Channel: StudioSysAdmins Message Board

HDS SMU SSL configuration

By Mike Owen -
Hi,
Does anyone know the correct commands to install a CA veri-signed cert into the HDS SMU to enable SSL?
I was able to import the *.crt certificate file using:

./cert-importtrustchain.sh -p path to crt file -a unique alias

but the next command just won't work:

./cert-import.sh -p path to my cert file

Error Message:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
Failed to import the certificate.
The backed up keystore has been restored.
Please try again or use cert-gendefault.sh to restore the default cert.

The manual doesn't give much information on how to remove the default certificate/key within the SMU, so I can replace it with my own one.

As usual HDS support is slow....(official HDS instructions below...)
I have *.pfx, *.pem, *.crt, *.key files

Mike


Installing certificates
After obtaining the certificate from the certificate authority (CA):
1. Copy the certificate provided by the CA to the SMU (for example, scp to /home/manager/server.cer). If necessary, provide the certificate authority's trusted certificate chain as a file (for example, /home/manager/veritas.pem). The SMU already includes popular certificate authority trust chains, so this step can typically be skipped. To display these popular certificate authorities, see Sun's documentation: http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html#cacerts
Note: The content of the certificate and trust chain files should only start with -----BEGIN and end with -----END CERTIFICATE-----.
2. Log in to the SMU as user manager.
3. Enter sudo cert-importtrustchain.sh -p path to trust chain file -a unique alias to import the certificate authority trust certificate chain (optional); this might require multiple files or chains, so repeat as necessary. When prompted, enter the password for user manager.
Note: Any unique alias may be used. If the alias already exists in the SMU's keystore, you will be prompted to replace the old certificate or cancel the import.
An example intermediate certificate authority trust chain may be found at: http://www.verisign.com/support/install2/intermediate.html
4. Enter sudo cert-import.sh -p path to cert file to import the signed certificate reply. This replaces the default SMU SSL certificate.
5. Restart the web server when prompted so that it can pick up the new SSL certificate. When prompted to overwrite the existing certificate, enter y.
6. Close and restart any browsers used to connect to the SMU. This is required to purge the browser of any previously negotiated SSL session values. When logging into the SMU Web Manager, the new SSL Certificate is provided.
7. As needed, enter sudo cert-showall.sh to display and verify the contents (SSL certificate and trust chain) of the keystore.
8. To propagate the new certificate to all managed servers, navigate to Home > SMU Administration > Managed Servers, and click details and OK for each server.
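
keytool reports "Public keys in reply and keystore don't match" when the certificate being imported carries a different public key from the key entry already in the keystore. The script below is an added example, not part of the post or the HDS manual: it compares the public key in a certificate with the one in a CSR or key file and checks the PEM framing that the manual's note requires. It assumes openssl is available; the function names and sample file names are hypothetical.

```shell
#!/bin/sh
# Added example, not HDS code. Assumes openssl is installed where the files
# are inspected; function and file names below are hypothetical.

# Print the public key (PEM) held in a certificate, CSR or private key file.
pubkey_of() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null && return 0
    openssl req  -in "$1" -noout -pubkey 2>/dev/null && return 0
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# 0 if both files carry the same public key, 1 if they differ, 2 if unreadable.
same_pubkey() {
    pk_a=$(pubkey_of "$1") || return 2
    pk_b=$(pubkey_of "$2") || return 2
    [ "$pk_a" = "$pk_b" ]
}

# 0 if the file is framed as the manual's note requires: first non-blank line
# starts with -----BEGIN and the last one is -----END CERTIFICATE-----.
pem_is_clean() {
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
    last=$(grep -v '^[[:space:]]*$' "$1" | tail -n 1)
    case $first in '-----BEGIN '*) ;; *) return 1 ;; esac
    [ "$last" = '-----END CERTIFICATE-----' ]
}

# Rewrite a certificate as a bare PEM block, dropping any text in front of
# -----BEGIN (for example the "Bag Attributes" lines of a .pfx export).
strip_to_pem() {
    openssl x509 -in "$1" -out "$2"
}

# Constructed sample data: throwaway key, CSR and self-signed certificate,
# plus an unrelated key standing in for a key pair held elsewhere.
make_sample() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.csr" \
        -subj "/CN=smu.example.test" 2>/dev/null
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null
    openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

# Usage: sh check.sh <certificate> <csr-or-key>
if [ "$#" -eq 2 ]; then
    pem_is_clean "$1" || echo "extra text around the PEM block in $1"
    same_pubkey "$1" "$2" || echo "public keys differ: $1 vs $2"
fi
```

A certificate that matches a locally held .key file can still differ from the key pair inside the target keystore, so the meaningful comparison is against the CSR or key that keystore produced.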
