You can import your existing CA-signed certificate in ABS. To import the CA-signed certificate, stop ABS if it is already running. Complete the following steps to import the CA-signed certificate:

  1. Export your CA-signed certificate to the PKCS12 store by entering the following command:
    # openssl pkcs12 -export -in <your_CA_cerficate.crt> -inkey <your_certificate_key.key> -out abs.p12 -name <alias_name>

    For example:

    # openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate
    Enter Export Password:
    Verifying - Enter Export Password:
    Note: If you have an intermediate certificate from CA, then append the content to <your_CA_certificate.crt> file.
  2. Import the certificate and key from the PKCS12 store to Java Keystore by entering the following command. The command requires the destination keystore password. The destination keystore password entered in the command should be same as configured in the abs.properties file.

    Here is a snippet of the abs.properties file where the destination keystore password is stored. The password is obfuscated.

    # Java Keystore password
    jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=

    Enter the following command:

    # keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias <alias_name>  -storetype jks
    For example:
    # keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate  -storetype jks
    Importing keystore abs.p12 to abs.jks...
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
  3. Copy the abs.jks file created in step 2 to /opt/pingidentity/abs/config/ssl directory.
  4. Start ABS by entering the following command:
    # /opt/pingidentity/abs/bin/start.sh
    Starting API Behavioral Security 4.0...
    please see /opt/pingidentity/abs/logs/abs/abs.log for more details