ForgeRock Identity Platform
Does not apply to Identity Cloud
How do I renew my existing CA certificate in use by IDM (All versions)?
The purpose of this article is to provide information on renewing an existing Certificate Authority (CA) signed certificate that is currently being used by IDM.
Renewing an existing CA certificate
Renewing an existing CA signed certificate that is in use by IDM and due to expire is effectively the same as requesting and installing a new CA signed certificate; the only difference being there is no need to import the CA root and intermediary certificates into the IDM truststore as they are already present.
To renew an existing CA certificate:
- Generate a new Certificate Signing Request (CSR) via the keytool command: $ keytool -certreq -alias openidm-signed-cert -keystore security/keystore.jceks -storetype JCEKS -file request.csrreplacing openidm-signed-cert with the alias of the existing certificate currently in use by IDM. This can be found as follows depending on your version:
- IDM 6.5 and later: look at the alias specified for the idm.jwt.session.module.encryption secret in the secrets.json file (located in /path/to/idm/conf).
- IDM 6: look at the openidm.https.keystore.cert.alias value in the boot.properties file (located in install-dir/resolver).
- Submit the generated CSR request to your CA.
- Receive the signed certificate back from your CA.
- Shutdown the IDM instance.
- Import the signed certificate provided by your CA into the existing IDM keystore. $ keytool -keystore security/keystore.jceks -storetype JCEKS -import -alias openidm-signed-cert -file signed.crt -trustcacertsreplacing openidm-signed-cert with the alias of the existing certificate currently in use by IDM.
- Restart the IDM instance.
Related Issue Tracker IDs