How to add an issued certificate to the JBOSS SSL keystore

Article ID: 35702

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

Many users want or need to replace the default SSL certificate in the JBoss keystore because of requirements or restrictions in their environment. The task becomes difficult when the required options are omitted or the steps are not followed in the correct order, which leads to a range of errors and a longer process than necessary.

Environment

Privileged Identity Manager 12.9

Resolution

1.     Create a new ssl.keystore containing the alias entm.
# keytool -genkey -alias entm -keyalg RSA -keystore ssl.keystore -storepass SSLKEYSTORE_PASSWORD -dname "CN=user,OU=my_org_unit,o=my_org,L=AA,ST=my_state,C=my_country"

2.     Generate a certificate request
# keytool -certreq -keyalg RSA -alias entm -keystore ssl.keystore -file CERT_REQUEST_FILENAME.csr

3.     Send the CSR to the Certificate team and, once it’s back, import the root CA first
# keytool -import -keystore ssl.keystore -alias rootCA -file ROOT_CA_CERT_FILENAME.cer

4.     Then the intermediate if there is one
# keytool -import -keystore ssl.keystore -alias intermediateCA -file INTERMEDIATE_CA_CERT_FILENAME.cer

5.     Then the machine certificate
# keytool -import -alias entm -keystore ssl.keystore -file MACHINE_CERT_FILENAME.cer

6.     Start JBoss
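
Before starting JBoss it is worth confirming that step 5 replaced the self-signed certificate under entm rather than leaving it in place. The following is an added example, not part of the original article: it parses `keytool -list -v` output for the entm alias and fails if the entry is not a PrivateKeyEntry, is still self-signed, or has a shorter chain than expected. The function names and the sample listings are constructed for illustration.

```shell
# Added example: inspects `keytool -list -v -alias entm` output read from stdin.
# Real use: keytool -list -v -keystore ssl.keystore -alias entm | check_entm_entry 3
# check_entm_entry MIN_CHAIN -> 0 if entm is a PrivateKeyEntry, its first
# certificate is CA-issued (Owner != Issuer) and the chain has >= MIN_CHAIN certs.
check_entm_entry() {
    awk -v min="${1:-2}" '
        /^Entry type:/               { etype = $3 }
        /^Certificate chain length:/ { chain = $4 }
        /^Certificate\[1\]:/         { leaf = 1; next }
        /^Certificate\[[0-9]+\]:/    { leaf = 0 }
        leaf && /^Owner:/            { owner = substr($0, 8) }
        leaf && /^Issuer:/           { issuer = substr($0, 9) }
        END {
            if (etype != "PrivateKeyEntry") { print "FAIL: entry type is " etype; exit 1 }
            if (owner == issuer)            { print "FAIL: certificate is still self-signed"; exit 1 }
            if (chain + 0 < min + 0)        { print "FAIL: chain length " chain " below " min; exit 1 }
            print "OK: " etype ", chain length " chain
        }'
}

# Constructed sample output (not from a real keystore): after step 5 succeeded.
sample_signed() { cat <<'EOF'
Alias name: entm
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=user, OU=my_org_unit, O=my_org, L=AA, ST=my_state, C=my_country
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}

# Constructed sample output: the keystore as it looks right after step 1.
sample_selfsigned() { cat <<'EOF'
Alias name: entm
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=user, OU=my_org_unit, O=my_org, L=AA, ST=my_state, C=my_country
Issuer: CN=user, OU=my_org_unit, O=my_org, L=AA, ST=my_state, C=my_country
EOF
}
sample_signed | check_entm_entry 3
sample_selfsigned | check_entm_entry 3 || true
```

Pass 2 as the argument when there is no intermediate CA, since the chain then holds only the machine certificate and the root.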

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/12-9-01/implementing/communication-encryption/how-to-replace-the-default-ssl-certificates.html

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/12-9-01/implementing/communication-encryption/how-to-configure-certificate-based-authentication.html