Issue:
How can I replace the default self-signed Policy Manager for Linux certificate with a certificate issued by a trusted CA?
Resolution:
The Policy Manager for Linux keystore is located at "/var/opt/f-secure/fspms/data/fspms.jks" (version 12.30 and higher) or "/opt/f-secure/fspms/config/fspms.jks" for previous Policy Manager versions.
You can use the following command to query details about certificates stored in fspms.jks:
- /opt/f-secure/fspms/jre/bin/keytool -list -v -keystore fspms.jks -storepass superPASSWORD
- You should see the following output:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: fspms
Creation date: 20.09.2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN
Issuer: CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN
Serial number: 4c977fcc
Valid from: Mon Sep 20 18:37:48 EEST 2010 until: Wed Aug 27 18:37:48 EEST 2110
Certificate fingerprints:
MD5: 00:2D:4E:23:3A:9C:68:22:CD:CE:72:43:2B:CC:98:00
SHA1: 7C:F7:E1:2D:2E:6C:0A:86:66:53:E2:C7:59:2C:F2:9E:89:B6:4F:BD
SHA256: 02:87:BD:AF:BB:2B:F2:BB:13:A5:96:A8:F1:5D:DC:5C:67:AB:77:68:AF:36:85:1F:F2:F7:DE:29:88:AD:DF:D1
Signature algorithm name: SHA1withDSA
Version: 3
You can follow the steps below to replace the default self-signed Policy Manager Linux certificate:
Assume that you have:
- A signed (or self-signed) certificate, with the full chain of intermediate CAs, and its private key inside a PKCS12 keystore.
- The keystore is protected with the password "srcpassword".
- Your certificate and the private key are referenced by the name (alias) "server".
- The keystore file is "server.p12" and it is located in the same directory as "fspms.jks".
NOTE: When you execute the importkeystore command, pay attention to "-destkeypass": it should be the same as "-deststorepass". If you do not supply the proper "-destkeypass", the command can complete successfully, but problems may occur on Policy Manager server startup.
- Type the following command:
- /opt/f-secure/fspms/jre/bin/keytool -importkeystore -destkeystore fspms.jks -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass srcpassword -srcalias server
- You are replacing the certificate in "fspms.jks", so the following message will appear:
- Existing entry alias server exists, overwrite? [no]:
- Type "yes" and press Enter.
- Type the following command to restart the Policy Manager server to start using the new certificate:
- /etc/init.d/fspms restart
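A check for the result of the steps above, added here as an example and not taken from F-Secure's own tooling: it reads "keytool -list -v" output on standard input and flags a missing key entry under the "fspms" alias, the default certificate subject shown earlier still being present, a CA-issued certificate imported without its chain, or a SHA1/MD5 signature. The function name, the sample listings and the example.internal names are constructed for illustration.

```shell
# Added example (not F-Secure code): audit `keytool -list -v` output on stdin.
# Prints findings; returns 1 if a FAIL was raised. Assumes English keytool output.
DEFAULT_DN='CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN'  # from the article
check_fspms_listing() {
    awk -v def="$DEFAULT_DN" '
        /^Alias name:/               { alias = $3 }
        alias != "fspms"             { next }   # skip entries under other aliases
        /^Entry type:/               { etype = $3 }
        /^Certificate chain length:/ { chain = $4 }
        /^Certificate\[/             { idx++ }  # idx 1 = the server (leaf) certificate
        idx == 1 && /^Owner:/        { owner = substr($0, 8) }
        idx == 1 && /^Issuer:/       { issuer = substr($0, 9) }
        idx == 1 && /^Signature algorithm name:/ { sig = $4 }
        END {
            if (etype != "PrivateKeyEntry") { print "FAIL: no PrivateKeyEntry under alias fspms"; fail = 1 }
            if (owner == def) { print "FAIL: default self-signed certificate still installed"; fail = 1 }
            if (owner != issuer && chain < 2) print "WARN: CA-issued certificate without its chain"
            if (sig ~ /^(SHA1|MD5)with/) print "WARN: weak signature algorithm " sig
            exit fail + 0
        }'
}

# Constructed sample: the default entry, condensed from the listing in the article.
sample_default() { cat <<'EOF'
Alias name: fspms
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN
Issuer: CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN
Signature algorithm name: SHA1withDSA
EOF
}

# Constructed sample: the entry after the import (all names are placeholders).
sample_replaced() { cat <<'EOF'
Alias name: fspms
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=pms.example.internal, O=Example Corp
Issuer: CN=Example Issuing CA, O=Example Corp
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp
EOF
}
sample_default | check_fspms_listing || echo "default entry: still needs replacing"
sample_replaced | check_fspms_listing && echo "replaced entry: OK"
```

On a real server, pipe the output of the "keytool -list -v" command shown earlier into check_fspms_listing after the import and before restarting the service.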
Article no: 000004509