PingIntelligence

Import existing CA-signed certificates

You can import your existing certificate authority (CA)-signed certificate into API Behavioral Security (ABS).

Before you begin

If ABS is already running, stop it before you import the CA-signed certificate.

About this task

To import the CA-signed certificate:

Steps

  1. Export your CA-signed certificate to the PKCS12 store by entering the following command:

    # openssl pkcs12 -export -in <your_CA_certificate>.crt -inkey <your_certificate_key>.key -out abs.p12 -name <alias_name>

    Example:

    # openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate
    Enter Export Password:
    Verifying - Enter Export Password:

    If you have an intermediate certificate from the CA, append its content to the <your_CA_certificate>.crt file.

  2. Import the certificate and key from the PKCS12 store to the Java keystore by entering the following command:

    # keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias <alias_name> -storetype jks

    Example:

    # keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate  -storetype jks
    Importing keystore abs.p12 to abs.jks...
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:

    The command requires the destination keystore password. The destination keystore password that you enter should be the same as the one configured in the abs.properties file.

    Example:

    Here is a snippet of the abs.properties file where the destination keystore password is stored. The password is obfuscated.

    # Java Keystore password
    jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=

  3. Copy the abs.jks file that you created in step 2 to the /opt/pingidentity/abs/config/ssl directory.

  4. Start ABS by entering the following command:

    # /opt/pingidentity/abs/bin/start.sh
    Starting API Behavioral Security 4.0...
    please see /opt/pingidentity/abs/logs/abs/abs.log for more details
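
The following shell checks are an added example, not part of the Ping Identity documentation: they confirm that the certificate and key belong together and are still valid before step 1, and that abs.p12 carries the expected alias before step 2. The function names and the P12_PASS environment variable are hypothetical; the checks assume the server certificate is the first PEM block in the .crt file and that the private key is not passphrase-protected.

```shell
# Added example (not Ping Identity code). Pre-flight checks for steps 1 and 2.
# Assumptions: the server certificate is the first PEM block in the .crt file,
# the private key has no passphrase, and the PKCS12 export password is
# supplied in the hypothetical P12_PASS environment variable.

# cert_matches_key CERT KEY
# Returns 0 if both files carry the same public key, 1 if they differ,
# 2 if either file cannot be parsed.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# cert_valid_for CERT SECONDS
# Returns 0 if the certificate is still valid SECONDS from now (default 0).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# p12_has_alias P12 ALIAS
# Returns 0 if the store opens with $P12_PASS and holds a certificate whose
# friendlyName equals ALIAS exactly, 1 if the alias is absent,
# 2 if the store cannot be opened (wrong password or corrupt file).
p12_has_alias() {
  out=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null) || return 2
  printf '%s\n' "$out" | sed 's/^ *//' | grep -Fxq "friendlyName: $2"
}

# Typical use with the file names from the examples above:
#   cert_matches_key ping.crt ping.key   || echo "certificate and key do not match"
#   cert_valid_for   ping.crt 2592000    || echo "certificate expires within 30 days"
#   P12_PASS=... p12_has_alias abs.p12 exampleCAcertificate || echo "alias missing"
```

A mismatch caught here is cheaper to fix than one discovered after ABS has been restarted with the new abs.jks.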