Replacing the Console Certificate

Complete this procedure to replace the existing Secure Sockets Layer (SSL) certificate that secures communication between the browser and the Security Console, Operations Console, and Self-Service Console.

Perform these tasks on any instance where you want to replace the existing SSL certificate.

Before you begin

  • You must be an Operations Console administrator.

  • Consult your certificate authority (CA) to ensure that you have all of the required information for your certificate signing request (CSR).


  1. Generate a CSR by doing one of the following:

  2. Submit the CSR to your CA, and request an SSL server certificate.

    • If your CA does not provide an option for an SSL server certificate, make sure that your certificate includes the key-usage extension with Key Encipherment selected.

    • The key algorithm must be RSA Public Key.

  3. Download the certificate file (either .cer or .p7b) from your CA. The certificate file typically contains the full signing chain of the certificate.

    • The issued certificate’s subject must contain a common name (CN) whose value is the fully qualified hostname (FQHN) of the instance where you want to replace the current SSL certificate.

    • If the certificate file does not contain all the certificates in the signing chain, you must download the full signing chain of the certificate, either in a single file or individually.

  4. If you generated a CSR using a third-party tool, create a PKCS#12 file (either .pfx or .p12) that includes the certificate file from your CA and the private key for the new certificate.

  5. Import a Console Certificate.

  6. Activate a New SSL Console Certificate.
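
The requirements in steps 2 through 4 can be checked with the OpenSSL command line before the certificate is imported. The script below is an added example, not part of the product documentation. It assumes the CA's certificate has been converted to PEM, and the function names, file names and the host name console.example.test are illustrative.

```shell
#!/bin/sh
# Added example; function names, file names and host name are assumptions.

# check_console_cert CERT_PEM FQDN: returns 0 only if every check passes
check_console_cert() {
    cert=$1; fqdn=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    # Step 2: key algorithm must be RSA
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
        || { echo "FAIL: key algorithm is not RSA"; rc=1; }
    # Step 2: key-usage extension must include Key Encipherment
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage:' \
        | grep -q 'Key Encipherment' \
        || { echo "FAIL: Key Encipherment not set"; rc=1; }
    # Step 3: subject CN must be the instance's fully qualified hostname
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    [ "$(printf %s "$cn" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf %s "$fqdn" | tr '[:upper:]' '[:lower:]')" ] \
        || { echo "FAIL: CN '$cn' does not match '$fqdn'"; rc=1; }
    return $rc
}

# key_matches_cert KEY_PEM CERT_PEM: private key belongs to the certificate
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# make_console_p12 KEY CERT CHAIN OUT PASSFILE: step 4 bundle (.p12)
make_console_p12() {
    key_matches_cert "$1" "$2" || { echo "FAIL: key/cert mismatch"; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -out "$4" -passout "file:$5"
}

# Constructed sample input: self-signed stand-in for a CA-issued certificate
make_sample() {  # make_sample DIR CN KEYUSAGE
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n' > "$1/req.cnf"
    printf '[dn]\nO=Example\nCN=%s\n[ext]\nkeyUsage=%s\n' "$2" "$3" >> "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" console.example.test "digitalSignature,keyEncipherment"
check_console_cert "$tmp/cert.pem" console.example.test && echo "certificate OK"
rm -rf "$tmp"
```

For a real certificate, skip `make_sample` and run `check_console_cert` against the PEM file from the CA, with the instance's own hostname as the second argument.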

Related Concepts

Console Certificate