Example:

      keytool -import -trustcacerts -alias root -keystore tomcat.ks -file cert.der

      NOTE: You must specify root as your alias.

      After importing the certificate, the server displays Certificate was added to keystore.

    2. NetIQ also recommends that you import the root certificate into the Java cacerts keystore.

      For example:

      keytool -import -trustcacerts -alias root -keystore /opt/netiq/common/jre/lib/security/cacerts -file cert.der

      or

      keytool -import -trustcacerts -alias root -keystore C:\NetIQ\idm\jre\lib\security\cacerts -file cert.der

    3. Verify that the certificate was imported correctly into the keystore in the conf directory by using the following command:

      keytool -list -v -alias root -keystore keystore_name

      For example,

      keytool -list -v -alias root -keystore tomcat.ks

      The server lists the certificates.

42.4.2 Generating the Self-signed Certificate

Before generating the self-signed certificate, ensure that you have a keystore and a certificate request file. For more information, see Creating a Keystore and Certificate Signing Request.

  1. Log in to iManager.

  2. Navigate to Certificate Server > Issue Certificate.

  3. Browse to the .csr file created in Step 7 of Creating a Keystore and Certificate Signing Request.

    Example: IDMcertrequest.csr

  4. Click Next twice.

  5. For the certificate type, click Unspecified.

  6. Click Next twice.

    iManager saves the file as csr_request_name.der. Example: IDMcertrequest.der

  7. Copy the certificate to the configuration directory of your application server (IDMcertrequest.der).

    For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.

  8. To import the generated self-signed certificate, complete the following steps:

    1. In a command prompt, navigate to the conf directory for your application server, then import the certificate by using the following command:

      keytool -import -alias alias_name -keystore <keystore_file> -file <signed_certificate_filename>.der

      For example,

      keytool -import -alias IDMkey -keystore tomcat.ks -file IDMcertrequest.der

      NOTE: You must specify the same alias that you used when you created the keystore (for example, IDMkey).

      After importing the certificate, the server displays Certificate was added to keystore.

    2. NetIQ recommends that you also import the self-signed certificate to the Java cacerts location.

      For example:

      keytool -import -alias IDMkey -keystore /opt/netiq/common/jre/lib/security/cacerts -file IDMcertrequest.der

      or

      keytool -import -alias IDMkey -keystore C:\NetIQ\idm\jre\lib\security\cacerts -file IDMcertrequest.der

    3. Verify that the signed certificate was imported correctly into the keystore in the conf directory by using the following command:

      keytool -list -v -alias alias_name -keystore keystore_name

      For example,

      keytool -list -v -alias IDMkey -keystore tomcat.ks

      The server lists the certificates.

  9. Update the SSL settings for the Application server. For more information, see Updating the SSL Settings for the Application Server.

  10. Update the SSL settings in the Configuration utility. For more information, see Updating the SSL Settings in the Configuration Utility.

  11. Update the SSL settings for Self Service Password Reset. For more information, see Updating the SSL Settings for Self Service Password Reset.

  12. Restart Tomcat.
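Both import procedures above end with a keytool -list -v step whose only stated success criterion is that "the server lists the certificates". The following added example (it is not NetIQ's code and not part of this documentation) shows a stricter check a practitioner can run on that listing: it parses the verbose output, confirms that the expected alias exists with the expected entry type (trustedCertEntry for the root CA from 42.4.1, PrivateKeyEntry for the signed certificate from 42.4.2) and compares the SHA-256 fingerprint of the entry's first certificate with the DER file that was imported. This catches the mistake the NOTE in step 8 warns about: if the signed certificate is imported under an alias other than the key pair's, keytool stores it as a separate trusted certificate and the key entry keeps its original self-signed certificate. The listings and the DER byte strings below are constructed stand-ins, not real certificates; the parser assumes the JKS behaviour that keytool prints aliases in lower case.

```python
"""Verify `keytool -list -v` output after importing a certificate.

Added example, not NetIQ code: checks that an alias exists, has the
expected entry type, and that the entry's first certificate is the DER
file that was imported (compared by SHA-256 fingerprint).
"""
import hashlib
import re
from typing import Dict, Optional, Tuple


def der_sha256_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER bytes in keytool's colon-separated upper-case form."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keytool_list(output: str) -> Dict[str, dict]:
    """Parse `keytool -list -v` output into a dict keyed by lower-case alias.

    JKS aliases are case-insensitive and keytool prints them in lower case,
    so the procedure's 'IDMkey' appears as 'idmkey'. Each value records the
    entry type, the chain length and the SHA-256 fingerprint of the first
    certificate (for a PrivateKeyEntry that is the server certificate).
    """
    entries: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name:\s*(.+)$", line)
        if m:
            current = {"type": None, "chain_length": 1, "sha256": None}
            entries[m.group(1).strip().lower()] = current
            continue
        if current is None:
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m:
            current["type"] = m.group(1)
            continue
        m = re.match(r"Certificate chain length:\s*(\d+)", line)
        if m:
            current["chain_length"] = int(m.group(1))
            continue
        m = re.match(r"SHA256:\s*([0-9A-Fa-f:]+)", line)
        if m and current["sha256"] is None:  # first certificate of the entry only
            current["sha256"] = m.group(1).upper()
    return entries


def verify_import(output: str, alias: str, der_bytes: bytes,
                  expected_type: str) -> Tuple[bool, str]:
    """Return (ok, reason) for one imported certificate."""
    entry = parse_keytool_list(output).get(alias.lower())
    if entry is None:
        return False, f"alias {alias!r} not found in keystore"
    if entry["type"] != expected_type:
        return False, f"alias {alias!r} is {entry['type']}, expected {expected_type}"
    if entry["sha256"] != der_sha256_fingerprint(der_bytes):
        # For a PrivateKeyEntry this is what a wrong-alias import looks like:
        # the key pair still carries its original self-signed certificate.
        return False, f"alias {alias!r} holds a different certificate than the DER file"
    return True, "ok"


# Constructed stand-ins for the DER files: NOT real certificates, just bytes
# whose SHA-256 the constructed listings below refer to.
ROOT_DER = b"constructed: IDMTESTTREE root CA certificate (cert.der)"
SIGNED_DER = b"constructed: IDMcertrequest.der signed by the IDMTESTTREE CA"
STALE_SELF_SIGNED_DER = b"constructed: self-signed certificate of the key pair"

# Constructed listing shaped like `keytool -list -v -keystore tomcat.ks`
# after both imports succeeded.
GOOD_LISTING = f"""Keystore type: JKS
Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry
Owner: OU=Organizational CA, O=IDMTESTTREE
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: {der_sha256_fingerprint(ROOT_DER)}

Alias name: idmkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=idm.example.test, O=IDMTESTTREE
Certificate fingerprints:
     SHA256: {der_sha256_fingerprint(SIGNED_DER)}
Certificate[2]:
Owner: OU=Organizational CA, O=IDMTESTTREE
Certificate fingerprints:
     SHA256: {der_sha256_fingerprint(ROOT_DER)}
"""

# Constructed listing after importing IDMcertrequest.der under the wrong
# alias ("tomcat"): it became a separate trusted entry and idmkey is unchanged.
WRONG_ALIAS_LISTING = f"""Alias name: root
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: {der_sha256_fingerprint(ROOT_DER)}

Alias name: tomcat
Entry type: trustedCertEntry
Certificate fingerprints:
     SHA256: {der_sha256_fingerprint(SIGNED_DER)}

Alias name: idmkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Certificate fingerprints:
     SHA256: {der_sha256_fingerprint(STALE_SELF_SIGNED_DER)}
"""

if __name__ == "__main__":
    print(verify_import(GOOD_LISTING, "root", ROOT_DER, "trustedCertEntry"))
    print(verify_import(GOOD_LISTING, "IDMkey", SIGNED_DER, "PrivateKeyEntry"))
    print(verify_import(WRONG_ALIAS_LISTING, "IDMkey", SIGNED_DER, "PrivateKeyEntry"))
```

To use it against a real keystore, capture the output of the step 3 command (keytool -list -v -alias IDMkey -keystore tomcat.ks) into a string and read IDMcertrequest.der as bytes; a chain length of 1 on the key entry after step 8 is the other sign that the signed certificate did not land on the key pair.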