PingAuthorize

Preparing a new keystore with the replacement key pair

You can replace the self-signed certificate with an existing key pair. As an alternative, you can use the certificate that is associated with the original key pair.

Using an existing key pair

To use an existing key pair, use the manage-certificates tool that is located in the server’s bin or bat directory, depending on your operating system.

About this task

If a private key and certificate already exist in PEM-encoded format, they can replace both the original private key and the self-signed certificate in keystore, instead of replacing the self-signed certificate associated with the original server-generated private key.

Steps

  • Import the existing certificates using the manage-certificates import-certificate.

    Order the certificates that use the --certificate-file option so that each subsequent certificate functions as the issuer for the previous one.

    List the server certificate first, then any intermediate certificates, and then list the root certificate authority (CA) certificate. Because some deployments do not feature an intermediate issuer, you might need to import only the server certificate and a single issuer.

    For example, the following command imports the existing certificates into a new keystore file named keystore.new.

    manage-certificates import-certificate \
  --keystore keystore.new \
  --keystore-type JKS \
  --keystore-password-file keystore.pin \
  --alias server-cert \
  --private-key-file existing.key \
  --certificate-file existing.crt \
  --certificate-file intermediate.crt \
  --certificate-file root-ca.crt

Replacing the certificate associated with the original key pair

Replace the certificate associated with the original server-generated private key (server-cert) if it has expired or must be replaced with a certificate from a different certificate authority (CA).

About this task

Perform the following steps to replace the certificate associated with the original key pair:

Steps

  1. Create a CSR file for the server-cert.

    Example:

    manage-certificates generate-certificate-signing-request \
  --keystore keystore \
  --keystore-type JKS \
  --keystore-password-file keystore.pin \
  --alias server-cert \
  --use-existing-key-pair \
  --subject-dn "CN=ldap.example.com,O=Example Corporation,C=US" \
  --output-file server-cert.csr

  2. Submit server-cert.csr to a CA for signing.

  3. Export the server’s private key into server-cert.key.

    Example:

    manage-certificates export-private-key \
  --keystore keystore \
  --keystore-password-file keystore.pin \
  --alias server-cert \
  --output-file server-cert.key

  4. Import the certificates obtained from the CA, including the CA-signed server certificate, the root CA certificate, and any intermediate certificates, into keystore.new.

    Example:

    manage-certificates import-certificate \
  --keystore keystore.new \
  --keystore-type JKS \
  --keystore-password-file keystore.pin \
  --alias server-cert \
  --private-key-file server-cert.key \
  --certificate-file server-cert.crt \
  --certificate-file intermediate.crt \
  --certificate-file root-ca.crt