Data Protection Advisor (DPA): How to import a signed certificate that contains the full chain of trust and private key into DPA - Windows

           

Article Number: 532109 | Article Version: 3 | Article Type: How To

Product:

Data Protection Advisor, Data Protection Advisor Family, Data Protection Advisor 18.1, Data Protection Advisor 18.2, Data Protection Advisor 6.3, Data Protection Advisor 6.4, Data Protection Advisor 6.5

Instructions:

In some cases a customer's CA (Certificate Authority) will have already provided a signed certificate. Some customers' procedures require that they generate or retrieve a certificate in this way. It typically happens when the CA is issuing a wildcard certificate or when a server goes by multiple domain names.

In these cases it may be possible to simply import the signed certificate into apollo.keystore, but only if the signed certificate they have received contains the full certificate chain and the private key.

Certificate formats which can contain the private key are listed below:

- PKCS#12 (.pfx or .p12): can store the server certificate, the intermediate certificate and the private key in a single password-protected .pfx file. Since these files contain the full chain and the private key, you will be able to import the file directly into apollo.keystore, but remember that you will need the alias and the alias password to do so (the owner of the certificate should have this information).

- PEM (.pem, .crt, .cer or .key): can include the server certificate, the intermediate certificate and the private key in a single file. The server certificate and intermediate certificate can also be in separate .crt or .cer files, with the private key in a .key file. If the server and intermediate certificates and the key are in separate files, they cannot be imported directly.

You can check by opening the certificate file in a text editor. Each certificate is contained between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. The private key is contained between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. Ensure that the number of -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks matches the number of certificates in the chain (server and intermediate) and that the file ends with the -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- block. If the file does not contain the full certificate chain and private key, the certificate will need to be imported into the keystore it was generated from. If you are unsure about the certificate chain, see https://support.emc.com/kb/532108
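The text-editor check above can be automated. The script below is an added example written for this article; it is not part of the DPA product or of the original KB. It counts the PEM blocks in a bundle file, confirms that the number of certificates matches the chain length the CA reported, that exactly one private key is present and that it is the last block, and that each block's base64 body decodes to DER. It goes slightly beyond the article by also accepting the PKCS#8 labels 'PRIVATE KEY' and 'EC PRIVATE KEY' (an assumption about what other tools may export) and by flagging an 'ENCRYPTED PRIVATE KEY' block, since a passphrase-protected PKCS#8 key must be decrypted before it can be used. The sample bundles embedded in the script are constructed with dummy DER bodies and are not real certificates or keys.

```python
import base64
import re
import sys

# One PEM block: a BEGIN label, a base64 body, and the matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# Labels accepted as an importable private key. The article names only
# "RSA PRIVATE KEY"; the PKCS#8 and EC labels are an added assumption about
# what other tools may export.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABEL = "ENCRYPTED PRIVATE KEY"


def parse_pem(text):
    """Return a list of (label, der_bytes) for each PEM block in the text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Strip line breaks before decoding; validate=True rejects stray characters.
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_bundle(text, expected_chain_len):
    """Return a list of problems; an empty list means the bundle is complete.

    expected_chain_len is the number of certificates (server plus intermediates)
    the CA says are in the chain.
    """
    blocks = parse_pem(text)
    labels = [label for label, _ in blocks]
    problems = []

    cert_count = labels.count("CERTIFICATE")
    if cert_count != expected_chain_len:
        problems.append(f"expected {expected_chain_len} certificates, found {cert_count}")

    key_count = sum(1 for label in labels if label in KEY_LABELS)
    if key_count != 1:
        problems.append(f"expected exactly one private key, found {key_count}")
    if ENCRYPTED_KEY_LABEL in labels:
        problems.append("private key is passphrase-encrypted PKCS#8; decrypt it before importing")

    # The article's convention: the private key is the last block in the file.
    if not labels or labels[-1] not in KEY_LABELS:
        problems.append("file does not end with the private key block")

    # Every block should decode to a DER SEQUENCE (first byte 0x30); anything
    # else means the base64 body is truncated or is not a certificate or key.
    for label, der in blocks:
        if not der or der[0] != 0x30:
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    return problems


# Constructed sample bundles. "MAMCAQE=" is the base64 of a five-byte DER
# SEQUENCE used as a stand-in body; these are not real certificates or keys.
DUMMY_BODY = "MAMCAQE="
SAMPLE_FULL_BUNDLE = (
    f"-----BEGIN CERTIFICATE-----\n{DUMMY_BODY}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN CERTIFICATE-----\n{DUMMY_BODY}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN RSA PRIVATE KEY-----\n{DUMMY_BODY}\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_CHAIN_ONLY = (
    f"-----BEGIN CERTIFICATE-----\n{DUMMY_BODY}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN CERTIFICATE-----\n{DUMMY_BODY}\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python check_pem_bundle.py <bundle.pem> <expected-chain-length>
    path, chain_len = sys.argv[1], int(sys.argv[2])
    with open(path, encoding="ascii", errors="replace") as handle:
        issues = check_bundle(handle.read(), chain_len)
    print("OK: full chain and private key present" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against the file the CA delivered with the chain length the CA stated (2 for a server certificate plus one intermediate). A non-empty report means the file is not a complete bundle and, as the article says, the certificate must be imported into the keystore it was generated from instead.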
   
Once you have verified that the full certificate chain and the private key are in one file, you have everything you need to import the certificate into DPA via the following steps:
   
1. Make a copy of the apollo.keystore and standalone.xml files from dpa\services\standalone\configuration and of the application-service.conf file from dpa\services\executive. In the event that you need to revert to the original configuration, you can use these files to restore DPA to working order. Place the copies in a folder on the desktop for safekeeping and to avoid confusion.
   
2. Open the copy of the standalone.xml file and search for 'key-alias'. You should see a line containing the key-alias and password like this:

   <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo"

   Take note of the password in this line. It is the apollo.keystore password and you will need it in the next steps.
          
   
3. Run the following command from services\_jre\bin under the DPA install directory:

   keytool -importkeystore -srckeystore "c:\Program files\emc\dpa\services\standalone\configuration\wildcard.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore" -deststoretype JKS

   Note: You will need to specify the correct location of the signed certificate file (srckeystore) and of apollo.keystore (destkeystore). See the example below for what you will be asked to enter:

   D:\Program Files\EMC\DPA\services\_jre\bin>keytool -importkeystore -srckeystore "c:\Program files\emc\dpa\services\standalone\configuration\wildcard.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore" -deststoretype JKS

   Enter destination keystore password: (apollo.keystore password - check standalone.xml)
   Enter source keystore password: (alias password - the owner of the certificate will know this)
   Entry for alias my_alias successfully imported.
   Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
          
   
4. List the contents of apollo.keystore to verify that the signed certificate was imported correctly:

   keytool -list -v -keystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore"
   (Enter the apollo.keystore password)

   It should now contain the entry for apollokey and the new entry with the customer's alias, wildcardalias in this example (whatever alias the signed certificate was assigned to). You should see that this entry is a PrivateKeyEntry and that it contains the full certificate chain.
          
   
5. Restart the application services and attempt to log into the GUI. In the event that restarting the services produces an error, the application service fails to start, or you cannot access the GUI at this point:

   - Open application-service.conf and search for 'apollo.key'. You should see that the alias has been updated to the alias you imported (in this case, wildcardalias).
   - Open standalone.xml with a text editor and search for 'key-alias'. You should see a line similar to the one below that shows the alias you imported:
     key-alias="${apollo.keystore.alias:emcdpa}"

   If not, you will need to change the key alias to match the one associated with the signed certificate. Also double-check that the password is the same one you have been using throughout.
   If you need to change the alias or password in these files:

   A. Stop the application services.
   B. Edit and save the files.
   C. Restart the services.
   D. If the issue persists, contact DPA support.
   
          
   
Final steps:

Run the 'dpa app impcert' command as described in the Installation and Administration Guide to import the certificate and private key (now in the apollo.keystore file) into the DPA App server:

   C:\Program Files\EMC\DPA\services\bin>dpa app impcert -kf "C:\Program Files\EMC\DPA\services\standalone\configuration\apollo.keystore" -al xxx -pw yyy

   EMC Data Protection Advisor
   Certificate import complete. Please restart the app server for changes to take effect.
   Command completed successfully.
   Completed in : 1.4secs

To run that command, take the alias xxx for the '-al' switch from the output of the keytool command in step 4 above, which lists the contents of the apollo.keystore file:
   keytool -list -v -keystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore"
Search for 'Alias name:'.

Take the password yyy for the '-pw' switch from the <install_dir>\services\standalone\configuration\standalone.xml file. Search for 'password='.

Finally, restart the App services and launch the DPA GUI. The browser should show the certificate correctly.
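As an added example (not DPA's own tooling and not part of the original article), the script below automates the checks in steps 4 and 5 and the lookup of the -al and -pw values for 'dpa app impcert'. It parses saved `keytool -list -v` output to confirm that the alias is a PrivateKeyEntry whose chain length covers the server certificate plus an intermediate, reads the key-alias and password attributes from the <ssl> element of standalone.xml (resolving the ${property:default} form shown in step 2 to its default), and assembles the impcert command line. The keytool listing and the <ssl> element embedded in it are constructed samples; the alias wildcardalias and the password apollo are the values used in this article, not real credentials.

```python
import re

# Constructed sample of `keytool -list -v` output, trimmed to the lines this
# check reads. It is not output from a real DPA installation.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: apollokey
Creation date: Jan 1, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dpa-server
Issuer: CN=dpa-server

Alias name: wildcardalias
Creation date: Jan 1, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.com
Issuer: CN=Example Issuing CA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA
"""

# Constructed <ssl> element in the shape shown in the article; a real
# standalone.xml carries more attributes, which the regexes below ignore.
SAMPLE_STANDALONE_XML = (
    '<ssl name="ssl" key-alias="${apollo.keystore.alias:wildcardalias}" '
    'password="apollo"/>\n'
)


def parse_keytool_list(output):
    """Return one dict per alias with its entry type and certificate chain length."""
    entries = []
    current = None
    for line in output.splitlines():
        if line.startswith("Alias name: "):
            current = {"alias": line[len("Alias name: "):].strip(),
                       "entry_type": None, "chain_length": 0}
            entries.append(current)
        elif current is not None and line.startswith("Entry type: "):
            current["entry_type"] = line[len("Entry type: "):].strip()
        elif current is not None and line.startswith("Certificate chain length: "):
            current["chain_length"] = int(line[len("Certificate chain length: "):])
    return entries


def configured_alias(standalone_xml):
    """Alias the <ssl> element points at; resolves ${property:default} to its default."""
    match = re.search(r'key-alias="([^"]*)"', standalone_xml)
    if match is None:
        return None
    value = match.group(1)
    expr = re.fullmatch(r"\$\{[^:}]+:([^}]*)\}", value)
    return expr.group(1) if expr else value


def keystore_password(standalone_xml):
    """The password= attribute of the <ssl> element (the apollo.keystore password)."""
    match = re.search(r'<ssl\b[^>]*\bpassword="([^"]*)"', standalone_xml)
    return match.group(1) if match else None


def check_import(keytool_output, standalone_xml, alias, min_chain_length=2):
    """Return a list of problems; empty means the alias is ready for `dpa app impcert`."""
    problems = []
    entry = next((e for e in parse_keytool_list(keytool_output) if e["alias"] == alias), None)
    if entry is None:
        problems.append(f"alias {alias!r} is not in the keystore listing")
    else:
        if entry["entry_type"] != "PrivateKeyEntry":
            problems.append(f"alias {alias!r} is a {entry['entry_type']}, not a PrivateKeyEntry")
        if entry["chain_length"] < min_chain_length:
            problems.append(f"alias {alias!r} has chain length {entry['chain_length']}; "
                            f"expected at least {min_chain_length} (server plus intermediate)")
    configured = configured_alias(standalone_xml)
    if configured != alias:
        problems.append(f"standalone.xml key-alias resolves to {configured!r}, not {alias!r}")
    if keystore_password(standalone_xml) is None:
        problems.append("no password= attribute found on the <ssl> element")
    return problems


def impcert_command(keystore_path, standalone_xml, alias):
    """argv for the `dpa app impcert` command, with -al and -pw filled in."""
    return ["dpa", "app", "impcert", "-kf", keystore_path,
            "-al", alias, "-pw", keystore_password(standalone_xml)]


if __name__ == "__main__":
    issues = check_import(SAMPLE_KEYTOOL_LIST, SAMPLE_STANDALONE_XML, "wildcardalias")
    print("\n".join(issues) if issues else "wildcardalias is ready to import")
    print(" ".join(impcert_command(
        r"C:\Program Files\EMC\DPA\services\standalone\configuration\apollo.keystore",
        SAMPLE_STANDALONE_XML, "wildcardalias")))
```

To use it on a real system, redirect the step 4 keytool listing to a file and pass its contents together with the contents of standalone.xml to check_import; the same two strings feed impcert_command once the check comes back clean.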