Symantec Identity Suite - Virtual Appliance replacing self-signed certs



Article ID: 93224


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal


We would like to replace the self-signed certificates for Identity Manager on the Virtual Appliance. When we place the replacement certificate and private key in the suggested folder


we receive the following error on restart:

2018-02-02 19:30:06,222 ERROR [] (MSC service thread 1-7) MSC000001: Failed to start service
org.jboss.msc.service.StartException in service JBAS015229: Unable to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService( [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$ [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker( [rt.jar:1.8.0_71]
    at java.util.concurrent.ThreadPoolExecutor$ [rt.jar:1.8.0_71]
    at [rt.jar:1.8.0_71]
Caused by: Invalid keystore format


CA Identity Suite 14.1 CP2 (minimum)


The problem is that the Virtual Appliance expects a Java keystore (JKS) in the location of the out-of-the-box (OOTB) self-signed certificates. A PEM certificate and private key copied into that location are not a keystore, so the WildFly service fails to start with "Invalid keystore format".


To resolve this, import the certificate and its private key into a Java keystore (JKS), place that keystore in /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ and restart the service. On this restart the service should start without error.

The service looks for a JKS; once the signed certificate and the private key are in one, as a single private key entry, you should not experience any further issues.

Additional Information

You can reference the steps below for creating and implementing a self-signed certificate on the Virtual Appliance (VAPP):

Backing up current certs:
cd /home/config
mkdir certs
cd certs
mkdir orig
mkdir new
cp /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/* /home/config/certs/orig
cp /home/config/certs/orig/caim-srv /home/config/certs/new
cd /home/config/certs/new

Create a self-signed certificate and private key, then pack both into a PKCS#12 file. The openssl req command prompts for the subject; use the hostname clients connect to as the Common Name. -nodes leaves the private key file unencrypted; the password protects the PKCS#12 export and must match the -srcstorepass given to keytool below. This sample uses P@ssw0rd:

openssl req -x509 -newkey rsa:4096 -keyout myPrivateKey.pem -out myCertificate.crt -days 3650 -nodes
openssl pkcs12 -export -out keyStore.p12 -inkey myPrivateKey.pem -in myCertificate.crt -passout pass:P@ssw0rd

Use keytool to replace the OOTB entry in the copied keystore (caim-srv) with the newly created key and certificate. The imported entry keeps the alias it has in the PKCS#12 file; if the original alias must be preserved, add -srcalias and -destalias to the keytool -importkeystore command.

keytool -list -v -keystore caim-srv -storepass changeit
Look for the alias name of the existing entry and copy it.
keytool -delete -alias <existing alias-name> -keystore caim-srv -storepass changeit
keytool -list -v -keystore caim-srv -storepass changeit -------- The keystore now lists 0 entries

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore caim-srv -srckeystore keyStore.p12 -srcstoretype PKCS12 -srcstorepass P@ssw0rd
keytool -list -v -keystore caim-srv -storepass changeit

Finally, copy the new keystore to the Identity Governance (caig-srv) and Identity Portal (caip-srv) keystores so that the components can communicate with each other, then replace the OOTB keystores on the appliance:

cp caim-srv caip-srv
cp caim-srv caig-srv
rm /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/*
cp ca* /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates
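To catch the mistake before restarting the service, the following added check (example code written for this page, not part of the CA/Broadcom article or the appliance) classifies a keystore file by its leading bytes and, for a JKS, walks its entries the way keytool -list does, without needing a JDK. The JKS layout it parses (magic 0xFEEDFEED, version, entry count, then tagged entries with a modified-UTF-8 alias) is Sun's standard format; the sample keystore bytes, alias names and timestamp are constructed for the test and carry placeholder key and certificate bodies rather than real ones.

```python
"""Pre-flight check for files placed in wildfly-ssl-certificates/ (added example)."""
import io
import struct
import sys

JKS_MAGIC = 0xFEEDFEED    # header of a java.security.KeyStore "JKS" file
JCEKS_MAGIC = 0xCECECECE  # "JCEKS" variant: same layout, different key cipher


def detect_keystore_format(data: bytes) -> str:
    """Classify a keystore/certificate file as PEM, JKS, JCEKS, PKCS12, DER or unknown."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    # PKCS#12, DER certificates and PKCS#8 keys all start as an ASN.1 SEQUENCE (0x30);
    # a PKCS#12 PFX is the one whose first inner element is INTEGER version 3 (02 01 03).
    if data[:1] == b"\x30" and len(data) > 2:
        body = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)  # skip tag + length bytes
        if data[body:body + 3] == b"\x02\x01\x03":
            return "PKCS12"
        return "DER"
    return "unknown"


def list_jks_entries(data: bytes) -> list:
    """Walk the JKS structure and return [{alias, type, chain_length}, ...]."""
    buf = io.BytesIO(data)

    def u32() -> int:
        return struct.unpack(">I", buf.read(4))[0]

    def utf() -> str:  # DataOutputStream.writeUTF: 2-byte length + bytes
        (n,) = struct.unpack(">H", buf.read(2))
        return buf.read(n).decode("utf-8")

    magic, version, count = u32(), u32(), u32()
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS keystore (magic 0x%08X)" % magic)
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(count):
        tag = u32()
        alias = utf()
        buf.read(8)  # creation time, milliseconds since the epoch
        if tag == 1:  # PrivateKeyEntry: encrypted key followed by the certificate chain
            buf.read(u32())
            chain = u32()
            for _ in range(chain):
                if version == 2:
                    utf()  # certificate type, normally "X.509"
                buf.read(u32())
            entries.append({"alias": alias, "type": "PrivateKeyEntry", "chain_length": chain})
        elif tag == 2:  # trustedCertEntry: a single certificate
            if version == 2:
                utf()
            buf.read(u32())
            entries.append({"alias": alias, "type": "trustedCertEntry", "chain_length": 1})
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return entries


def check_wildfly_keystore(data: bytes) -> tuple:
    """(ok, message): ok only for a JKS holding exactly one private key entry,
    the state the keytool steps above leave caim-srv in."""
    fmt = detect_keystore_format(data)
    if fmt != "JKS":
        return (False, "%s file: WildFly will fail with 'Invalid keystore format'; "
                       "import it into a JKS with keytool -importkeystore" % fmt)
    keys = [e for e in list_jks_entries(data) if e["type"] == "PrivateKeyEntry"]
    if len(keys) != 1:
        return (False, "JKS holds %d private key entries, expected exactly 1" % len(keys))
    return (True, "JKS with private key alias '%s' (chain of %d)"
                  % (keys[0]["alias"], keys[0]["chain_length"]))


def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_jks(entries) -> bytes:
    """Constructed sample JKS for offline testing: real layout, placeholder key and
    certificate bodies, zeroed integrity digest (keytool itself would reject it)."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))
    blob = b"\x30\x03\x02\x01\x00"  # placeholder ASN.1, not a real key or certificate
    for alias, kind, chain in entries:
        tag = 1 if kind == "PrivateKeyEntry" else 2
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 1517600000000)
        if tag == 1:
            out += struct.pack(">I", len(blob)) + blob + struct.pack(">I", chain)
        for _ in range(chain if tag == 1 else 1):
            out += _utf("X.509") + struct.pack(">I", len(blob)) + blob
    return bytes(out) + b"\x00" * 20  # SHA-1 digest slot, left zeroed


if __name__ == "__main__":
    # Usage: python jks_check.py /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/*
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            ok, msg = check_wildfly_keystore(f.read())
        print("%s %s: %s" % ("OK " if ok else "BAD", path, msg))
```

Run it against the files in /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/ before restarting: anything reported as PEM or PKCS12 is exactly what produces "Invalid keystore format", and a JKS with zero private key entries is the intermediate state after keytool -delete and before the import. The check reads the public structure only; it needs no store password and does not verify the trailing integrity digest.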

The application will then only be accessible through the URLs below, and no longer through the embedded Apache load balancer: