Importing existing CA-signed certificates - PingIntelligence for APIs

Importing existing CA-signed certificates - PingIntelligence for APIs - 5.2

PingIntelligence

bundle

pingintelligence-52

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.2 (Latest)

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-52

pingintelligence

private

ContentType_ce

Import existing CA-signed certificates.

To import the certificate authority (CA)-signed certificate, stop the API Publish Service if it is already running.

You can import your existing CA-signed certificate in the API Publish Service. Complete the following steps to import the CA-signed certificate.

Note:

The API Publish Service is shipped with a default self-signed certificate with the Java key store at /config/ssl/apipublish.jks. The default password is set in the apipublish.properties file. The default password is obfuscated in the file. It is recommended to change the default passwords and obfuscate the new passwords. See Obfuscating passwords for steps to obfuscate passwords.

Export your CA-signed certificate to the PKCS12 store by entering the following command:

# openssl pkcs12 -export -in <your_CA_cerficate.crt> -inkey <your_certificate_key.key> -out abs.p12 -name <alias_name>

# openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate
Enter Export Password:
Verifying - Enter Export Password:

Note:

If you have an intermediate certificate from a CA, then append the content to the <your_CA_certificate>.crt file.

Import the certificate and key from the PKCS12 store to the Java key store by entering the command below.

# keytool -importkeystore -destkeystore apipublish.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias <alias_name> -storetype jks

The command requires the destination key store password. The destination key store password entered in the command should be same that is configured in the apipublish.properties file.

The following is a snippet of the apipublish.properties file where the destination key store password is stored. The password is obfuscated.

# Java Keystore password
jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=

# keytool -importkeystore -destkeystore apipublish.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate -storetype jks
Importing keystore apipublish.p12 to abs.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:

Copy the apipublish.jks file created in step 2 to /config/ssl directory.
Start the API Publish Service by running the following command:
```
# ./bin/start.sh
```