---
title: Configuring SSL for external APIs
description: API Security Enforcer (ASE) supports both TLS 1.2 and Secure Sockets Layer (SSL) 3 for external application programming interfaces (APIs).
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_confguring_ssl_external_apis
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_confguring_ssl_external_apis.html
revdate: April 24, 2024
section_ids:
  using-a-ca-signed-certificate: Using a CA-signed certificate
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  result: Result:
  using-a-self-signed-certificate: Using a self-signed certificate
  about-this-task-2: About this task
  steps-2: Steps
  example-4: Example:
  example-5: Example:
  example-6: Example:
  using-an-existing-certificate-and-key-pair: Using an existing certificate and key pair
  about-this-task-3: About this task
  steps-3: Steps
  example-7: Example:
  example-8: Example:
---

# Configuring SSL for external APIs

API Security Enforcer (ASE) supports both TLS 1.2 and Secure Sockets Layer (SSL) 3 for external application programming interfaces (APIs).

OpenSSL is bundled with ASE. The following are the version details:

* RHEL 7: OpenSSL 1.0.2k-fips January 26, 2017

* Ubuntu 16LTS: OpenSSL 1.0.2g March 1, 2016

You can configure SSL in ASE for client-side connections using one of the following methods:

* Using a certificate authority (CA)-signed certificate

* Using a self-signed certificate

* Using an existing certificate

The steps in this section apply to the certificate and key generated for connections between the client and ASE, as depicted in the following diagram.

![Diagram of SSL/TLS connections](../_images/fjt1564009007147.png)

In a cluster setup:

1. Stop all the ASE cluster nodes.

2. Configure the certificate on the management node.

3. Start the cluster nodes one by one for the certificates to synchronize across the nodes.

## Using a CA-signed certificate

### About this task

To use a CA-signed SSL certificate, create a private key, generate a certificate signing request (CSR), and request a certificate, as shown in the following diagram.

![Diagram showing CA-signed certificate process](../_images/wrh1564009007993.png)

ASE internally validates the authenticity of the imported certificate.

To use a CA-signed certificate:

### Steps

1. Create a private key.

   The ASE command-line interface (CLI) is used to create a 2048-bit private key and to store it in the key store.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
   Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   Ok, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
   Key created in keystore
   dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
   ```

2. Create a CSR.

   ASE takes you through a CLI-based interactive session to create a CSR.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
   Warning: create_csr will delete any existing CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   please provide following info
   Country Code >US
   State > Colorado
   Location >Denver
   Organization >Pingidentity
   Organization Unit >Pingintelligence
   Common Name >ase
   Generating CSR. Please wait...
   OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr
   ```

3. Upload the CSR that you created in step 2 to the CA signing authority's website to get a CA-signed certificate.

4. Download the CA-signed certificate from the CA signing authority's website.

5. Use the CLI to import the CA-signed certificate into ASE.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh import_cert  <CA signed certificate path>  -u admin -p
   Warning: import_cert will overwrite any existing signed certificate
   Do you want to proceed [y/n]:y
   Exporting certificate to API Security Enforcer...
   OK, signed certificate added to keystore
   ```

   #### Result:

   The certificate is imported into the key store.

6. Restart ASE.

   For more information, see [Starting and stopping ASE](pingintelligence_starting_and_stopping_ase.html).

## Using a self-signed certificate

### About this task

A self-signed certificate is also supported for customer testing.

To create a self-signed certificate:

### Steps

1. Create a private key.

   The ASE CLI is used to generate a 2048-bit private key in the `/opt/pingidentity/ase/config/certs/dataplane/dh1024.pem` file.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh create_key_pair -u admin -p
   Warning: create_key_pair will delete any existing key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   Ok, creating new key pair. Creating DH parameter may take around 20 minutes. Please wait
   Key created in keystore
   dh param file created at /opt/pingidentity/ase/config/certs/dataplane/dh1024.pem
   ```

2. Create a CSR file.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh create_csr -u admin -p
   Warning: create_csr will delete any existing CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   please provide following info
   Country Code >US
   State >colorado
   Location >Denver
   Organization >PI
   Organization Unit >TEST
   Common Name >yoursiteabc.com
   Generating CSR. Please wait...
   OK, csr created at /opt/pingidentity/ase/config/certs/dataplane/ase.csr
   ```

3. Use the CLI to produce a self-signed certificate from the certificate request located in `/opt/pingidentity/ase/config/certs/dataplane/ase.csr`.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh create_self_sign_cert -u admin -p
   Warning: create_self_sign_cert will delete any existing self-signed certificate
   Do you want to proceed [y/n]:y
   Creating new self-signed certificate
   OK, self-sign certificate created in keystore
   ```

4. Restart ASE.

   For more information, see [Starting and stopping ASE](pingintelligence_starting_and_stopping_ase.html).

## Using an existing certificate and key pair

### About this task

If you have an intermediate certificate from a CA, then append the content to your server `.crt` file.

To install an existing certificate:

### Steps

1. Import the key pair.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh import_key_pair private.key -u admin -p
   Warning: import_key_pair will overwrite any existing certificates
   Do you want to proceed [y/n]:y
   Exporting key to API Security Enforcer...
   OK, key pair added to keystore
   ```

2. Import the `.crt` file into ASE by running the `import_cert` CLI command.

   #### Example:

   ```
   /opt/pingidentity/ase/bin/cli.sh import_cert server-crt.crt -u admin -p
   Warning: import_cert will overwrite any existing signed certificate
   Do you want to proceed [y/n]:y
   Exporting certificate to API Security Enforcer...
   OK, signed certificate added to keystore
   ```

3. Restart ASE.

   For more information, see [Starting and stopping ASE](pingintelligence_starting_and_stopping_ase.html).
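
Because `import_key_pair` and `import_cert` overwrite what is already in the key store, it is worth confirming beforehand that the key, CSR and certificate belong together and that an appended intermediate leaves a well-formed `.crt` file. The following helpers are an added example, not part of the ASE CLI or of this guide's own commands; the function names are hypothetical, and they assume unencrypted PEM files and an `openssl` binary on the `PATH`.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for the files named in the steps above.
# Function names are hypothetical; nothing here calls the ASE CLI.

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {  # pubkey_digest <key|csr|cert> <file>
    local pem
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    # An unreadable file yields no PEM; fail rather than hash empty input.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if both files carry the same public key.
same_pubkey() {  # same_pubkey <kind> <file> <kind> <file>
    local a b
    a=$(pubkey_digest "$1" "$2") || return 1
    b=$(pubkey_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

# Write the server certificate followed by the intermediate. Re-encoding each
# file through openssl avoids fused "-----END...-----BEGIN" lines when the
# server .crt has no trailing newline, which a plain append would produce.
bundle_cert() {  # bundle_cert <server.crt> <intermediate.crt> <out.crt>
    { openssl x509 -in "$1" && openssl x509 -in "$2"; } > "$3" 2>/dev/null \
        || { rm -f "$3"; return 1; }
}

# Checks to run before import_key_pair / import_cert.
preflight() {  # preflight <private.key> <server.crt>
    same_pubkey key "$1" cert "$2" \
        || { echo "private key does not match certificate" >&2; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 1; }
}

# Stand-alone use: bash preflight.sh private.key server-crt.crt
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "OK to import"
fi
```

The `csr` kind covers the CA-signed flow as well: `same_pubkey csr ase.csr cert <CA signed certificate path>` confirms that the certificate returned by the CA was issued for the CSR that ASE generated.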
