
How to install CA signed root certificate

SOLVED
Sutha
New Member
0 Kudos

How to install CA signed root certificate

Hello there,

 

I want to install CA signed root certificate chain in Ping Directory 6.2. Can anyone give me the command or doc link?

 

Thanks.

8 REPLIES
UnboundID NeilW
UnboundID
0 Kudos

Re: How to install CA signed root certificate

The basic command is:

 

manage-certificates import-certificate --keystore {path-to-keystore} --keystore-password-file {path-to-keystore-password} --alias {alias} --certificate-file {path-to-certificate-chain}

 

If you have the certificates in multiple files, you can provide the --certificate-file argument multiple times to specify the path to each file. If you do that, then you should provide the certificates in the correct order with the server certificate first and the root certificate last (the tool should enforce this order and report an error if you get it wrong).

 

If you initially created the server with a self-signed certificate, then you can probably use config/keystore as the path to the keystore, config/keystore.pin as the keystore password file. The alias should be the alias for which you generated the certificate signing request.

 

If you didn't generate a certificate signing request but instead have the certificate chain and private key in PEM files, then the command is the same except you would add the --private-key-file argument to specify the path to the file containing the private key.

UnboundID ArnoL
UnboundID
0 Kudos

Re: How to install CA signed root certificate

If you need a link for a convenient referenceable page:

 

https://docs.ping.directory/latest_PingDirectory/cli/index.html

 

manage-certificates is your tool here, as Neil pointed out.

Sutha
New Member
0 Kudos

Re: How to install CA signed root certificate

Thanks to both for your quick response. When I tried the following, I get an error...

 

./manage-certificates import-certificate --keystore /ds/binaries/PingDirectory/config/keystore --keystore-password-file /ds/binaries/PingDirectory/config/keystore.pin --keystore-type PKCS12 --alias "CA_Root_Chain" --certificate-file /tmp/CARoot_Cert_Chain.p7b

ERROR:  Unable to decode a DER element read from certificate file '/tmp/CARoot_Cert_Chain.p7b' as an X.509 certificate:  Unable to decode the provided byte array as an X.509 certificate because the DER sequence contained 2, which is different from the three elements (tbsCertificate, signatureAlgorithm, and signatureValue) that were expected.

UnboundID ArnoL
UnboundID
0 Kudos
Solution

Re: How to install CA signed root certificate

The default key store we use in the Ping Data server products is JKS, not PKCS12.

The PKCS#7 encoded file contains a chain, and the first element in the file is a public key, not a private key. With keytool you would specify the -trustcacerts option to indicate that the public keys along the chain should be added to the keystore.

 

Try this first:

./manage-certificates import-certificate \
--keystore /ds/binaries/PingDirectory/config/keystore \
--keystore-password-file /ds/binaries/PingDirectory/config/keystore.pin \
--keystore-type JKS \
--alias "signed-server-cert" \
--certificate-file /tmp/CARoot_Cert_Chain.p7b

Then if that fails, try this:

keytool -import \
    -alias signed-server-cert \
    -trustcacerts \
    -file /tmp/CARoot_Cert_Chain.p7b \
    -keystore /ds/binaries/PingDirectory/config/keystore \
    -storepass $(cat /ds/binaries/PingDirectory/config/keystore.pin) \
    -storetype JKS
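A pre-flight check for the decode error quoted earlier in this thread, as an added example (Python; not part of this thread or of PingDirectory): it reads the outer DER SEQUENCE of a PEM or DER file and reports whether it has the three elements of a bare X.509 Certificate or the two elements (contentType OID plus content) of a PKCS#7 ContentInfo such as a .p7b, which is the shape import-certificate rejected. The DER skeletons at the bottom are constructed stand-ins, not real certificates.

```python
# Added example, not PingDirectory code: report whether a certificate file's outer DER
# SEQUENCE has the three elements of a bare X.509 Certificate or the two elements of a
# PKCS#7 ContentInfo (.p7b), which is the mismatch behind the error in this thread.
import base64
import re
PKCS7_SIGNED_DATA_OID = "1.2.840.113549.1.7.2"

def _read_tlv(buf, pos):  # one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # child (tag, value) pairs of a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out

def _decode_oid(value):  # OID content octets -> dotted-decimal string
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _to_der(data):  # unwrap PEM (first block only); pass DER through unchanged
    m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def classify_cert_file(data):
    """Return 'x509', 'pkcs7' or 'unknown' for the outer DER structure of PEM/DER bytes."""
    tag, value, _ = _read_tlv(_to_der(data), 0)
    if tag != 0x30:  # both structures start with a SEQUENCE
        return "unknown"
    kids = _children(value)
    if [k[0] for k in kids] == [0x30, 0x30, 0x03]:  # tbsCertificate, signatureAlgorithm, signatureValue
        return "x509"
    if len(kids) == 2 and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == PKCS7_SIGNED_DATA_OID:
        return "pkcs7"  # ContentInfo { contentType OID, [0] EXPLICIT content }
    return "unknown"

# Constructed, minimal DER skeletons (not real certificates) for a self-check.
X509_SHAPED_DER = bytes.fromhex("300730003000030100")
PKCS7_SHAPED_DER = bytes.fromhex("300f06092a864886f70d010702a0023000")
X509_SHAPED_PEM = b"-----BEGIN CERTIFICATE-----\nMAcwADAAAwEA\n-----END CERTIFICATE-----\n"
```

Running classify_cert_file over the bytes of a file before calling import-certificate tells you whether to convert the .p7b to individual PEM certificates first or to fall back to keytool -trustcacerts as suggested above.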

 

Sutha
New Member
0 Kudos

Re: How to install CA signed root certificate

Thanks for your help. I think I had an issue with my Root CA format; I generated a new Root CA and was able to import it using the following command with no issues.

 

./manage-certificates import-certificate --keystore /ds/binaries/PingDirectory/config/keystore --keystore-password-file /ds/binaries/PingDirectory/config/keystore.pin --keystore-type JKS --alias "CA_Root_Chain" --certificate-file /tmp/CA_Root_Chain.cer

 

Thanks.

mraybone
New Member
0 Kudos

Re: How to install CA signed root certificate

Hello,

I had the same issue and managed to import my own certificate.  However I don't seem to be able to figure out how to apply it so that it can be used when connecting to the directory server via HTTPS and SCIM.

Cheers,

MRaybone

UnboundID ArnoL
UnboundID
0 Kudos

Re: How to install CA signed root certificate

This would be done by setting the certificate nickname on the HTTPS Connection Handler.

 

dsconfig set-connection-handler-prop \
    --handler-name "HTTPS Connection Handler"  \
    --set ssl-cert-nickname:Your-Certificate-Nickname-Here  
UnboundID _-rc-_
UnboundID
0 Kudos

Re: How to install CA signed root certificate

Alternatively, the server's default alias name is "server-cert"; you could rename your certificate alias to this name with keytool:

$ keytool -list -keystore config/keystore -storepass $(cat config/keystore.pin)
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

my-custom-alias, Jan 18, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 9E:0B:C9:97:DF:02:AF:1B:2F:A6:8C:2E:DC:B6:E6:CC:AD:8B:45:E7

 

Change it to "server-cert":

$ keytool -changealias -keystore config/keystore -storepass $(cat config/keystore.pin) -alias my-custom-alias -destalias server-cert