---
title: Securing an ASE cluster
description: You can secure an API Security Enforcer (ASE) cluster using a new SSL certificate.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_securing_ase_cluster
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_securing_ase_cluster.html
revdate: May 6, 2024
section_ids:
  creating-a-self-signed-certificate: Creating a self-signed certificate
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  result: Result:
  example-3: Example:
  creating-a-ca-signed-certificate: Creating a CA-signed certificate
  about-this-task-2: About this task
  steps-2: Steps
  example-4: Example:
  example-5: Example:
  example-6: Example:
---

# Securing an ASE cluster

You can secure an API Security Enforcer (ASE) cluster using a new SSL certificate.

To achieve this, you can either use a self-signed certificate or a certificate authority (CA)-signed SSL certificate:

* Self-signed certificate

* CA-signed certificate

## Creating a self-signed certificate

### About this task

![Flowchart summarizing the steps for a creating self-signed certificate](../_images/rbu1608192067249.png)

To create a self-signed certificate:

### Steps

1. Create a cluster key pair by running the following command-line interface (CLI) command:

   ```
   create_cluster_key_pair [--yes | -y]
   create private key for cluster server
   --yes | -y : create private key without confirmation prompt
   ```

   |   |                                                                                                                                                   |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | The Private key in the pair is automatically created and updated in the keystore in `<pi_install_path>/pingidentity/ase/config/certs/` directory. |

   #### Example:

   The following command creates `dh1024.pem` in the `/opt/pingidentity/ase/config/certs/cluster/` directory:

   ```shell
   $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
   Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
   Cluster key created at keystore
   Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem
   ```

2. Generate a certificate signing request (CSR) from the private key running the following CLI command:

   ```
   create_cluster_csr [--yes | -y]
   create certificate signing request for cluster server
   --yes | -y : create certificate signing request without confirmation prompt
   ```

   #### Example:

   The following command creates a `.csr` file in the `/opt/pingidentity/ase/config/certs/cluster/`directory:

   ```shell
   $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
   Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
   Do you want to proceed [y/n]:y
   please provide following info
   Country Code >OP
   State >GP
   Location >IP
   Organization >KP
   Organization Unit >Kpase
   Common Name >www.123.com
   Generating CSR. Please wait...
   OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr
   ```

   #### Result:

   This `.csr` file is saved in the `<pi_install_path>/pingidentity/ase/config/certs/cluster/` directory.

3. Generate a self-signed certificate by running the following command:

   ```
   create_cluster_self_sign_cert [--yes | -y]
   --yes | -y : create self signed certificate without confirmation prompt
   ```

   #### Example:

   The following command creates a self-signed certificate in the key store:

   ```shell
   $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_self_sign_cert
   Warning: create_cluster_self_sign_cert will delete any existing cluster self signed certificate
   Do you want to proceed [y/n]:y
   Creating new cluster self signed certificate
   OK, self sign certificate created in key store
   ```

   |   |                                                                                                                                |
   | - | ------------------------------------------------------------------------------------------------------------------------------ |
   |   | The certificate is automatically created in the key store in the `<pi_install_path>/pingidentity/ase/config/certs/` directory. |

4. Restart the ASE cluster for synchronizing the key and certificate.

   |   |                                                                                                                             |
   | - | --------------------------------------------------------------------------------------------------------------------------- |
   |   | For more information, follow the instructions in [Restarting an ASE cluster](pingintelligence_restarting_ase_cluster.html). |

## Creating a CA-signed certificate

### About this task

![Flowchart summarizing the steps to creating a CA-signed certificate for an ASE cluster](../_images/jtr1608192226972.png)

To create a CA-signed SSL certificate:

### Steps

1. Create a cluster key pair by running the following CLI command:

   ```
   create_cluster_key_pair [--yes | -y]
   create private key for cluster server
   --yes | -y : create private key without confirmation prompt
   ```

   #### Example:

   The following command creates a key in the `/opt/pingidentity/ase/config/certs/cluster/` directory:

   ```shell
   $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_key_pair
   Warning: create_cluster_key_pair will delete any existing cluster key_pair, CSR and self-signed certificate
   Do you want to proceed [y/n]:y
   Ok, creating new cluster key pair. Creating DH parameter may take around 20 minutes. Please wait
   Cluster key created at keystore
   Cluster dh param file created at /opt/pingidentity/ase/config/certs/cluster/dh1024.pem
   ```

   |   |                                                                                                                                                        |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | The private key in the pair is automatically created and updated in the key store in the `<pi_install_path>/pingidentity/ase/config/certs/` directory. |

2. Generate a certificate signing request (CSR) from the private key using the following CLI command:

   ```
   create_cluster_csr [--yes | -y]
   create certificate signing request for cluster server
   --yes | -y : create certificate signing request without confirmation prompt
   ```

   |   |                                                                                                          |
   | - | -------------------------------------------------------------------------------------------------------- |
   |   | This `.csr` file gets saved in the `<pi_install_path>/pingidentity/ase/config/certs/cluster/` directory. |

   #### Example:

   The following command creates a `.csr` file in the `/opt/pingidentity/ase/config/certs/cluster/` directory:

   ```shell
   $ pingidentity/ase/bin/cli.sh -u admin -p admin create_cluster_csr
   Warning: create_cluster_csr will delete any existing cluster CSR and self signed certificate
   Do you want to proceed [y/n]:y
   please provide following info
   Country Code >OP
   State >GP
   Location >IP
   Organization >KP
   Organization Unit >Kpase
   Common Name >www.123.com
   Generating CSR. Please wait...
   OK, cluster csr created at /opt/pingidentity/ase/config/certs/cluster/cluster.csr
   ```

3. Upload the CSR created in step 2 to the CA-signing authority's website to get a CA-signed certificate.

4. Download the CA-signed certificate from the CA-signing authority's website.

5. Import the signed CA-certificate into ASE cluster by running the following CLI command:

   ```
   import_cluster_cert {cert_path} [--yes | -y]
   import CA signed certificate for cluster server
   --yes | -y : import CA signed certificate without confirmation prompt
   ```

   |   |                                                                                                                     |
   | - | ------------------------------------------------------------------------------------------------------------------- |
   |   | The certificate is imported into the key store in the `<pi_install_path>/pingidentity/ase/config/certs/` directory. |

   #### Example:

   ```
   ./cli.sh -uadmin -padmin import_cluster_key_pair /home/ec2-user/cert_folder/signed_cert/test.elasticbeam.com.key
   Warning: import_cluster_key_pair will overwrite any existing cluster certificates
   Do you want to proceed [y/n]:y
   Exporting cluster key to API Security Enforcer...
   OK, key pair added to keystore
   2:43
   [ec2-user@rhel76-cluster-nodes-6-12 bin]$ ./cli.sh -uadmin -padmin import_cluster_cert /home/ec2-user/cert_folder/signed_cert/test.elastic.crt
   Warning: import_cluster_cert will overwrite any existing cluster signed certificate
   Do you want to proceed [y/n]:y
   Exporting cluster certificate to API Security Enforcer...
   OK, signed certificate added to keystore
   ```

6. Synchronizing the key and certificate by restarting the ASE cluster.

   |   |                                                                                                                             |
   | - | --------------------------------------------------------------------------------------------------------------------------- |
   |   | For more information, follow the instructions in [Restarting an ASE cluster](pingintelligence_restarting_ase_cluster.html). |