RapidIdentity Product Guides - 2019 Rolling Release

SSL Certificates

The steps to import a new certificate can vary from site to site, depending on how the certificate is received and what type of certificate is imported. Java and Windows key stores (.jks and .pfx files) can be directly imported into the appliance. If you do not have a .jks or .pfx file, follow the steps below for normal certificate installation.

  1. Log in to idauto-apps. Click SSL Management in the Management menu at the top.

  2. Click the Create SSL Profile button.

  3. In the pop-up that follows, enter a name for the profile and enter an optional description. Click Create.

  4. A new SSL Profile will be visible in the Manage SSL Profiles menu. Click Generate for the new profile.

  5. Fill out the Certificate Signing request form and click Generate CSR.

    Table 221. Certificate Signing Request Fields



    Host Name

    Required field. Fully-qualified domain name of the host server or the *.hostname for wildcard certs


    Secure with a certificate such as www.google.com, secure.website.org, *.domain.net, etc.

    Org Unit

    Your department (e.g., Information Technology, Website Security)


    The full legal name of your organization, including the corporate identifier


    The locality or city where your organization is legally incorporated. Do not abbreviate


    The state or province where your organization is legally incorporated. Do not abbreviate

    Country Code

    The official two-letter country code (i.e., US, CH) where your organization is legally incorporated

  6. Provide the downloaded CSR to your Certificate Authority to get a new certificate.

  7. Download individual .crt or .pem files for the certificate, any intermediate certificates, and the root certificate.

  8. Import the new certs into the Profile you just created. Note that the Import menu has three tabs for different import file types.

    1. The Import Key and Certs menu allows you to upload each of the certificate files received from the certificate authority.

      Table 222. Import Key and Certs Fields



      File Type

      Choose the appropriate file type: PEM or DER

      Private Key

      Upload the private key created on the appliance when the CSR was generated


      This is only needed if you are using a certificate whose CSR was generated on a different server.


      Click Choose File to open a file selection menu. Upload a certificate file received from the authority

      Add Certificate File

      Click this button to add another Choose File option. Click Import when complete


      This is only needed if the certificate chain contains any intermediates. Each intermediate must be uploaded individually, but can be done in any order.

    2. The Import Keystore menu allows you to import JKS or PKCS12/PFX files.

      Table 223. Import Key Store Fields



      File Type

      Choose the appropriate file type: JKS or PKCS12/PFX


      Click Choose File to select the KeyStore file


      Enter the passphrase used when the KeyStore was created


      (Optional) Enter the alias used when the KeyStore was created. Click Import when complete

    3. The Import from Profile menu allows you to import settings into this profile from existing SSL Profiles. This will essentially create a duplicate profile as one of the profiles already configured.


      Simply select the radio button next to the desired profile and click Import.

  9. Click Test on the new profile to validate the imported certificates.



    The "Test" functionality attempts to open a new tab pointing to the server at a different TCP port which is temporarily set up to use the SSL certificate chain being tested. In order to be able to test, you will need to be able to connect to the RapidIdentity server on the temporary TCP port. This will almost certainly require Firewall rules to be adjusted.

  10. Once the certificate is valid, click the Import button on the live profile (usually default unless it has been changed manually) and import as shown in Step 8c. Note that the "default" is whatever has been defined in the CLI and may not be your native setting.

  11. Click Send Cluster Reload to make this the new active certificate. It may be necessary to completely quit the browser session and re-open it for it to recognize the new SSL certificate.