Issue:
How can I replace the default self-signed Policy Manager certificate with a trusted certificate authority (CA) created certificate?
Resolution:
Assume that you have:
- A CA-signed (or self-signed) certificate, with the full chain of intermediate CAs, and its private key, stored in a PKCS12 keystore.
- The keystore is protected with the password "srcpassword".
- Your certificate and the private key are referenced by name (alias) "server".
- The Keystore file is "server.p12" and it is located in the same directory as "fspms.jks".
Steps to replace the default Policy Manager certificate:
- Launch an elevated command prompt
- Go to the directory where "fspms.jks" is located and type the following command for your Policy Manager version:
- Policy Manager 15.x: "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool" -importkeystore -destkeystore fspms.jks -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass srcpassword -srcalias server
- Policy Manager 16.x: "C:\Program Files\WithSecure\Policy Manager\jre\bin\keytool" -importkeystore -destkeystore fspms.jks -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass srcpassword -srcalias server
- You are replacing the certificate in "fspms.jks" so the following message will appear:
- Existing entry alias server exists, overwrite? [no]:
- Type "yes" and press Enter.
- Restart the Policy Manager server to start using the new certificate. Use a Command Prompt to run the commands:
- Policy Manager 15: net stop fsms and net start fsms
- Policy Manager 16: net stop wspms and net start wspms
NOTE: When you execute the importkeystore command, pay attention to "-destkeypass": it must be the same as "-deststorepass". If you do not specify the correct "-destkeypass", the command can complete successfully, but problems may occur when the Policy Manager server starts.
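The following PowerShell check is an added example, not part of the original article or the vendor's tooling. Run after the import and before the restart, it confirms that alias "fspms" now holds the certificate and chain from "server.p12" and that the private key opens with the keystore password, which is the failure the NOTE describes. It assumes the 16.x keytool path, the placeholder passwords used above, and keytool's English output labels.

```powershell
# Added example. Run from the directory that holds fspms.jks and server.p12.
# Path, aliases and passwords are the article's placeholders; adjust as needed.
$keytool   = 'C:\Program Files\WithSecure\Policy Manager\jre\bin\keytool.exe'
$storePass = 'superPASSWORD'
$srcPass   = 'srcpassword'

function Get-EntryInfo {
    param([string]$Keystore, [string]$StorePass, [string]$Alias, [string[]]$Extra = @())
    # "keytool -list -v" prints entry type, chain length and fingerprints.
    # The regexes below assume keytool's English output labels.
    $out = & $keytool -list -v -keystore $Keystore -storepass $StorePass -alias $Alias @Extra 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "keytool failed for alias '$Alias' in ${Keystore}: $out" }
    [pscustomobject]@{
        EntryType   = if ($out -match 'Entry type:\s*(\S+)') { $Matches[1] }
        ChainLength = if ($out -match 'Certificate chain length:\s*(\d+)') { [int]$Matches[1] }
        # First SHA-256 fingerprint in the output belongs to the leaf certificate.
        Sha256      = if ($out -match 'SHA-?256:\s*([0-9A-Fa-f:]+)') { $Matches[1] }
    }
}

$src = Get-EntryInfo -Keystore 'server.p12' -StorePass $srcPass -Alias 'server' -Extra @('-storetype', 'PKCS12')
$dst = Get-EntryInfo -Keystore 'fspms.jks' -StorePass $storePass -Alias 'fspms'

if ($dst.EntryType -ne 'PrivateKeyEntry') { throw "Alias fspms is '$($dst.EntryType)', not a private key entry" }
if ($dst.Sha256 -ne $src.Sha256)          { throw 'fspms.jks holds a different certificate than server.p12' }
if ($dst.ChainLength -ne $src.ChainLength) { throw 'The certificate chain was not imported in full' }

# -certreq must unlock the private key, so it fails when the key password
# differs from the keystore password (wrong or missing -destkeypass on import).
$csr = Join-Path $env:TEMP 'fspms-check.csr'
& $keytool -certreq -alias fspms -keystore fspms.jks -storepass $storePass -keypass $storePass -file $csr 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Private key for alias fspms is not protected with the keystore password' }
Remove-Item $csr -ErrorAction SilentlyContinue

'OK: alias fspms has the new certificate, the full chain, and a key unlocked by the store password'
```

The script only reads the keystores; the temporary CSR file it writes is deleted and is not needed afterwards.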
Article no: 000021509