How can I replace the default self-signed Policy Manager Linux certificate with trusted CA created certificate?
The F-Secure Linux Policy Manager keystore is located at "/var/opt/f-secure/fspms/data/fspms.jks" (version 12.30 and higher) or at "/opt/f-secure/fspms/config/fspms.jks" for previous Policy Manager versions.
You can use the following command to query details about the certificates stored in fspms.jks (the "-keystore fspms.jks" argument is relative, so run it in the directory that contains the keystore):
- /opt/f-secure/fspms/jre/bin/keytool -list -v -keystore fspms.jks -storepass superPASSWORD
- You should see output similar to the following:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: fspms
Creation date: 20.09.2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN
Issuer: CN=f-secure.com, OU=f-secure.com, O=f-secure.com, C=EN
Serial number: 4c977fcc
Valid from: Mon Sep 20 18:37:48 EEST 2010 until: Wed Aug 27 18:37:48 EEST 2110
Signature algorithm name: SHA1withDSA
You can follow the steps below to replace the default self-signed Policy Manager Linux certificate.
Assume that you have:
- The signed (or self-signed) certificate, together with the full chain of intermediate CA certificates, and its private key inside a PKCS12 keystore.
- The keystore is protected with the password "srcpassword".
- Your certificate and the private key are referenced by the name (alias) "server".
- The keystore file is "server.p12" and it is located in the same directory as "fspms.jks".
NOTE: When you execute the importkeystore command, pay attention to "-destkeypass": it must be the same as "-deststorepass". If you forget to set the proper "-destkeypass", the command can complete successfully, but problems may occur on Policy Manager server startup.
Steps:
- Type the following command:
  /opt/f-secure/fspms/jre/bin/keytool -importkeystore -destkeystore fspms.jks -deststorepass superPASSWORD -destalias fspms -destkeypass superPASSWORD -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass srcpassword -srcalias server
- You are replacing the existing certificate in "fspms.jks", so the following message will appear:
  Existing entry alias server exists, overwrite? [no]:
- Type "yes" and press Enter.
- Type the following command to restart the Policy Manager server so that it starts using the new certificate:
  /etc/init.d/fspms restart
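The procedure above as a small script, added here as an example and not F-Secure's own tooling: it enforces the "-destkeypass" equals "-deststorepass" rule from the NOTE before running the import, and afterwards checks the keytool listing to confirm the fspms entry is no longer the self-signed default and carries its intermediate chain. The keytool and keystore paths are the ones from this article; the passwords, file names and sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not F-Secure's own script: wraps the importkeystore step from
# the article, enforces the -destkeypass/-deststorepass rule from the NOTE, and
# checks the keystore afterwards. Paths are from the article; all passwords,
# file names and sample listings are constructed placeholders.
KEYTOOL=/opt/f-secure/fspms/jre/bin/keytool
KEYSTORE=/var/opt/f-secure/fspms/data/fspms.jks  # 12.30+; older: /opt/f-secure/fspms/config/fspms.jks

# -destkeypass must equal -deststorepass; a mismatch imports fine but can break
# Policy Manager startup, so refuse it up front.
check_key_password() { [ "$1" = "$2" ]; }

# $1 deststorepass, $2 destkeypass, $3 PKCS12 file, $4 its password, $5 its alias
import_server_cert() {
  check_key_password "$1" "$2" || { echo "destkeypass must equal deststorepass" >&2; return 1; }
  "$KEYTOOL" -importkeystore -destkeystore "$KEYSTORE" -deststorepass "$1" \
    -destalias fspms -destkeypass "$2" \
    -srckeystore "$3" -srcstoretype PKCS12 -srcstorepass "$4" -srcalias "$5" \
    -noprompt   # answers the "overwrite?" question with yes
}

# Read "keytool -list -v" output on stdin and succeed only if the fspms entry is
# a PrivateKeyEntry, its end-entity Owner differs from its Issuer (no longer the
# self-signed default) and the chain holds more than one certificate (the
# intermediate CA chain was imported with it).
verify_listing() {
  awk '
    /^Alias name:/               { alias = $3 }
    alias != "fspms"             { next }
    /^Entry type:/               { type = $3 }
    /^Certificate chain length:/ { len = $4 + 0 }
    /^Owner:/  && owner == ""    { sub(/^Owner: /, "");  owner = $0 }
    /^Issuer:/ && issuer == ""   { sub(/^Issuer: /, ""); issuer = $0 }
    END { exit !(type == "PrivateKeyEntry" && len > 1 && owner != issuer) }
  '
}

verify_keystore() {  # $1 = keystore password
  "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$1" | verify_listing
}

# Usage: ./replace-cert.sh superPASSWORD server.p12 srcpassword server
if [ "$#" -eq 4 ]; then
  import_server_cert "$1" "$1" "$2" "$3" "$4" &&
    verify_keystore "$1" &&
    /etc/init.d/fspms restart
fi
```

The restart only runs when the post-import check passes, so a keystore that still holds the default entry or lacks the intermediate chain is caught before the server is bounced.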
Article no: 000004509