

Create and Implement Your Own Self-Signed Certificate

You can create your own self-signed certificate to replace the self-signed certificate that comes with CA Process Automation.

Follow these steps:

  1. Using administrator credentials, log on to the host where the target Orchestrator is installed.
  2. Stop the Orchestrator.
  3. If you plan to reuse the current alias name for the keystore, remove this alias before continuing.
  4. Run the following command to generate a keystore with the Java tool, keytool. Specify your own values for aliasname and for keystore_name. The default value for aliasname is ITPAM. If you do not enter a path for the keystore, the current path is used.
    keytool -genkey -alias "aliasname" -keyalg RSA -keystore "keystore_path.keystore"
    

    For example, accept the default keystore path and enter:

    keytool -genkey -alias "PAM" -keyalg RSA
    

    Prompts to enter and confirm a keystore password appear.

  5. Enter the same keystore password in response to both prompts. (Remember this password for later entry into an encryption utility.)

    A series of prompts appears, followed by a confirmation prompt.

  6. Respond to prompts with the requested distinguished name information as follows:
    1. Enter your first and last name.
    2. Enter the name of your organizational unit.
    3. Enter your organization name.
    4. Enter the name of your city or locality.
    5. Enter the name of your state or province.
    6. Enter the two-letter country code for your organizational unit.

    A confirmation of your entries appears in the format, Is CN=value, OU=value, O=value, L=value, ST=value, C=value correct?

  7. Review the entries and if correct, enter yes. (If incorrect, enter no and respond to the prompts again.)
  8. Respond to the prompt for the key password for aliasname in one of the following ways. The recommended option lets you avoid entering the certificate password as each jar is signed in Step 13.

    A new keystore is created in the current directory.

  9. (Optional) Move this keystore to another path.
  10. Encrypt the keystore password you entered in Step 5.
    1. Change directories to the install_dir/server/c2o directory.
    2. Run PasswordEncryption.bat.
    3. Enter the keystore password in response to the prompt.

    The utility encrypts the entered keystore password and saves the results on the console.

  11. Back up the OasisConfig.properties file. (install_dir/server/c2o/.config/OasisConfig.properties)
  12. Update the OasisConfiguration properties file as follows:
    1. For itpam.web.keystorepath=, enter the absolute path to the keystore, using "/" rather than "\", for example, C:/keystore_path/keystore.
    2. For itpam.web.keystore.password=, copy and paste the encrypted keystore password generated in Step 9.
    3. For itpam.web.keystore.alias=, enter the alias name specified in the keytool command in Step 4.
  13. Execute SignC2OJars.bat to sign the Jars.

    This step is required after updating the certificate or keystore.

  14. Start the Orchestrator.
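
A pre-start check for the three entries edited in Step 12, which you can run before starting the Orchestrator in Step 14. This is an added example, not part of CA Process Automation or its documentation. The function names and sample values are hypothetical, and the file is assumed to use plain key=value lines.

```python
import re
from pathlib import Path

# The three keys edited in Step 12.
REQUIRED = (
    "itpam.web.keystorepath",
    "itpam.web.keystore.password",
    "itpam.web.keystore.alias",
)

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_keystore_settings(text, keystore_exists=lambda p: Path(p).is_file()):
    """Return a list of problems with the Step 12 entries (empty list = OK)."""
    props = parse_properties(text)
    problems = [f"{k} is missing or empty" for k in REQUIRED if not props.get(k)]
    path = props.get("itpam.web.keystorepath", "")
    if path:
        if "\\" in path:
            problems.append("itpam.web.keystorepath uses '\\' instead of '/'")
        elif not re.match(r"([A-Za-z]:)?/", path):
            problems.append("itpam.web.keystorepath is not an absolute path")
        elif not keystore_exists(path):
            problems.append("keystore file not found at itpam.web.keystorepath")
    return problems

# Constructed sample inputs (placeholder values, not real product output).
SAMPLE_GOOD = """\
itpam.web.keystorepath=C:/keystore_path/keystore
itpam.web.keystore.password=ENCRYPTED_PASSWORD_PLACEHOLDER
itpam.web.keystore.alias=PAM
"""
SAMPLE_BAD = r"""
itpam.web.keystorepath=C:\keystore_path\keystore
itpam.web.keystore.password=
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_keystore_settings(text, keystore_exists=lambda p: True))
```

To check a real installation, pass the contents of install_dir/server/c2o/.config/OasisConfig.properties as text and leave keystore_exists at its default so the keystore path is tested on disk.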

More information:

Oasis Configuration Properties File