Set Up SSL Certificates for Performance Center

To configure the single sign-on website to use HTTPS, obtain and install a private key and an associated public certificate. SSL can be used with either a self-signed certificate or a certificate that a trusted Certificate Authority has signed. The procedures are typically specific to an organization and the policies of its security team. However, these procedures provide some guidance.
Select the appropriate procedure for your situation:
For more information about the keytool command, see the Java documentation on the Oracle website.
Generate and Import a Certificate
To generate an SSL certificate, use the keytool command. Generate a self-signed certificate and install it in the keystore.
Follow these steps:
  1. Change the directory:
    cd InstallDirectory/PerformanceCenter/jetty/etc
    /opt/CA is the default installation directory.
  2. If a jetty keystore file exists, rename the existing jetty keystore file to create a backup of it:
    mv InstallDirectory/PerformanceCenter/jetty/etc/keystore InstallDirectory/PerformanceCenter/jetty/etc/keystore.bak
    Move the old keystore. If you do not, an error appears in later steps: "Keystore was tampered with, or password was incorrect."
  3. Generate a private key and a public, self-signed certificate:
    keytool -genkeypair -ext SAN=dns:fully_qualified_hostname -keystore keystore_file.ks -storepass password -keyalg RSA -keysize 2048 -keypass password -alias alias_name
    Note your entries for the following variables:
    • fully_qualified_hostname
      Specify the fully qualified host name of the server. Enter the same value when you are prompted for your first and last name.
    • keystore_file.ks
      Specify the name of the keystore file to create.
    • password
      Specify the password for the keystore and self-signed certificate. Specify a secure password.
    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the self-signed certificate.
    When you are prompted for your first and last name, provide the fully qualified hostname of the server.
  4. Proceed through the security prompt questions and confirm your responses.
  5. Export the self-signed certificate from the keystore:
    keytool -exportcert -keystore keystore_file.ks -storepass password -alias alias_name -file filename.cer
    • keystore_file.ks
      Specify the same keystore file name previously created.
    • password
      Specify the same password that you used when creating the self-signed certificate.
    • alias_name
      Specify the same alias that you used when creating the self-signed certificate.
    • filename.cer
      Specify the file to which the certificate is exported. We recommend using a full pathname that does not place the file in the current directory.
      Example: /tmp/capcCert.cer
    We recommend backing up any certificates that could be overwritten before continuing.
  6. Import the self-signed certificate into the Java trusted certificate keystore:
    keytool -importcert -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword -alias alias_name -file filename.cer
    • cacertspassword
      Specify the password for the Certificate Authority keystore. The default password for the Certificate Authority keystore is changeit.
    • alias_name
      Specify the same alias that you used when creating the self-signed certificate.
    • filename.cer
      Specify the file to which the certificate was exported in the previous step. We recommend using a full pathname that does not place the file in the current directory.
      Example: /tmp/capcCert.cer
  7. Confirm that you trust the certificate.
  8. Back up the certificate file:
    cp filename.cer filename.cer.bak
  9. (Optional) For more security, change the password of the Java trusted certificates keystore:
    keytool -storepasswd -keystore InstallDirectory/jre/lib/security/cacerts
    You are prompted to provide the existing keystore password and a new keystore password.
  10. Verify that your imported keystore is available:
    keytool -list -keystore InstallDirectory/jre/lib/security/cacerts
    To enable the web services, the self-signed certificate must be in the Certificate Authority keystore. Otherwise, the log shows a PKIX error that reports that no certificate was found.
    Your self-signed SSL certificate is generated and installed in the keystore.
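The procedure above (steps 2, 3, 5, 6, 8 and 10) as one script, added here as an example; it is not code from the CA Performance Center documentation. It assumes keytool is on PATH, that InstallDirectory is /opt/CA unless INSTALL_DIR overrides it, and that the two passwords are supplied through the KEYSTORE_PASS and CACERTS_PASS environment variables (keytool's -storepass:env form) instead of on the command line, where the placeholders shown above would land in shell history and process listings; -dname pre-answers the first/last-name prompt with the hostname.

```shell
#!/bin/sh
# Added example, not from the CA Performance Center documentation.
# Assumes keytool on PATH; INSTALL_DIR defaults to /opt/CA; KEYSTORE_PASS and
# CACERTS_PASS hold the two passwords (read by keytool via -storepass:env).
set -u
INSTALL_DIR=${INSTALL_DIR:-/opt/CA}
CACERTS="$INSTALL_DIR/jre/lib/security/cacerts"

# The SAN must be a fully qualified name: at least one dot, DNS label characters
# only, no leading/trailing or doubled separators, at most 253 characters.
is_fqdn() {
    [ ${#1} -gt 0 ] && [ ${#1} -le 253 ] || return 1
    case "$1" in *.*) ;; *) return 1 ;; esac
    case "$1" in
        .*|*.|-*|*-|*..*|*.-*|*-.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}
# keytool refuses keystore and key passwords shorter than six characters.
is_usable_password() { [ ${#1} -ge 6 ]; }
# Step 2: back up an existing jetty keystore instead of overwriting it.
backup_if_present() { [ ! -f "$1" ] || mv "$1" "$1.bak"; }

# Steps 3, 5, 6, 8 and 10 with the placeholders filled from the arguments.
# -dname pre-answers the first/last-name prompt with the hostname.
generate_and_import() {
    host=$1 ks=$2 alias=$3 cer=$4
    is_fqdn "$host" || { echo "not a fully qualified hostname: $host" >&2; return 1; }
    is_usable_password "$KEYSTORE_PASS" || { echo "KEYSTORE_PASS too short" >&2; return 1; }
    backup_if_present "$ks"
    keytool -genkeypair -ext "SAN=dns:$host" -dname "CN=$host" -keystore "$ks" \
        -storepass:env KEYSTORE_PASS -keyalg RSA -keysize 2048 \
        -keypass:env KEYSTORE_PASS -alias "$alias" || return 1
    keytool -exportcert -keystore "$ks" -storepass:env KEYSTORE_PASS \
        -alias "$alias" -file "$cer" || return 1
    cp "$cer" "$cer.bak"
    keytool -importcert -noprompt -keystore "$CACERTS" -storepass:env CACERTS_PASS \
        -alias "$alias" -file "$cer" || return 1
    # Verify: the alias is now in cacerts and the certificate carries the SAN.
    keytool -list -keystore "$CACERTS" -storepass:env CACERTS_PASS -alias "$alias" >/dev/null &&
        keytool -printcert -file "$cer" | grep -q "DNSName: $host"
}

# Usage: KEYSTORE_PASS=... CACERTS_PASS=changeit sh setup_ssl.sh --run \
#        capc.example.com keystore.ks capc /tmp/capcCert.cer
if [ "${1:-}" = "--run" ]; then
    shift
    generate_and_import "$@"
fi
```

The validation helpers run without keytool, so the input checks can be exercised before touching a live keystore.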
Convert a Self-Signed Certificate to a Certification Authority SSL Certificate
A self-signed certificate causes a browser warning to appear when you open CA Performance Center. The warning does not appear if you use a certificate that a trusted Certification Authority has signed. The following procedure explains how to convert the self-signed certificate to a certificate that a trusted Certification Authority has signed.
Follow these steps:
  1. Change the directory:
    cd InstallDirectory/PerformanceCenter/jetty/etc
    /opt/CA is the default installation directory.
  2. Export a certificate signing request:
    keytool -certreq -keystore keystore_file.ks -storepass password -ext SAN=dns:[FQHN] -alias alias_name -keypass password -file RequestFileName.csr
    • keystore_file.ks
      Specify the same keystore file name previously created.
    • password
      Specify the same password that you used when creating the self-signed certificate.
    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the root or intermediate certificate.
    • RequestFileName.csr
      Specify the path and file name of the exported signing request.
  3. Send the resulting file (RequestFileName.csr) to a qualified signing authority with any other requested information.
    The Certificate Authority sends you a signed certificate (SignedCert.cer). They might also provide a root Certificate Authority certificate (RootCA.cer) to authenticate the signed certificate.
  4. Determine whether the root Certificate Authority certificate is part of the default Java trusted authorities:
    keytool -list -v -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword
    • cacertspassword
      Specify the password for the Certificate Authority keystore. The default password for the Certificate Authority keystore is changeit.
  5. Import the intermediate or root certificates into the Java trusted certificate keystore. Run the following command for each certificate:
    keytool -importcert -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword -alias alias_name -file filename.cer
    • cacertspassword
      Specify the password for the Certificate Authority keystore. The default password for the Certificate Authority keystore is changeit.
    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the root or intermediate certificate.
    • filename.cer
      Specify the root or intermediate certificate file to import. We recommend using a full pathname that does not place the file in the current directory.
      Example: /tmp/capcCert.cer
  6. Import the signed certificate into the jetty keystore:
    keytool -importcert -trustcacerts -keystore keystore -storepass password -alias alias_name -keypass password -file SignedCert.cer
    • password
      Specify the same password that you used when creating the self-signed certificate.
    • alias_name
      Specify the same alias that you used when creating the self-signed certificate.
    • SignedCert.cer
      Specify the certificate file from the Certificate Authority.
  7. Confirm that you trust the certificate.
  8. Validate the contents of the jetty keystore:
    keytool -list -keystore InstallDirectory/PerformanceCenter/jetty/etc/keystore
    The single certificate that you imported appears in the list.
    The Certificate Authority SSL certificate replaces your self-signed certificate in the keystore.
  9. Import the signed certificate into the Java trusted certificate keystore:
    keytool -importcert -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword -alias alias_name -file filename.cer
    • cacertspassword
      Specify the password for the Certificate Authority keystore. The default password for the Certificate Authority keystore is changeit.
    • alias_name
      Specify the same alias that you used when creating the self-signed certificate.
    • filename.cer
      Specify the signed certificate file from the Certificate Authority. We recommend using a full pathname that does not place the file in the current directory.
      Example: /tmp/capcCert.cer
  10. Confirm that you trust the certificate.
  11. Verify that your imported keystore is available:
    keytool -list -keystore InstallDirectory/jre/lib/security/cacerts
Import a Key and an Existing Certificate
You can use a private key and public certificate (a self-signed or a Certificate Authority certificate) from a different source. For example, your security team provides an SSL certificate that is customized for your organization. To use this SSL certificate, import the private key and the signed certificate.
Follow these steps:
  1. Change the directory:
    cd InstallDirectory/PerformanceCenter/jetty/etc
    /opt/CA is the default installation directory.
  2. If a jetty keystore file exists, rename the existing jetty keystore file to create a backup of it:
    mv InstallDirectory/PerformanceCenter/jetty/etc/keystore InstallDirectory/PerformanceCenter/jetty/etc/keystore.bak
    Move the old keystore. If you do not, an error appears in later steps: "Keystore was tampered with, or password was incorrect."
  3. Create a PKCS#12 keystore from the private key and certificate:
    openssl pkcs12 -export -in certificate.pem -inkey privatekey.pem -name alias_name -out keystore.pkcs12
    • certificate.pem
      Specify the certificate that is provided to you.
    • privatekey.pem
      Specify the private key that is provided to you.
    • alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the certificate.
    • keystore.pkcs12
      Specify the keystore to create to store the keys provided.
    This command works on Linux only.
  4. Import the key and certificate into the CA Performance Center keystore:
    keytool -importkeystore -destkeystore keystore_file.ks -deststorepass password -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -srcalias src_alias_name -destalias dest_alias_name -destkeypass password
    • keystore_file.ks
      Specify the name of the keystore file to create.
    • password
      Specify the password for the keystore and imported certificate. Specify a secure password.
    • keystore.pkcs12
      Specify the PKCS#12 keystore previously created.
    • src_alias_name
      Specify the alias_name that you used when creating the PKCS#12 keystore from the private key and certificate.
    • dest_alias_name
      Specify an alias that can be used to refer to the keystore entry that is created for the imported certificate.
    Your existing SSL certificate is imported into the keystore.
  5. Determine whether the certificate includes a chain terminating at a certificate in the keystore. If the certificate is missing, import it into the Java keystore.
    keytool -printcert -file filename
    • filename
      Specifies the name of the certificate.
  6. Import the signed certificate and the intermediate or root certificates into the Java trusted certificate keystore. Run the following command for each certificate:
    keytool -importcert -keystore InstallDirectory/jre/lib/security/cacerts -storepass cacertspassword -alias alias_name -file filename.cer
    • cacertspassword
      Specify the password for the Certificate Authority keystore. The default password for the Certificate Authority keystore is changeit.
    • alias_name
      Specify the same alias that you used when importing the signed certificate into the CA Performance Center keystore. Or, specify an alias that can be used to refer to the keystore entry that is created for the root or intermediate certificate.
    • filename.cer
      Specify the certificate file to import. We recommend using a full pathname that does not place the file in the current directory.
      Example: /tmp/capcCert.cer
  7. Confirm that you trust the certificate.
  8. Verify that your imported keystore is available:
    keytool -list -keystore InstallDirectory/jre/lib/security/cacerts