Update renewed certificate in samlKeystore.jks for SSO setup in ConnectALL
Article ID: 276531

Products

ConnectALL ConnectAll On-Prem

Issue/Introduction

Use Case:

ConnectALL is set up to use PingFederate SSO and the setup is working.
The server certificate has now expired and needs to be renewed on the PingFederate side. This article covers the steps to follow so that ConnectALL SSO works with the new server certificate.


Environment

ConnectALL 3.x

Resolution


  • Generate the server certificate/certificate chain from the certificate authority so it can be updated on the PingFederate side. You can also use the certificate generated in the next step.
  • Obtain the certificate in PFX format (servercert.pfx) from the certificate authority. It has a certificate password associated with it.
  • Extract the certificate from the PFX file. This is the certificate the SSO team needs to switch to on their side.

openssl pkcs12 -in /<location>/servercert.pfx -clcerts -nokeys -out onlycert.crt
Enter Import Password: Enter the PFX cert password

  • Extract the private key from the PFX file

openssl pkcs12 -in /<location>/servercert.pfx -nocerts -nodes -out onlykey.key
Enter Import Password: Enter the PFX cert password

  • Extract the chain of CA certificates from the PFX file (-cacerts selects only the issuer certificates; the original -nocerts -nokeys combination would have written an empty file)

openssl pkcs12 -in /<location>/servercert.pfx -cacerts -nokeys -out Certificate_Chain.crt
Enter Import Password: Enter the PFX cert password

So now you have:

    1. A private key: onlykey.key
    2. The certificate belonging to that private key: onlycert.crt
    3. The certificate(s) of the authority that issued the certificate: Certificate_Chain.crt
  • Next, combine the private key and the certificate into a PKCS12 keystore, which is used in the following step. This is required because Java's keytool utility does not let you import a private key and certificate from separate files. To do this, run the command below (-certfile adds the issuer chain to the bundle; -CAfile alone is only consulted when -chain is given and would otherwise be ignored):

openssl pkcs12 -export -in onlycert.crt -inkey onlykey.key -certfile Certificate_Chain.crt -caname root -name <alias> -out SSO_Keystore.jks
Enter Export Password: <enter password you need>
Verifying - Enter Export Password: <enter password you need>

Make sure the value of <alias> matches the value of the property saml.keystore.default.certkey in ../UI/tomcat/conf/ConnectAll/saml/samlConfiguration.properties, and that the password you enter for this command matches the value of the property saml.keystore.privatekey.passwords.

When you run the command you are asked for a password (<enter password you need>) for the PKCS12 keystore. You can choose any password; for simplicity changeit is a good option, since it is the default password that Tomcat expects. Once the command has completed, verify that the keystore file SSO_Keystore.jks now exists. Despite its .jks extension this file is in PKCS12 format, which is why the keytool command below reads it with -srcstoretype PKCS12.

  • Merge the Tomcat keystore and the PKCS12 keystore to import the certificate and private key
    You now need to merge the Tomcat keystore (samlKeystore.jks) and the PKCS12 keystore, which imports the certificate and private key into Tomcat's keystore. Because this is a renewal, the alias usually already exists in samlKeystore.jks; keytool will ask whether to overwrite the existing entry, and you must answer yes so that the new certificate replaces the old one. To do that, run the following command:

keytool -importkeystore -deststorepass <enter password you need> -destkeypass <enter password you need> -destkeystore samlKeystore.jks -srckeystore SSO_Keystore.jks -srcstoretype PKCS12 -srcstorepass changeit -alias <alias>
Importing keystore SSO_Keystore.jks to samlKeystore.jks...

  • Next, stop the ConnectALL UI service and replace samlKeystore.jks with the updated keystore in the ../ConnectALL/UI/tomcat/conf/ConnectAll/saml/security/ directory.
  • Have the certificate switched on the PingFederate side.
  • Restart the ConnectALL UI service and verify the changes.
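The following script is an added example and not part of this article or of ConnectALL; it checks the files produced by the openssl steps above before the keytool import, so that a mismatched key, an already-expiring certificate, or a bundle that differs from the certificate handed to the PingFederate team is caught before samlKeystore.jks is touched. It assumes openssl is on PATH; the file names (onlycert.crt, onlykey.key, SSO_Keystore.jks) and the PKCS12 password are passed as arguments, and the 30-day expiry margin is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original article). Pre-import checks for the
# key, certificate and PKCS12 bundle built with the openssl commands above.
# Assumption: openssl is installed; arguments follow the article's file names.

# 0 when the certificate's public key equals the one derived from the
# private key, i.e. onlycert.crt and onlykey.key really belong together.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the certificate stays valid for at least $2 seconds (assumed default:
# 30 days), so a "renewed" certificate that is already near expiry is caught
# now instead of at the next SSO outage.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# 0 when the leaf certificate inside the PKCS12 ($1, password $2) has the same
# SHA-256 fingerprint as the certificate file ($3) given to the SSO team, so
# both sides of the trust relationship end up with the same certificate.
p12_cert_matches() {
    p12_fp=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    file_fp=$(openssl x509 -in "$3" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$p12_fp" = "$file_fp" ]
}

# Run all checks; any failure means the bundle must not be imported.
# Arguments: cert key p12 p12password
verify_sso_bundle() {
    cert_matches_key "$1" "$2" && cert_not_expiring "$1" && p12_cert_matches "$3" "$4" "$1"
}

# Usage: sh check_sso_bundle.sh onlycert.crt onlykey.key SSO_Keystore.jks changeit
if [ $# -eq 4 ]; then
    if verify_sso_bundle "$1" "$2" "$3" "$4"; then
        echo "OK: key, certificate and PKCS12 bundle are consistent"
    else
        echo "FAIL: do not import this bundle into samlKeystore.jks" >&2
        exit 1
    fi
fi
```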