Using a CA-signed certificate
About this task
To use a Certificate Authority (CA)-signed SSL certificate, follow the process shown below to create a private key, generate a certificate signing request (CSR), and request a certificate:
ASE internally validates the authenticity of the imported certificate.
Steps
- Create a private key.

      /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
      Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
      Do you want to proceed [y/n]:y
      OK, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
      Key created in keystore
      dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem

  The ASE command-line interface (CLI) creates a 2048-bit private key and stores it in the key store.
- Create a CSR.

      /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
      Warning: create_csr will delete any existing CSR and self-signed certificate
      Do you want to proceed [y/n]:y
      please provide following info
      Country Code >US
      State > Colorado
      Location >Denver
      Organization >Pingidentity
      Organization Unit >Pingintelligence
      Common Name >ase
      Generating CSR. Please wait...
      OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr

  Result:
  ASE takes you through a CLI-based interactive session to create a CSR.
- Upload the CSR created in step 2 to the CA-signing authority’s website to get a CA-signed certificate.
- Download the CA-signed certificate from the CA-signing authority’s website.
- Use the CLI to import the signed CA certificate into ASE. The certificate is imported into the key store.

      /opt/pingidentity/ase/bin/cli.sh import_cert <CA signed certificate path> -u admin -p
      Warning: import_cert will overwrite any existing signed certificate
      Do you want to proceed [y/n]:y
      Exporting certificate to API Security Enforcer...
      OK, signed certificate added to keystore
- Restart ASE by first stopping and then starting ASE.
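A check worth running between downloading the certificate and running `import_cert`, since `import_cert` overwrites any existing signed certificate. This is an added example, not part of the ASE documentation or tooling: it confirms that the certificate the CA returned carries the same public key as the CSR and is not about to expire. It assumes the `openssl` CLI is installed and both files are PEM-encoded; the function names and the sample-building helper are hypothetical.

```shell
#!/bin/sh
# Added example, not ASE code: sanity-check a CA response before import_cert.
# Assumes the openssl CLI is installed and both files are PEM-encoded.

# check_signed_cert CSR CERT [MIN_SECONDS_LEFT]
# Returns 0 if CERT carries the same public key as CSR and stays valid for
# at least MIN_SECONDS_LEFT (default: one day); 1 on key mismatch or
# unreadable input; 2 if CERT is expired or about to expire.
check_signed_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    if [ -z "$csr_key" ] || [ "$csr_key" != "$crt_key" ]; then
        echo "public key in $2 does not match $1" >&2
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend "${3:-86400}" >/dev/null; then
        echo "$2 expires within ${3:-86400} seconds" >&2
        return 2
    fi
    echo "OK: $(openssl x509 -in "$2" -noout -subject -enddate | tr '\n' ' ')"
}

# make_constructed_samples DIR
# Builds throwaway test material (constructed, not real ASE files):
#   a.csr / a.crt  request and a 30-day certificate over the same key
#   b.crt          certificate over an unrelated key
make_constructed_samples() {
    subj="/C=US/ST=Colorado/L=Denver/O=Pingidentity/OU=Pingintelligence/CN=ase"
    for n in a b; do
        openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$1/$n.csr" -signkey "$1/$n.key" -days 30 \
            -out "$1/$n.crt" 2>/dev/null || return 1
    done
}

# Usage: sh check_cert.sh /opt/pingidentity/ase/config/certs/dataplane/ase.csr <CA signed certificate path>
if [ "$#" -ge 2 ]; then
    check_signed_cert "$@"
fi
```

A non-zero exit means the file should not be passed to `import_cert`; go back to the CA with the CSR from step 2 instead.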