3.4 Importing Certificates to Create an HTTPS Connection to Browsers

Self Service Password Reset manages your users' credentials, so you must ensure that it communicates over secure channels to protect those credentials. When you run the Configuration Guide, Self Service Password Reset auto-generates certificates and private keys that it uses to create the HTTPS connections. These auto-generated certificates and private keys are not issued by a well-known or commercial certificate authority. This means that if you use these certificates, users see a warning message in their browser stating that the connection is not secure.

To stop the warning message from appearing, you must generate and import a commercial X.509 certificate. The X.509 certificate must contain the following information:

  • The X.509 public and private key pair.

  • The corresponding X.509 certificate.

  • All of the root certificates in the key chain. This includes the server certificate and keypair, plus the certificate authority (CA) certificate and any intermediate CA certificates.

Self Service Password Reset supports two file types. The file types are:

  • A PKCS12 file, also known as a PFX file. This is a common format for backing up and transferring an X.509 public key certificate and its matching private key, along with the root certificates.

  • A Java or Tomcat key file. This is commonly used by Java applications to store their X.509 public key certificates, private keys, and root certificates.

    NOTE: On previous Windows installations, customers would have created the key file via Tomcat and managed it directly.
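
The following added example (not part of the original documentation) builds a PKCS12 file and checks that it holds what the list above requires: a private key that matches the server certificate, plus CA certificates that chain up to a root. It assumes the OpenSSL command-line tool is installed; the throwaway root CA, the `sspr.example.com` subject, the `sspr` alias, the file names, and the passwords are constructed for the demo and stand in for what your commercial CA issues.

```sh
#!/bin/sh
# Added example: build a PKCS12 (PFX) bundle and check it before import.
# Subjects, alias, file names and passwords are constructed for this demo.
set -eu

# Stand-in for the commercial CA: a throwaway root CA that signs a server cert.
make_demo_chain() {   # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sspr.example.com" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null
}

# Bundle key + server certificate + CA chain into $1/sspr.pfx ($2 = password).
build_pfx() {
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
    -certfile "$1/ca.crt" -name sspr -passout "pass:$2" -out "$1/sspr.pfx"
}

# Exit codes: 0 ok, 1 unreadable or wrong password, 2 key does not match the
# certificate, 3 no CA certificates in the bundle, 4 chain does not reach a root.
check_pfx() {   # $1 = pfx file, $2 = password
  p=$1 pw=$2 t=$(mktemp -d)   # private temp dir; holds the extracted key briefly
  openssl pkcs12 -in "$p" -passin "pass:$pw" -nokeys -clcerts -out "$t/leaf.pem" 2>/dev/null &&
  openssl pkcs12 -in "$p" -passin "pass:$pw" -nokeys -cacerts -out "$t/chain.pem" 2>/dev/null &&
  openssl pkcs12 -in "$p" -passin "pass:$pw" -nocerts -nodes -out "$t/key.pem" 2>/dev/null ||
    { rm -rf "$t"; return 1; }
  rc=0
  # The public key inside the certificate must equal the one derived from the key.
  [ "$(openssl x509 -in "$t/leaf.pem" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null)" ] || rc=2
  [ $rc -ne 0 ] || grep -q 'BEGIN CERTIFICATE' "$t/chain.pem" || rc=3
  # Trust only the bundle's own CA certs: passes only if they complete the chain.
  [ $rc -ne 0 ] || openssl verify -CAfile "$t/chain.pem" "$t/leaf.pem" >/dev/null 2>&1 || rc=4
  rm -rf "$t"; return $rc
}

demo() {
  w=$(mktemp -d); make_demo_chain "$w"; build_pfx "$w" 'demo-pass'
  check_pfx "$w/sspr.pfx" 'demo-pass' && echo "sspr.pfx: key matches, chain complete"
  rm -rf "$w"
}
demo
```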

The following steps apply to the Windows installation and the appliance version of Self Service Password Reset.

To import a commercial X.509 certificate:

  1. You must generate the appropriate certificate for your environment.

  2. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  3. In the toolbar, click your name.

  4. Click Configuration Editor.

  5. Click Settings > HTTPS Server.

  6. Configure the following settings:

    HTTPS Private Key & Certificate

    Import the X.509 certificate that you generated.

    TLS Protocols

    Select one or more TLS protocols that the certificate supports. Changes to this setting require a server restart.

    TLS Cipher

    Specify the HTTPS TLS ciphers accepted by Self Service Password Reset. The value for this setting is an ordered, comma-separated list of cipher names provided by Java JSSE. Changes to this setting require a server restart.

  7. In the toolbar, click Save changes, then restart the server if required.

After you have imported the certificate, you can view the details of the certificate in the Configuration Manager. For more information, see Working with the Configuration Manager.