Using CA-Signed Certificates

You can use existing CA-signed certificates to secure connections and data by importing the certificates into the keystore, and referencing them your boot.properties file. Use the keytool command to import an existing certificate into the keystore.

The following process imports a CA-signed certificate into the keystore, with the alias example-com. Replace this alias with the alias of your certificate:

  1. Stop the server if it is running.

  2. Back up your existing openidm/security/keystore and openidm/security/truststore files.

  3. Use the keytool command to import your existing certificate into the keystore.

    Substitute the following in this command:

    • example-cert.p12 with the name of your certificate file.

    • srcstorepass with the password that you set to open your certificate.

    • example-com with the existing certificate alias.

    • destination keystore password with the password you set for the keystore.

      If you have not changed the default keystore password, it is changeit. In a production environment, you should change the default keystore password. For more information, see "Changing the Default Keystore Password".

    keytool \
    -importkeystore \
    -srckeystore example-cert.p12 \
    -srcstoretype PKCS12 \
    -srcstorepass changeit \
    -srcalias example-com \
    -destkeystore keystore.jceks \
    -deststoretype JCEKS \
    -destalias openidm-localhost
    Importing keystore example-cert.p12 to keystore.jceks...
    Enter destination keystore password: changeit

    The keytool command creates a trusted certificate entry with the specified alias and associates it with the imported certificate. The certificate is imported into the keystore with the alias openidm-localhost. If you want to use a different alias, you must modify your resolver/boot.properties file to reference that alias, as shown in the following step.

    Note

    The certificate entry password must be the same as the IDM keystore password. If the source certificate entry password is different from the target keystore password, use the -destkeypass option with the same value as the -deststorepass option to make the certificate password match the target keystore password. If you do not make these passwords the same, no error is generated when you import the certificate (or when you read the certificate entry in the destination keystore), but IDM will fail to start with the following exception:

    java.security.UnrecoverableKeyException: Given final block not properly padded.
  4. If you specified an alias other than openidm-localhost for the new certificate, change the value of openidm.https.keystore.cert.alias in your resolver/boot.properties file to that alias. For example, if your new certificate alias is example-com, change the boot.properties file as follows:

    openidm.https.keystore.cert.alias=example-com
  5. Restart the server for the new certificate to be taken into account.

Read a different version of :