Policy Store certificate change in the Policy Server configuration

Article ID: 244107




CA Single Sign On Agents (SiteMinder)



While the Policy Server was running, the Policy Store's certificate was replaced because the old one had become outdated. How is the new certificate configured in the Policy Server?




Policy Server 12.8SP6a on Red Hat 7




To add the new certificate, the cert8.db database must first be upgraded to cert9.db, as described in the documentation (1)(2).

Once it is upgraded, get the new certificate from the Policy Store and insert it into cert9.db.

  1. Take a backup of the folder:
  2. Follow the documentation steps to upgrade cert8.db to cert9.db (2).
     Note that the command will fail if the -upgrade-prefix option is used (3).
  3. Get the mypolicystore.mydomain.com:636 certificate. On the Policy Server, run the following command:

     # openssl s_client -connect mypolicystore.mydomain.com:636

     In the output, copy the lines from

     -----BEGIN CERTIFICATE-----

     to

     -----END CERTIFICATE-----

     (both lines included) and paste them into a file called

     on the Policy Server machine.
  4. Get the alias of the old certificate:

     # certutil -L -d <installation_directory>/siteminder/myNewCertDB

     and note down the alias name.
  5. Delete the old certificate by its alias:

     # certutil -D -n alias -d <installation_directory>/siteminder/myNewCertDB

  6. Add the new certificate under the same alias as above:

     # certutil -A -n alias -t P -i <installation_directory>/siteminder/newcert.crt -d <installation_directory>/siteminder/myNewCertDB
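The procedure above as shell functions, added here as an example that is not part of the article: it wraps the openssl and certutil steps 3 to 6 and, after the import, checks that the certificate stored under the alias has the same SHA-256 fingerprint as the file fetched from the Policy Store. The function names, the argument layout and the fingerprint check are my additions; the sample s_client output embedded in the script is constructed and contains no real certificate.

```shell
#!/bin/sh
# Added example, not from the Broadcom article: the article's certificate
# rotation steps as shell functions, plus a fingerprint check that the
# certificate now stored under the alias is the one fetched from the
# Policy Store. Assumed (not in the article): the database directory and
# the alias (nickname) noted in step 4 are passed as arguments.

# Extract the first PEM certificate block from "openssl s_client" output
# read on stdin, BEGIN and END lines included. Only the first block is
# kept, so "-showcerts" output (leaf followed by chain) yields the leaf.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | sed '/^-----END CERTIFICATE-----$/q'
}

# Step 3: fetch the Policy Store's certificate over LDAPS and write it as
# PEM to the file named in $3. Fails if no certificate block is found.
fetch_policy_store_cert() {
    host=$1; port=$2; out=$3
    pem=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null | extract_pem)
    if [ -z "$pem" ]; then
        echo "no certificate found in s_client output for $host:$port" >&2
        return 1
    fi
    printf '%s\n' "$pem" > "$out"
}

# SHA-256 fingerprint of a PEM certificate file (value after the '=').
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate stored under an alias in an NSS
# database; "certutil -L -n <alias> -a" prints that certificate as PEM.
db_fingerprint() {
    certutil -L -n "$2" -d "$1" -a | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Steps 5 and 6: delete the old certificate under the alias, add the new
# one under the same alias with trust flag P (trusted peer), then confirm
# the fingerprint in the database matches the fetched file.
replace_cert() {
    db=$1; alias=$2; cert=$3
    certutil -D -n "$alias" -d "$db" || return 1
    certutil -A -n "$alias" -t P -i "$cert" -d "$db" || return 1
    [ "$(db_fingerprint "$db" "$alias")" = "$(pem_fingerprint "$cert")" ] || {
        echo "fingerprint mismatch after import of $cert into $db" >&2
        return 1
    }
}

# Constructed sample of s_client output (the base64 bodies are not real
# certificates) so that extract_pem can be exercised without a network.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = mypolicystore.mydomain.com
-----BEGIN CERTIFICATE-----
MIIBc29tZS1jb25zdHJ1Y3RlZC1ub3QtYS1yZWFsLWNlcnRpZmljYXRl
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBc2Vjb25kLWJsb2NrLWZyb20tc2hvd2NlcnRz
-----END CERTIFICATE-----
SSL handshake has read 1234 bytes and written 456 bytes'

# Self-check: number of lines extract_pem keeps from the sample
# (BEGIN line, one body line, END line).
sample_pem_line_count() {
    printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | extract_pem | grep -c ''
}

# Usage on a real Policy Server (needs network access to the Policy Store
# and the certutil shipped in the Policy Server bin directory on PATH):
#   fetch_policy_store_cert mypolicystore.mydomain.com 636 newcert.crt \
#     && replace_cert <installation_directory>/siteminder/myNewCertDB alias newcert.crt
```

Only the first BEGIN/END block is kept, which is the server's own certificate even when s_client is run with -showcerts. The comparison uses certutil's -a option, which prints the stored certificate as PEM, so a matching fingerprint confirms that the alias now holds exactly the certificate that was fetched, rather than a stale copy left from a failed delete.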


To create the right kind of certificate database, use the certutil command that ships with the Policy Server, in its bin directory:

  [ps.training.com] root :: 13:40:25 : <installation_directory>/siteminder $ mkdir new
  [ps.training.com] root :: 13:40:38 : <installation_directory>/siteminder $ ./bin/certutil -N -d new
  Enter a password which will be used to encrypt your keys.
  The password should be at least 8 characters long,
  and should contain at least one non-alphabetic character.

  Enter new password:
  Re-enter password:
  Passwords do not match. Try again.
  Enter new password:
  Re-enter password:
  [ps.training.com] root :: 13:41:09 : <installation_directory>/siteminder $ ls new/
  cert9.db  key4.db  pkcs11.txt

  [ps.training.com] root :: 13:41:10 : <installation_directory>/siteminder $ Version
  [Version -  Version 12.8.0600.2649]


Additional Information



    (1) Specify a Netscape Certificate Database File

        Up to Release 12.8.05: cert8.db and key3.db files
        From Release 12.8.06: cert9.db and key4.db files

    (2) Requirements for Existing LDAP User Directory Connections Over SSL

        (From Release 12.8.06) To migrate the certificate database file from cert8.db to cert9.db

        After an upgrade to Release 12.8.06, the existing cert8.db and
        key3.db files continue to work in the upgraded environment. However,
        to add new certificates in the cert8.db and key3.db files, the files
        must be first migrated to the cert9.db and key4.db files format that
        is supported from Release 12.8.06.

    (3) certutil --upgrade-merge command not working