How to import a signed certificate that contains the full chain of trust and private key into DPA - Linux

Article Number: 532110    Article Version: 2    Article Type: How To

Data Protection Advisor, Data Protection Advisor Family, Data Protection Advisor 18.1, Data Protection Advisor 18.2, Data Protection Advisor 6.3, Data Protection Advisor 6.4, Data Protection Advisor 6.5

In some cases a customer's CA will have already provided a signed certificate. Some customers' procedures require that they generate or retrieve a certificate in this way. It typically happens when the CA is issuing a wildcard certificate or when a server goes by multiple domain names.

In these cases it may be possible to simply import the signed certificate into apollo.keystore, if, and only if, the signed certificate they have received contains the full certificate chain and the private key.

Certificate formats which can contain the private key are listed below:

PKCS#12 (.pfx or .p12): can store the server certificate, the intermediate certificate and the private key in a single password-protected .pfx file. Since these files contain the full chain and the private key, you can import one directly into apollo.keystore, but remember that you will need the alias and the alias password to do so (the owner of the certificate should have this information).

PEM (.pem, .crt, .cer, or .key): can include the server certificate, the intermediate certificate and the private key in a single file. The server certificate and intermediate certificate can also be in separate .crt or .cer files, with the private key in a .key file. If the server and intermediate certificates and the key are in separate files, this will not suffice for a direct import.

You can check by opening the certificate file in a text editor. Each certificate is contained between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. The private key is contained between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines. Ensure that the number of -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- blocks matches the number of certificates in the chain (server and intermediate) and that the file ends with a -----BEGIN RSA PRIVATE KEY----- / -----END RSA PRIVATE KEY----- block. If the file does not contain the full certificate chain and private key, the certificate will need to be imported into the keystore it was generated from. If you are unsure about the certificate chain see
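The text-editor inspection above can be scripted. The following is an added example and is not part of the Dell EMC article; it assumes a POSIX shell with grep and mktemp, builds a placeholder PEM bundle instead of using a real certificate, and goes beyond the article by also recognising the PKCS#8 and EC private key markers a CA may use instead of BEGIN RSA PRIVATE KEY.

```shell
#!/bin/sh
# Added example, not from the DPA article: automates the text-editor check above.
# Counts certificate blocks, confirms each BEGIN has its END and that exactly one
# private key block exists. Also accepts PKCS#8 ("BEGIN PRIVATE KEY",
# "BEGIN ENCRYPTED PRIVATE KEY") and "BEGIN EC PRIVATE KEY" markers.
KEY_TYPES='(RSA |EC |ENCRYPTED )?'

# count_marker FILE PATTERN: number of lines matching PATTERN (0 on no match).
# "|| true" keeps grep's exit status 1 (no match) from aborting under set -e.
count_marker() {
  grep -c -E -e "$2" "$1" || true
}

# check_pem_bundle FILE EXPECTED_CERTS: returns 0 when FILE holds EXPECTED_CERTS
# complete certificate blocks plus one complete private key block, else 1.
check_pem_bundle() {
  file=$1; expected=$2
  [ -r "$file" ] || { echo "$file: cannot read file"; return 1; }
  begin_certs=$(count_marker "$file" '^-----BEGIN CERTIFICATE-----')
  end_certs=$(count_marker "$file" '^-----END CERTIFICATE-----')
  begin_keys=$(count_marker "$file" "^-----BEGIN ${KEY_TYPES}PRIVATE KEY-----")
  end_keys=$(count_marker "$file" "^-----END ${KEY_TYPES}PRIVATE KEY-----")
  if [ "$begin_certs" -ne "$end_certs" ] || [ "$begin_keys" -ne "$end_keys" ]; then
    echo "$file: unbalanced BEGIN/END markers; file is truncated or corrupted"; return 1
  fi
  if [ "$begin_keys" -ne 1 ]; then
    echo "$file: expected 1 private key block, found $begin_keys"; return 1
  fi
  if [ "$begin_certs" -ne "$expected" ]; then
    echo "$file: expected $expected certificate(s) in the chain, found $begin_certs"; return 1
  fi
  # The article expects the key block to come last; point it out if it does not.
  case "$(tail -n 1 "$file")" in
    *"PRIVATE KEY-----"*) ;;
    *) echo "$file: note: the private key block is not the last block" ;;
  esac
  echo "$file: $begin_certs certificate(s) + 1 private key: ready to import"
}

# Constructed sample, not a real certificate: two certificate blocks (server and
# intermediate) followed by one RSA key block, with placeholder bodies.
make_sample_bundle() {
  f=$(mktemp)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...server-cert-placeholder...' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'MIIC...intermediate-cert-placeholder...' '-----END CERTIFICATE-----' \
    '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...key-placeholder...' \
    '-----END RSA PRIVATE KEY-----' > "$f"
  echo "$f"
}

check_pem_bundle "$(make_sample_bundle)" 2
```

Run it against the CA-supplied file with the number of certificates the CA says are in the chain; a non-zero exit means the file is not a candidate for a direct import.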
Once you have verified that you have the full certificate chain and private key in one file, you should have everything you need to import with the following steps:
1. Make a copy of the apollo.keystore and standalone.xml files from dpa/services/standalone/configuration and of the application-service.conf file from dpa/services/executive. If you need to revert to the original configuration, you can use these copies to restore DPA to working order. Place the copies in a folder on the desktop for safekeeping and to avoid confusion.

2. Open the copy of the standalone.xml file and search for 'key-alias'. You should see a line containing the key-alias and password like this:

    <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo"

    Take note of the password in this line. It is the apollo.keystore password and you will need it in the next steps.
3. Run the following command from the DPA install directory in services/_jre/bin:

    ./keytool -importkeystore -srckeystore "/opt/emc/dpa/services/standalone/configuration/wildcard.pfx" -srcstoretype pkcs12 -destkeystore "/opt/emc/dpa/services/standalone/configuration/apollo.keystore" -deststoretype JKS

    Note: You will need to specify the correct location of the signed certificate file (srckeystore) and of apollo.keystore (destkeystore). The example below shows what you will be asked to enter:

    /opt/EMC/DPA/services/_jre/bin: ./keytool -importkeystore -srckeystore "/opt/emc/dpa/services/standalone/configuration/wildcard.pfx" -srcstoretype pkcs12 -destkeystore "/opt/emc/dpa/services/standalone/configuration/apollo.keystore" -deststoretype JKS
    Enter destination keystore password: (apollo.keystore password - check standalone.xml)
    Enter source keystore password: (alias password - the owner of the certificate will know this)
    Entry for alias my_alias successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
4. List the contents of apollo.keystore to verify that the signed certificate was imported correctly:

    ./keytool -list -v -keystore "/opt/emc/dpa/services/standalone/configuration/apollo.keystore"
    (Enter the apollo.keystore password)

    It should now contain the entry for apollokey and the new entry with the customer's wildcardalias (whatever alias the signed certificate was assigned). You should see that this is a PrivateKeyEntry and that it contains the full certificate chain.
5. Restart application services and attempt to log into the GUI. If restarting services produces an error, application services fail to start, or you cannot access the GUI at this point:

    - Open application-service.conf and search for 'apollo.key'; you should see that the alias has been updated to the alias you imported (in this case, wildcardalias).
    - Open standalone.xml with a text editor and search for 'key-alias'. You should see a line similar to the one below that shows the alias you imported:

    If not, you will need to change the key alias to match the one associated with the signed certificate. Also double-check that the password is the same one you have been using throughout.

    If you need to change the alias or password in these files: stop application services, edit and save the files, and restart services. If the issue persists, contact DPA support.