We also have our own CA and we use the standard pkcs12 format.
First, the wasp is a standard Tomcat portal server, so it supports the standard pkcs12 format keystore automatically.
So after first resetting the wasp keystore, so you know the location and password, you can then build the new keystore in the desired format.
As we have a private pki and the server is "known", our security service provides 3 files:
1. a server cert file,
2. a file containing the intermediate and root certificates and
3. a key file
First we add/append the server cert to the chain file (server cert + chain certs).
Then we delete the "old" keystore.
Now we create a new keystore (in pkcs12 format) and load the full cert chain and the key file with the name/alias wasp using:
openssl pkcs12 -export -in <full_chain_file> -inkey <key_file> -name wasp -out <keystore> -passout pass:<key_password>
Finally restart the wasp.
When the cert is about to expire we get sent a new set of files. The update is scripted and security sends a person who enters the password, so we never know the password for the key.
This works very well on all the wasps (AC, OC and CABI) and we do the process every 6 months or so; downtime is the time to restart the wasp to force a re-read of the updated keystore. Another advantage of doing it this way is we have no CSR requirement, and security manages the password, not ops (security cannot access the key file and ops does not know the password to use it).
Regards, Andrew
------------------------------
Knows a little about UIM/DXim, AE, Automic
------------------------------
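The procedure above as an added shell example (not Andrew's script): it checks that the key file matches the server cert and that the chain file actually validates it before the old keystore is deleted, then builds the pkcs12 with the same openssl command. The file names, the key password and the throwaway root/intermediate/server test PKI are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: build the pkcs12 wasp keystore from
# the three delivered files, validating them first. Names below are assumed.
set -eu
# build_wasp_keystore SERVER_CERT CHAIN_FILE KEY_FILE KEYSTORE PASSWORD
# Returns non-zero (and leaves the old keystore in place) on bad material.
build_wasp_keystore() {
  server_cert=$1; chain=$2; key=$3; keystore=$4; password=$5
  # The key file must belong to the server cert: compare public-key digests.
  cert_pub=$(openssl x509 -in "$server_cert" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match server cert" >&2; return 1; }
  # The intermediate+root file must actually validate the server cert.
  openssl verify -CAfile "$chain" "$server_cert" >/dev/null || return 1
  full_chain=$(mktemp)
  cat "$server_cert" "$chain" > "$full_chain"   # server cert + chain certs
  rm -f "$keystore"                              # delete the "old" keystore
  openssl pkcs12 -export -in "$full_chain" -inkey "$key" -name wasp \
    -out "$keystore" -passout "pass:$password"
  rm -f "$full_chain"
}
# keystore_cert_count KEYSTORE PASSWORD: number of certs stored (expect 3).
keystore_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}
# keystore_alias KEYSTORE PASSWORD: friendlyName (alias) of the end-entity cert.
keystore_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts |
    sed -n 's/^ *friendlyName: //p'
}
# make_test_pki DIR: constructed root -> intermediate -> server chain standing
# in for what the security service delivers (test fixture only, 1-day certs).
make_test_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n[srv]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:wasp.example.test\n' > "$d/pki.cnf"
  openssl req -config "$d/pki.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 1 -subj /CN=Test-Root -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj /CN=Test-Intermediate -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 1 \
    -days 1 -extfile "$d/pki.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
  openssl req -config "$d/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj /CN=wasp.example.test -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 2 \
    -days 1 -extfile "$d/pki.cnf" -extensions srv -out "$d/server.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"   # the "chain file"
}
```

Run `make_test_pki` into a scratch directory and then `build_wasp_keystore` on its output to see the check fire when, for instance, the root key is passed instead of the server key.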
Original Message:
Sent: 04-22-2021 10:29 PM
From: Narongkij Tejasakulsin
Subject: UIM v20.3.3 - importing CA certificate
I'm also confused with the "high level" instructions from the documentation vs this Article ID: 16748
https://knowledge.broadcom.com/external/article/16748/how-to-configure-umpwasp-to-use-ssl-cert.html
The high level doc does not indicate to include hostname and IP address when using the keytool command.
Original Message:
Sent: 04-22-2021 11:26 AM
From: David MICHEL
Subject: UIM v20.3.3 - importing CA certificate
perhaps:
Failed to load response data when loading CABI site after installing signed cert
Article Id: 186517
https://knowledge.broadcom.com/external/article?articleId=186517
------------------------------
Support Engineer
Broadcom
NY
Original Message:
Sent: 04-22-2021 06:26 AM
From: Narongkij Tejasakulsin
Subject: UIM v20.3.3 - importing CA certificate
Hi All,
I'm trying to enable https and we have our own CA, but when I tried to follow the instructions ( https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-3/installing/optional-post-installation-tasks/Configure-HTTPS-in-Admin-Console-or-OC-(Authority-Signed-SSL-Certificate).html#concept.dita_cb13e2ee-2988-4c0f-9401-1f561f2acf68_ModifywasptoUseHTTPS2 ), it doesn't seem to work.
The above link has the "Generate a Public and Private Key Pair" section, which I did, but after importing my .cer file at the "Import the Certificates", the wasp starts but the webpage will not load.
It works with self-signed certificate.
When I do the "keytool -list -keystore wasp.keystore...", it will show the imported certificates, but only the self-signed will show up in the web browser.
Furthermore, after doing the "keytool -list -keystore wasp.keystore..." command, I'm getting the following error message:
The JKS keystore uses a proprietary format. it is recommended to migrate to pkcs12 which is an industry standard format using "keytool -importkeystore -srckeystore...".
Help greatly appreciated.