Using HTTPS with Single Sign-On › How to Set Up HTTPS for CA Single Sign-On › Set Up SSL Certificates › Generate and Import a Certificate

Generate and Import a Certificate

If you do not already have an SSL certificate, you can generate one using the keytool command. This procedure explains how to generate a self-signed certificate and install it in the keystore.

Follow these steps:

1. Run the following command:

   cd installDirectory/PerformanceCenter/jetty/etc
   

2. Create a backup of the existing jetty keystore file by renaming it using the following commands:

   mv installDirectory/PerformanceCenter/jetty/
   etc/keystore installDirectory/PerformanceCenter/
   jetty/etc/keystore.bak
   

   Important! You must remove the old keystore. If you do not, an error appears in later steps: "Keystore was tampered with, or password was incorrect."

3. Generate a private key and a public, self-signed certificate using the following command:

   keytool -genkeypair -keystore keystore_file.ks -storepass storepasswd -keyalg RSA -keysize 2048 -keypass keypasswd -alias alias_name
   

   storepasswd

   Specifies the password for the keystore.

   keypasswd

   Specifies the password for the private key within the keystore.

   Important! Remember these passwords—they cannot be recovered.

4. Export the self-signed certificate from the keystore using the following command:

   keytool -exportcert -keystore keystore_file.ks -storepass storepasswd -alias alias_name -file filename.cer
   

   alias

   Specifies an alias that can be used to refer to the keystore entry that will be created to contain the keys.

   filename.cer

   Determines the file to which the certificate is exported. We recommend using a full pathname that does not place the file in the current directory.

   Example: /tmp/capcCert.cer.

   Note: We recommend backing up the cacerts file before continuing.

5. Import the self-signed certificate into the java trusted certificates keystore using the following command:

   keytool -importcert -keystore installDirectory/jre/lib/security/cacerts -storepass cacertspasswd -alias capcSelfSigned -file filename.cer
   

   Note: The default password for the cacerts keystore is "changeit."

   cacertspasswd

   Specifies the password for the cacerts keystore.

   Default: changeit

   filename.cer

   The file to which the certificate was exported in a previous step.

6. Back up the cacerts file.
7. (Optional) For more security, change the password of the java trusted certificates keystore using the following command:

   keytool -storepasswd -keystore installDirectory/jre/lib/security/cacerts
   

   You are prompted to provide the existing password and the new password.

8. Verify that your imported keystore is available. Use the following command:

   keytool -list -keystore installDirectory/jre/lib/security/cacerts
   

   Important! To enable the web services, the self-signed certificate must be in the cacerts keystore. Otherwise, you see an error in the log that reports that PKIX did not find a certificate.

9. Restart each CA Performance Center service using these commands:

   /sbin/service caperfcenter_sso restart
   

   /sbin/service caperfcenter_devicemanager restart
   

   /sbin/service caperfcenter_console restart
   

   Your self-signed SSL certificate is generated and installed in the keystore.

Next steps:

• (Optional) Convert a Self-Signed Certificate to a Certification Authority SSL Certificate
• Configure the port and website to support HTTPS