RapidIdentity Product Guides - 2019 Rolling Release

SSL Certificates

The steps to import a new certificate can vary from site to site, depending on how the certificate is received and what type of certificate is imported. Java and Windows key stores (.jks and .pfx files) can be directly imported into the appliance. If you do not have a .jks or .pfx file, follow the steps below for normal certificate installation.

  1. Log in to idauto-apps. Click SSL Management in the Management menu at the top.

    Legacy_SSL_Certs_1.png

  2. Click the Create SSL Profile button.

  3. In the pop-up that follows, enter a name for the profile and enter an optional description. Click Create.

  4. A new SSL Profile will be visible in the Manage SSL Profiles menu. Click Generate for the new profile.

    Legacy_SSL_Certs_3-ed.png

  5. Fill out the Certificate Signing request form and click Generate CSR.

    Legacy_SSL_Certs_4.png
    Table 221. Certificate Signing Request Fields

    Field

    Description

    Host Name

    Required field. Fully-qualified domain name of the host server or the *.hostname for wildcard certs

    Note

    Secure with a certificate such as www.google.com, secure.website.org, *.domain.net, etc.

    Org Unit

    Your department (e.g., Information Technology, Website Security)

    Organization

    The full legal name of your organization, including the corporate identifier

    City/Locality

    The locality or city where your organization is legally incorporated. Do not abbreviate

    State/Province

    The state or province where your organization is legally incorporated. Do not abbreviate

    Country Code

    The official two-letter country code (i.e., US, CH) where your organization is legally incorporated



  6. Provide the downloaded CSR to your Certificate Authority to get a new certificate.

  7. Download individual .crt or .pem files for the certificate, any intermediate certificates, and the root certificate.

  8. Import the new certs into the Profile you just created. Note that the Import menu has three tabs for different import file types.

    1. The Import Key and Certs menu allows you to upload each of the certificate files received from the certificate authority.

      Legacy_Import_Menu_1.png
      Table 222. Import Key and Certs Fields

      Field

      Description

      File Type

      Choose the appropriate file type: PEM or DER

      Private Key

      Upload the private key created on the appliance when the CSR was generated

      Note

      This is only needed if you are using a certificate whose CSR was generated on a different server.

      Certificates

      Click Choose File to open a file selection menu. Upload a certificate file received from the authority

      Add Certificate File

      Click this button to add another Choose File option. Click Import when complete

      Note

      This is only needed if the certificate chain contains any intermediates. Each intermediate must be uploaded individually, but can be done in any order.



    2. The Import Keystore menu allows you to import JKS or PKCS12/PFX files.

      Legacy_Import_Menu_2.png
      Table 223. Import Key Store Fields

      Field

      Description

      File Type

      Choose the appropriate file type: JKS or PKCS12/PFX

      KeyStore

      Click Choose File to select the KeyStore file

      Passphrase

      Enter the passphrase used when the KeyStore was created

      Alias

      (Optional) Enter the alias used when the KeyStore was created. Click Import when complete



    3. The Import from Profile menu allows you to import settings into this profile from existing SSL Profiles. This will essentially create a duplicate profile as one of the profiles already configured.

      Legacy_Import_Menu_3.png

      Simply select the radio button next to the desired profile and click Import.

  9. Click Test on the new profile to validate the imported certificates.

    Legacy_SSL_Cert_Test.png

    Note

    The "Test" functionality attempts to open a new tab pointing to the server at a different TCP port which is temporarily set up to use the SSL certificate chain being tested. In order to be able to test, you will need to be able to connect to the RapidIdentity server on the temporary TCP port. This will almost certainly require Firewall rules to be adjusted.

  10. Once the certificate is valid, click the Import button on the live profile (usually default unless it has been changed manually) and import as shown in Step 8c. Note that the "default" is whatever has been defined in the CLI and may not be your native setting.

  11. Click Send Cluster Reload to make this the new active certificate. It may be necessary to completely quit the browser session and re-open it for it to recognize the new SSL certificate.

    Send_Cluster_Reload_-_Final_Step.png
In this section: