Complete this procedure to replace the existing Secure Sockets Layer (SSL) certificate that secures communication between the browser and the Security Console, Operations Console, and Self-Service Console.
Perform these tasks on any instance where you want to replace the existing SSL certificate.
Before you begin
- You must be an Operations Console administrator.
- Consult your certificate authority (CA) to ensure that you have all of the required information for your certificate signing request (CSR).
Procedure
- Generate a CSR by doing one of the following:
  - Use the Operations Console to have Authentication Manager generate a key pair and a CSR. For instructions, see Generate a Certificate Signing Request Using the Operations Console.
  - Use a third-party tool of your choice to generate a key pair and a CSR.
- Submit the CSR to your CA, and request an SSL server certificate.
  - If your CA does not provide an option for an SSL server certificate, make sure that your certificate includes the key-usage extension with Key Encipherment selected.
  - The key algorithm must be RSA Public Key.
- Download the certificate file (either .cer or .p7b) from your CA. The certificate file typically contains the full signing chain of the certificate.
  - The issued certificate’s subject must contain a common name (CN) whose value is the fully qualified hostname (FQHN) of the instance where you want to replace the current SSL certificate.
  - If the certificate file does not contain all the certificates in the signing chain, you must download the full signing chain of the certificate, either in a single file or individually.
- If you generated a CSR using a third-party tool, create a PKCS#12 file (either .pfx or .p12) that includes the certificate file from your CA and the private key for the new certificate.
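For the third-party-tool path, the following sketch uses the OpenSSL command line to generate the key pair and CSR, check an issued certificate against the requirements above (RSA key, Key Encipherment, CN equal to the FQHN), and build the PKCS#12 file. It is an added example, not part of the product documentation. The file names, the host name auth.example.test and the P12_PASS variable are assumptions, and a self-signed certificate stands in for the CA-issued one.

```bash
#!/bin/sh
# Added example, not vendor code. File names, FQHN and P12_PASS are assumptions.
set -eu
# make_csr FQHN DIR: RSA key pair plus a CSR with CN=FQHN that requests Key
# Encipherment (digitalSignature is an extra assumption for ECDHE cipher suites).
make_csr() (
  umask 077   # private key readable by its owner only
  cat > "$2/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
[ext]
keyUsage = critical, digitalSignature, keyEncipherment
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$2/req.cnf" \
    -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null
)

# check_cert CERT FQHN: fail unless the certificate meets the stated requirements.
check_cert() (
  text=$(openssl x509 -in "$1" -noout -text)
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
       tr ',' '\n' | sed -n 's/^\(subject= *\)\{0,1\}CN=//p' | head -n 1)
  echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || { echo "key is not RSA" >&2; exit 1; }
  echo "$text" | grep -q 'Key Encipherment' || { echo "Key Encipherment missing" >&2; exit 1; }
  [ "$cn" = "$2" ] || { echo "CN '$cn' is not $2" >&2; exit 1; }
)

# make_p12 KEY CERT CHAIN OUT: bundle key, certificate and chain; password read from $P12_PASS.
make_p12() (
  umask 077
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name ssl-server -out "$4" -passout env:P12_PASS
)

# demo: constructed sample run; the self-signed certificate is its own chain.
demo() (
  d=$(mktemp -d); fqhn=auth.example.test
  P12_PASS=constructed-sample-pass; export P12_PASS
  make_csr "$fqhn" "$d"
  openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 1 \
    -extfile "$d/req.cnf" -extensions ext -out "$d/server.cer" 2>/dev/null
  check_cert "$d/server.cer" "$fqhn"
  make_p12 "$d/server.key" "$d/server.cer" "$d/server.cer" "$d/server.p12"
  openssl pkcs12 -in "$d/server.p12" -noout -passin env:P12_PASS >/dev/null 2>&1 && echo "$d/server.p12"
)
demo
```

With a real CA-issued certificate, pass the CA's chain file as the third argument to make_p12 and run check_cert on the downloaded certificate before building the bundle.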