If a web server sends an incomplete certificate chain the client browser or other consumer needs to perform extra downloads to retrieve the missing certificates to validate the trust chain; desktop browsers do this reliably but mobile browsers or federated service providers may fail, or not even try, depending on their implementation.
You will also need to have access to the proxy server's file system.
Note: This has to be done for a proxy that has a certificate individually. One can not be copied to another.
keytool -v -importkeystore -srckeystore cacerts -srcalias this-server -destkeystore thisserver.p12 -deststoretype PKCS12
The location of the cacerts keystore is "C:\Program Files\Dell\Cloud Access Manager Proxy\j2sdk\jre\lib\security\cacerts"
2 - Convert the PKCS12 to PEM format - keeping the private key intact:
Before adding the required Certificate Authority root and/or intermediate certificate(s) to the chain it may be necessary to convert them to PEM format – only perform this step if the certificates are NOT already in PEM format (e.g. you have a CRT or CERT file) or you will corrupt your chain:
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pem
3 - Concatenate the PEM files into a single file on the command line:
4 - Create the PKCS12 keystore (in this example the private key is already contained in the PEM so there is no need to use the -inkey option but if your private key is separate then add '-inkey filename.key' to this command):
This keystore can now be uploaded to Cloud Access Manager using the ‘Import PKCS12/PFX file’ option on the Manage Certificates page of Settings in the Admin UI. The updated certificate will replace your existing certificate if one is already installed.