You can use a self-signed certificate in your test environment, because this type of certificate is easier to obtain than a certificate signed by a public certificate authority. Use this procedure for test environments only; do not rely on a self-signed test CA in production.
You can use iManager to export the self-signed certificate of the Certificate Authority (CA) on your eDirectory server, trust it in your application server's keystore, and then have that CA sign a certificate for your application server.
Log in to iManager with the eDirectory administrator’s username and password.
Click Administration > Modify Object.
In the Security container, browse to the CA object called TreeName CA.Security. For example, IDMTESTTREE CA.Security.
Click OK.
Click Certificates > Self-Signed Certificate.
Select the self-signed certificate that you want to use.
Example: Self Signed Certificate RSA
Check Self Signed Certificate RSA.
Click Validate.
Click Export.
Clear Export private key.
Click Export format > DER.
Click Next.
Click Save the exported certificate.
Click Save File.
iManager saves the file as TreeName cert.der. For example, IDMTESTTREE cert.der.
Click Close.
Copy the certificate (cert.der) to the configuration directory of your application server.
For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.
To import the root certificate, complete the following steps:
In a command prompt, navigate to the conf directory for your application server and run the following command:
keytool -import -trustcacerts -alias root -keystore <keystore_file>.keystore -file <exported_certificate_filename>.der
Example:
keytool -import -trustcacerts -alias root -keystore tomcat.ks -file cert.der
NOTE: Specify root as the alias. The verification and configuration steps that follow refer to this alias.
Because the CA certificate is self-signed and not yet trusted, keytool displays the certificate details and prompts Trust this certificate? [no]:. Check that the Owner and fingerprint belong to your tree's CA, then answer yes. After importing the certificate, keytool displays Certificate was added to keystore.
NetIQ recommends that you also import the root certificate into the Java cacerts keystore. Note that every Java application that uses this JRE then trusts your test CA.
For example:
keytool -import -trustcacerts -alias root -keystore /opt/netiq/common/jre/lib/security/cacerts -file cert.der
or
keytool -import -trustcacerts -alias root -keystore C:\NetIQ\idm\jre\lib\security\cacerts -file cert.der
Verify that the CA certificate was imported correctly into the keystore in the conf directory by using the following command:
keytool -list -v -alias root -keystore keystore_name
For example,
keytool -list -v -alias root -keystore tomcat.ks
keytool lists the certificate. The entry for alias root should show Entry type: trustedCertEntry, and the Owner and Issuer should both be your tree's CA (for example, O=IDMTESTTREE, OU=Organizational CA).
The following steps use the eDirectory CA to sign a certificate for your application server. Before you begin, ensure that you have a keystore and a certificate signing request (CSR) file. For more information, see Creating a Keystore and Certificate Signing Request.
Log in to iManager.
Navigate to Certificate Server > Issue Certificate.
Browse to the .csr file created in Step 7 of Creating a Keystore and Certificate Signing Request.
Example: IDMcertrequest.csr
Click Next twice.
For the certificate type, click Unspecified.
Click Next twice.
iManager saves the file as csr_request_name.der. Example: IDMcertrequest.der
Copy the certificate (IDMcertrequest.der) to the configuration directory of your application server.
For example, /opt/netiq/idm/apps/tomcat/conf or C:\NetIQ\idm\apps\tomcat\conf.
To import the certificate issued by the CA into the keystore that holds your key pair, complete the following steps:
In a command prompt, navigate to the conf directory for your application server and run the following command:
keytool -import -alias <alias_name> -keystore <keystore_file> -file <signed_certificate_filename>.der
For example,
keytool -import -alias IDMkey -keystore tomcat.ks -file IDMcertrequest.der
NOTE: The alias must be the same alias you used for the key pair when you created the keystore and the CSR (IDMkey in the example). keytool uses the alias to find the private key that the certificate belongs to.
After importing the certificate, keytool displays Certificate reply was installed in keystore. If it instead displays Certificate was added to keystore, the alias did not match an existing key pair and the certificate was stored as a separate trusted certificate; delete that entry with keytool -delete -alias <alias_name> -keystore <keystore_file> and repeat the import with the correct alias.
NetIQ recommends that you also import the signed certificate into the Java cacerts keystore.
For example:
keytool -import -alias IDMkey -keystore /opt/netiq/common/jre/lib/security/cacerts -file IDMcertrequest.der
or
keytool -import -alias IDMkey -keystore C:\NetIQ\idm\jre\lib\security\cacerts -file IDMcertrequest.der
Verify that the signed certificate was installed correctly in the keystore in the conf directory by using the following command:
keytool -list -v -alias alias_name -keystore keystore_name
For example,
keytool -list -v -alias IDMkey -keystore tomcat.ks
keytool lists the certificate chain. The entry for your alias should show Entry type: PrivateKeyEntry and Certificate chain length: 2, with Certificate[1] issued to your application server by the CA and Certificate[2] being the CA certificate you imported earlier. A chain length of 1 means the keystore still holds only the original self-signed certificate of the key pair.
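The two verification steps above (listing the root alias after the CA import, and listing the key-pair alias after installing the signed certificate) are easy to misread by eye. The following script is an added example, not part of the NetIQ documentation: it parses the output of keytool -list -v and checks that the CA is a trusted entry and that the key pair carries the CA-signed certificate with the CA in its chain, which is exactly the state the imports above should produce. It assumes the aliases root and IDMkey from the examples (keytool stores aliases in lower case, so the match is case-insensitive); the two keystore listings embedded in it are constructed for the example, one for a correct import and one for an import done under the wrong alias.

```shell
#!/bin/sh
# Added example, not part of the NetIQ documentation: check the outcome of the
# two keytool imports by parsing the output of `keytool -list -v`.
# Assumptions: aliases root and IDMkey from the examples, and the sample
# listings below, which are constructed for this example.

# entry_type LISTING ALIAS -> prints the "Entry type:" of ALIAS, nothing if absent
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        tolower($0) == ("alias name: " tolower(alias)) { found = 1; next }
        found && /^Alias name: / { exit }          # reached the next entry
        found && /^Entry type: / { sub(/^Entry type: /, ""); print; exit }'
}

# chain_length LISTING ALIAS -> prints "Certificate chain length:" for ALIAS;
# a trustedCertEntry has no such line and counts as 1; nothing if absent
chain_length() {
    printf '%s\n' "$1" | awk -v alias="$2" '
        tolower($0) == ("alias name: " tolower(alias)) { found = 1; next }
        found && /^Alias name: / { exit }
        found && /^Certificate chain length: / { print $NF; got = 1; exit }
        END { if (found && !got) print 1 }'
}

# verify_server_keystore LISTING -> 0 when the CA is a trusted entry and the
# key pair under IDMkey carries the CA-signed certificate with the CA in its
# chain, 1 otherwise (with the reason on stderr)
verify_server_keystore() {
    if [ "$(entry_type "$1" root)" != "trustedCertEntry" ]; then
        echo "root: CA certificate is not a trusted entry" >&2; return 1
    fi
    if [ "$(entry_type "$1" IDMkey)" != "PrivateKeyEntry" ]; then
        echo "IDMkey: no key pair under this alias (alias mismatch with the CSR?)" >&2; return 1
    fi
    if [ "$(chain_length "$1" IDMkey)" -lt 2 ]; then
        echo "IDMkey: chain length 1, signed certificate was not installed on the key pair" >&2; return 1
    fi
    return 0
}

# Constructed listing of a keystore after both imports succeeded.
GOOD_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Jan 10, 2024
Entry type: trustedCertEntry

Owner: O=IDMTESTTREE, OU=Organizational CA
Issuer: O=IDMTESTTREE, OU=Organizational CA

*******************************************

Alias name: idmkey
Creation date: Jan 10, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=idmserver.example.com, O=IDMTESTTREE
Issuer: O=IDMTESTTREE, OU=Organizational CA
Certificate[2]:
Owner: O=IDMTESTTREE, OU=Organizational CA
Issuer: O=IDMTESTTREE, OU=Organizational CA
'

# Constructed listing after importing the signed certificate under a wrong
# alias: keytool stored it as a separate trusted entry, and the key pair still
# has only its original self-signed certificate.
BAD_LISTING='Alias name: root
Entry type: trustedCertEntry
Owner: O=IDMTESTTREE, OU=Organizational CA

Alias name: idmkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=idmserver.example.com, O=IDMTESTTREE
Issuer: CN=idmserver.example.com, O=IDMTESTTREE

Alias name: idmcertrequest
Entry type: trustedCertEntry
Owner: CN=idmserver.example.com, O=IDMTESTTREE
'

# Stand-alone run against the constructed listings. On a real server, run
#   verify_server_keystore "$(keytool -list -v -keystore tomcat.ks)"
verify_server_keystore "$GOOD_LISTING" && echo "good listing: OK"
verify_server_keystore "$BAD_LISTING" || echo "bad listing: rejected as expected"
```

The check deliberately tests the chain length rather than just the presence of an alias: an import under a wrong alias still succeeds from keytool's point of view, so the only visible symptoms are a chain length of 1 on the key pair and a stray trustedCertEntry, which is what the second constructed listing shows.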
Update the SSL settings for the Application server. For more information, see Updating the SSL Settings for the Application Server.
Update the SSL settings in the Configuration utility. For more information, see Updating the SSL Settings in the Configuration Utility.
Update the SSL settings for Self Service Password Reset. For more information, see Updating the SSL Settings for Self Service Password Reset.
Restart Tomcat.