Symantec Identity Suite - Replace Apache Self-Signed Cert changes permissions.

book

Article ID: 242571

calendar_today

Updated On:

Products

CA Identity Suite CA Identity Manager

Issue/Introduction

We are unable to replace the default, self-signed Apache certs for port 443 in /opt/CA/VirtualAppliance/custom/apache-ssl-certificates/.  By default the localhost.key and localhost.crt files are owned by config and belong to the apache group.  Overwriting the cert and key files switches the apache group to config group and removes apache's privileges. 

Additionally, the config user is not allowed to run /bin/chgrp to change the group to apache even though it owns the crt and key files.

Cause

The issue was caused by using the 'mv' command rather than the 'cp' command.

Environment

Release : 14.4

Component : IdentitySuite (Identity Suite)

Resolution

Copy the new cert to:

/opt/CA/VirtualAppliance/custom/apache-ssl-certificates

Suggested Naming Convention:
localhost.crt.newcert
localhost.key.newkey

Navigate to:

/opt/CA/VirtualAppliance/custom/apache-ssl-certificates

Backup the old certs:
run ' cp localhost.crt localhost.crt.backup'     (config/config)
run ' cp localhost.key localhost.key.backup'  (config/config)

Update the current certs to the new one:
run ' cp localhost.crt.newcert localhost.crt'    (config/apache)
run ' cp localhost.key.newkey localhost.key' (config/apache)