How To

How do I configure OpenIDM 4.x to use my existing CA signed certificate?

Last updated Apr 12, 2021

The purpose of this article is to provide information on how to import and configure an existing signed certificate, private key and CA certificate chain within OpenIDM.


This article has been archived and is no longer maintained by ForgeRock.


In order to import an existing signed certificate into the OpenIDM keystore, the following are required:

  • CA signed certificate.
  • Private key associated with the Certificate Signing Request (CSR) used to request the signed certificate.
  • Intermediary and root certificates from the Certificate Authority.

All of the above are expected to be in .PEM format. If there are multiple intermediary CA certificates they can be concatenated with the root certificate into a single .PEM file.

You can import an existing signed certificate as follows:

Importing an existing CA signed certificate (OpenIDM 4.x)


In a clustered configuration, the following procedure should be performed on the 'clustered-first' node. The 'clustered-additional' nodes within the environment must be restarted in order for the new certificate to take effect.

To replace the out-of-the-box OpenIDM self-signed certificate with an existing signed certificate:​

  1. Shut down the OpenIDM instance.
  2. Back up the existing security/keystore and security/truststore files.
  3. Delete the openidm-localhost certificate from both the existing keystore and truststore files using the keytool command: $ keytool -delete -alias openidm-localhost -keystore security/keystore.jceks -storetype JCEKS $ keytool -delete -alias openidm-localhost -keystore security/truststore
  4. Generate a new PKCS12 keystore using the existing CA signed certificate, private key and CA certificate chain: $ openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile chain.pem -name openidm-signed-cert -out cert.pkcs12 You will be prompted for a password when generating the new PKCS12 keystore file; you must enter the existing OpenIDM keystore password.
  5. Import the PKCS12 keystore generated in step 4 into the existing OpenIDM keystore using the keytool command: $ keytool -importkeystore -srckeystore cert.pkcs12 -srcstoretype pkcs12 -destkeystore security/keystore.jceks -storetype JCEKS $ keytool -import -file cert.pem -keystore security/truststore -alias openidm-signed-cert
  6. Edit the file (located in /path/to/openidm/conf/boot) and set the openidm.https.keystore.cert.alias as follows: openidm.https.keystore.cert.alias=openidm-signed-cert
  7. Restart the OpenIDM instance.

See Also

How do I renew my existing CA certificate in use by IDM (All versions)?

How do I change the symmetric key in IDM 6?

How do I change the default keystore password in OpenIDM 4.x?

Integrator's Guide › Securing & Hardening Servers

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.