
Cloud Access Manager 8.1.3 - Configuration Guide


Managing your SSL certificate

When you install Cloud Access Manager, a temporary self-signed certificate is created for the proxy and stored in the database. This section describes how to replace the temporary certificate with a fully signed, trusted certificate.

Obtaining a signed certificate

To obtain a signed certificate you must generate a Certificate Signing Request (CSR) and then install the resulting certificate as described in the following steps.

To generate a certificate signing request

  1. Log on to the Administration Console using the fallback login shortcut and navigate to the Settings page, then select Show Advanced Settings.

    NOTE: The Settings page is accessed from the gear icon.

  2. Click Manage Certificates.

  3. The Certificates page is displayed.
  4. The proxy certificate is displayed at the top of the list of certificates with the alias this-server. Immediately after installation it is shown as Self-signed. If you do not already have a signed certificate to use for the proxy, you need to create a certificate signing request and submit it to your Certificate Authority. To do this, click Generate Key Pair and CSR.

  5. Complete the Fully Qualified Server DNS Name field. This must match the wildcard DNS subdomain created for the Cloud Access Manager Proxy, for example, *.webapps.company.com. For further information, please refer to the Prerequisites section in the One Identity Cloud Access Manager Installation Guide.
  6. If you want to specify additional information that will be displayed on your certificate, select the Supply Additional Certificate Information check box and complete the fields as required.
  7. Click Generate.
  8. When the key pair and CSR have been generated, click Download CSR, or copy and paste the CSR text shown into a file. What you download at this point is the signing request, not a certificate.

    When the certificate signing request was generated, the certificate entry in the Certificates Alias list on the Certificates page changed from Self-signed to CSR. At this stage, you can click Download CSR to retrieve the certificate signing request if required.

  9. You now need to request a wildcard SSL/TLS server certificate, using the generated certificate signing request, from a Certificate Authority, for example, VeriSign, Thawte or GoDaddy.
  10. When your certificate has been signed, download the complete certificate chain in PKCS#7 format, ensuring that your Certificate Authority's root certificate, any intermediate certificates they may use, and your signed certificate are included in a single PKCS#7 certificate file.

    NOTE: If your Certificate Authority does not have a PKCS#7 complete chain option, select the option for a Tomcat Web Server certificate.

  11. If you downloaded the signed certificate in PKCS#7 format containing the complete chain, on the Certificates page, click Install CSR Reply.

    If you did not download the complete certificate chain in a single PKCS#7 file, you will need to install the Certificate Authority's root certificate and any of its intermediate certificates prior to installing your signed certificate. The Certificate Authority's root certificate and any intermediate certificates are typically included in the download containing your signed certificate.

    NOTE: Cloud Access Manager only accepts base64 (PEM) encoded certificates; the single exception is the PKCS#12 / PFX import for this-server, which is a binary format. Files with a .crt or .cer extension can be either PEM encoded (base64 text) or DER encoded (raw binary); Cloud Access Manager accepts them only if they are PEM encoded, so convert a DER file to PEM before installing it.

    Depending on your Certificate Authority, you may be given a separate root certificate and an intermediate certificate or a bundle containing both the root and intermediate certificates. To install these, use the Install Trusted CA Certificate option on the Certificates page. When these have been installed, click Install CSR Reply from the Certificates page to install your signed certificate.

  12. Click Save. When the certificate has been installed, it is displayed in the Certificates Alias list as signed.

Replacing an expiring certificate

You can create a new certificate signing request before your current certificate expires.

To replace an expiring certificate, from the Certificates page, click Generate Expiry Key Pair and CSR. The procedure for generating and installing the replacement certificate is the same as for the original certificate; see Obtaining a signed certificate. Your current certificate is only overwritten when the replacement certificate is fully signed and installed, so the proxy continues to serve the existing certificate while the new CSR is pending.

Installing a fully signed certificate from a certificate archive file

If you already have a signed certificate for the proxy together with its private key, packaged as a PKCS#12 / PFX archive, from the Certificates page click Import PKCS12 / PFX file and upload the archive. This is the one import that accepts a binary file rather than base64 text; see the NOTE under step 11 of Obtaining a signed certificate.
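The script below is an added example and is not code from this guide or from One Identity. It shows the openssl checks a practitioner would run on the material before uploading it on the Certificates page: that the CSR's CN is the wildcard proxy name (step 5 of Obtaining a signed certificate), that each file is PEM rather than DER (the NOTE under step 11) with a DER-to-PEM conversion, how to bundle root, intermediate and leaf into a single PKCS#7 and count what it contains (step 10), that the signed certificate chains to the root and matches the generated key pair (before Install CSR Reply), and how to build the PKCS#12 / PFX archive used by Import PKCS12 / PFX file. It assumes only the openssl command-line tool. The root CA, intermediate, key pair, certificate names and the password `changeit` are all constructed for the example; in real use the CSR comes from the Generate Key Pair and CSR button and the signed files from your CA.

```shell
#!/usr/bin/env bash
# Added example, not code from the Cloud Access Manager guide or from One Identity:
# openssl pre-flight checks for the material uploaded on the Certificates page.
# Assumes the openssl CLI (1.1.1 or 3.x) is installed; all files go in a temp dir.
set -euo pipefail

WORK="$(mktemp -d)"
PROXY_NAME='*.webapps.company.com'   # the wildcard proxy name used in the guide

# Constructed test data standing in for what a real CA returns: a root CA, an
# intermediate, and a wildcard leaf issued from a CSR. Skipped if already built.
make_test_chain() {
  [ -f "$WORK/proxy.pem" ] && return 0
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'subjectAltName=DNS:%s\n' "$PROXY_NAME" > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Example Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # The CSR step 5 has you generate: subject CN is the wildcard proxy name.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$PROXY_NAME" \
    -keyout "$WORK/proxy.key" -out "$WORK/proxy.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 397 -extfile "$WORK/leaf.ext" -out "$WORK/proxy.pem" 2>/dev/null
  # A DER copy of the leaf, to exercise the encoding check below.
  openssl x509 -in "$WORK/proxy.pem" -outform DER -out "$WORK/proxy.der"
}

# Step 5: the CSR's subject CN must be the wildcard DNS name of the proxy.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject=//' -e 's/.*CN=\([^,]*\).*/\1/'
}

# NOTE under step 11: only PEM (base64) is accepted, whatever the file extension.
cert_encoding() {
  if grep -q -- '-----BEGIN' "$1"; then echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
  else echo UNKNOWN; fi
}
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# Step 10: one PKCS#7 holding root + intermediate + leaf, and a way to count them.
make_p7b() {   # make_p7b root.pem intermediate.pem leaf.pem out.p7b
  cat "$1" "$2" "$3" > "$4.chain.pem"
  openssl crl2pkcs7 -nocrl -certfile "$4.chain.pem" -out "$4"
}
p7b_cert_count() { openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject='; }

# Before Install CSR Reply: the leaf chains to the root through the intermediate,
# and its public key is the one from the key pair generated with the CSR.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" > /dev/null 2>&1; }
key_matches_cert() {   # key_matches_cert cert.pem key.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Import PKCS12 / PFX path: key + leaf + CA chain in one archive. The password is
# illustrative; in real use pass it via -passout file: or env: rather than argv.
make_pfx() {   # make_pfx key.pem leaf.pem ca-bundle.pem out.pfx password
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}
pfx_cert_count() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERT'; }

make_test_chain
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
echo "CSR CN: $(csr_cn "$WORK/proxy.csr")"
echo "proxy.pem encoding: $(cert_encoding "$WORK/proxy.pem")"
echo "proxy.der encoding: $(cert_encoding "$WORK/proxy.der") (converting to PEM)"
der_to_pem "$WORK/proxy.der" "$WORK/proxy-from-der.pem"
make_p7b "$WORK/root.pem" "$WORK/int.pem" "$WORK/proxy.pem" "$WORK/chain.p7b"
echo "certificates in chain.p7b: $(p7b_cert_count "$WORK/chain.p7b")"
if verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/proxy.pem"; then echo "chain verifies"; else echo "chain broken"; exit 1; fi
if key_matches_cert "$WORK/proxy.pem" "$WORK/proxy.key"; then echo "key matches certificate"; else echo "key mismatch"; exit 1; fi
make_pfx "$WORK/proxy.key" "$WORK/proxy.pem" "$WORK/ca-bundle.pem" "$WORK/proxy.pfx" changeit
echo "certificates in proxy.pfx: $(pfx_cert_count "$WORK/proxy.pfx" changeit)"
```

Run `openssl pkcs7 -in <file>.p7b -print_certs -noout` on the file your CA returns before clicking Install CSR Reply: you should see three subjects (root, intermediate, leaf); if the root or intermediate is missing, install them first with Install Trusted CA Certificate as the guide describes. The example also puts the wildcard name in a subjectAltName as well as the CN because current browsers ignore the CN when matching the host name; confirm the certificate your CA issues carries the SAN. The PKCS#12 password is passed on the command line here only for brevity; it is visible in the process list, so use `-passout file:` or `-passout env:` in practice.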
