PingIntelligence

Creating a new SSL certificate

You can secure an ASE cluster using a new SSL certificate. To achieve this, you can either use a self-signed certificate or use a Certificate Authority (CA) signed SSL certificate.

Self-signed certificate

Flowchart for creating self-signed certificates

Complete the following steps to create a self-signed certificate:

  1. Create a cluster key pair using the following CLI command. The Private key in the pair is automatically created and updated in the keystore in <pi_install_path>/pingidentity/ase/config/certs/ directory.

    create_cluster_key_pair [--yes | -y]
    create private key for cluster server
    --yes | -y : create private key without confirmation prompt

    For example, the following command creates dh1024.pem in /opt/pingidentity/ase/config/certs/cluster/ directory.

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
    Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
    Cluster key created at keystore
    Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem
  2. Generate a Certificate Signing Request (CSR) from the private key using the following CLI command. This .csr file gets saved in <pi_install_path>/pingidentity/ase/config/certs/cluster/ directory.

    create_cluster_csr [--yes | -y]
    create certificate signing request for cluster server
    --yes | -y : create certificate signing request without confirmation prompt

    For example, the following command creates a .csr file under/opt/pingidentity/ase/config/certs/cluster/directory.

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
    Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >OP
    State >GP
    Location >IP
    Organization >KP
    Organization Unit >Kpase
    Common Name >www.123.com
    Generating CSR. Please wait...
    OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr
  3. Run the following CLI command to generate a self-signed certificate. The certificate is automatically created in the keystore in <pi_install_path>/pingidentity/ase/config/certs/ directory .

    create_cluster_self_sign_cert [--yes | -y]
    --yes | -y : create self signed certificate without confirmation prompt

    For example, the following command creates a self-signed certificate in the key store.

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_self_sign_cert
    Warning: create_cluster_self_sign_cert will delete any existing cluster self signed certificate
    Do you want to proceed [y/n]:y
    Creating new cluster self signed certificate
    OK, self sign certificate created in key store
  4. Restart the ASE cluster for synchronizing the key and certificate. To restart the ASE cluster, follow the instructions explained in Restart ASE cluster.

Obtain a CA-signed certificate

Flowchart to obtain a CA-signed certificate for ASE cluster

Complete the following steps to obtain Certificate Authority (CA) signed SSL certificates:

  1. Create a cluster key pair using the following CLI command. The Private key in the pair is automatically created and updated in the keystore in <pi_install_path>/pingidentity/ase/config/certs/ directory.

    create_cluster_key_pair [--yes | -y]
    create private key for cluster server
    --yes | -y : create private key without confirmation prompt

    For example, the following command creates a key in the /opt/pingidentity/ase/config/certs/cluster/ directory.

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
    Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
    Do you want to proceed [y/n]:y
    Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
    Cluster key created at keystore
    Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem
  2. Generate a Certificate Signing Request (CSR) from the private key using the following CLI command. This .csr file gets saved in <pi_install_path>/pingidentity/ase/config/certs/cluster/ directory.

    create_cluster_csr [--yes | -y]
    create certificate signing request for cluster server
    --yes | -y : create certificate signing request without confirmation prompt

    For example, the following command creates a .csr file under/opt/pingidentity/ase/config/certs/cluster/directory.

    $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
    Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
    Do you want to proceed [y/n]:y
    please provide following info
    Country Code >OP
    State >GP
    Location >IP
    Organization >KP
    Organization Unit >Kpase
    Common Name >www.123.com
    Generating CSR. Please wait...
    OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr
  3. Upload the CSR created in step 2 to the CA-signing authority’s website to get a CA-signed certificate.

  4. Download the CA-signed certificate from the CA-signing authority’s website.

  5. Use the following CLI command to import the signed CA-certificate into ASE cluster. The certificate is imported into the keystore in <pi_install_path>/pingidentity/ase/config/certs/ directory .

    import_cluster_cert {cert_path} [--yes | -y]
    import CA signed certificate for cluster server
    --yes | -y : import CA signed certificate without confirmation prompt

    For example,

    ./cli.sh -uadmin -padmin import_cluster_key_pair /home/ec2-user/cert_folder/signed_cert/test.elasticbeam.com.key
    Warning: import_cluster_key_pair will overwrite any existing cluster certificates
    Do you want to proceed [y/n]:y
    Exporting cluster key to API Security Enforcer...
    OK, key pair added to keystore
    2:43
    [ec2-user@rhel76-cluster-nodes-6-12 bin]$ ./cli.sh -uadmin -padmin import_cluster_cert /home/ec2-user/cert_folder/signed_cert/test.elastic.crt
    Warning: import_cluster_cert will overwrite any existing cluster signed certificate
    Do you want to proceed [y/n]:y
    Exporting cluster certificate to API Security Enforcer...
    OK, signed certificate added to keystore
  6. Restart the ASE cluster for synchronizing the key and certificate. To restart the ASE cluster, follow the instructions explained in Restart ASE cluster.