Replacing the Identityd certificate with a CA-signed certificate

When replacing the Identityd certificate with a CA-signed certificate, it is not necessary to add these certificates to the device that is running the ADConnector program.

Prerequisites

A CA-signed certificate may include a hierarchical chain of certificates from several certification authorities (the certification chain). All of these CA certificates must be added as individual entries in the Trusted Certificates section of this appliance.

Depending on your CA, you may receive these as a concatenation in one file and need to separate them before placing them in the Trusted Certificates section. If you add more than one CA certificate at a time, the appliance will use the first one it finds, which may not be the correct one.

Alternatively, your CA may provide certificates in separate files. In this case, ensure that you have each certificate in the entire CA chain and not just the end entity certificate.

The end entity certificate and its private key must be pasted into the Local Credentials section of the NetProfiler, and the entire CA certificate chain must be pasted into the Trusted Certificates section of this NetProfiler.

The certificates must include the following certificate extensions:

  • X.509v3 Subject Key Identifier

  • X.509v3 Authority Key Identifier

These extensions are needed so that the correct issuer can be identified when a CA certificate is renewed, or when more than one CA certificate has the same subject.
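As an added example (not part of this documentation or of the NetProfiler product), the following Python script performs the two pre-checks described above: it separates a concatenated PEM bundle into individual certificates and reports which of them lack the Subject Key Identifier or Authority Key Identifier extension. It uses only the standard library; `sample_bundle` is a constructed minimal DER skeleton, not a real certificate, standing in for the bundle a CA would send.

```python
import base64, re

OID_SKI = bytes.fromhex("551d0e")   # 2.5.29.14 subjectKeyIdentifier (DER body)
OID_AKI = bytes.fromhex("551d23")   # 2.5.29.35 authorityKeyIdentifier (DER body)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem_bundle(text):
    """Return each PEM certificate (BEGIN/END lines included) as a separate string."""
    return [m.group(0) for m in PEM_RE.finditer(text)]

def _children(buf):
    """Yield (tag, value) for each DER TLV directly inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def extension_oids(pem):
    """Return the set of extension OIDs (raw DER bodies) present in one certificate."""
    der = base64.b64decode("".join(pem.strip().splitlines()[1:-1]))
    tbs = next(_children(next(_children(der))[1]))[1]   # Certificate -> tbsCertificate
    oids = set()
    for tag, val in _children(tbs):
        if tag == 0xA3:                              # [3] EXPLICIT Extensions
            for _, ext in _children(next(_children(val))[1]):
                oids.add(next(_children(ext))[1])    # extnID is the first field
    return oids

def missing_extensions(bundle_text):
    """For each certificate in the bundle, list the required extensions it lacks."""
    required = (("SubjectKeyIdentifier", OID_SKI), ("AuthorityKeyIdentifier", OID_AKI))
    return [[name for name, oid in required if oid not in extension_oids(pem)]
            for pem in split_pem_bundle(bundle_text)]

def sample_bundle(second_has_aki=True):
    """Constructed two-entry bundle (not real certificates): minimal DER skeletons with
    only a serial number and an extensions list, enough to exercise the parser."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form length suffices
    def cert(ext_oids):
        exts = b"".join(der(0x30, der(0x06, o) + der(0x04, b"\x04\x00")) for o in ext_oids)
        tbs = der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30, exts)))
        b64 = base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
    return cert([OID_SKI]) + cert([OID_SKI, OID_AKI] if second_has_aki else [OID_SKI])
```

Run `missing_extensions(open("bundle.pem").read())` against the bundle your CA sent; any non-empty entry marks a certificate that the appliance requirements above would reject.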

Part 1 – Trusted Certificates

To add the CA certificates to this NetProfiler appliance,

  1. Copy the first certificate of the CA certificate chain, including the BEGIN and END statements. The certificate will be in a format such as:

-----BEGIN CERTIFICATE-----
MIIBsTCCARqgAwIBAgIJAOqvgxZRcO+ZMA0GCSqGSIb3DQEBBAUAMA8xDTALBgNVBAMTBE1henUwHhcNMDYxMDAyMTY0MzQxWhcNMTY
...
ehyejGdw6VhXpf4lP9Q8JfVERjCoroVkiXenVQe/zer7Qf2hiDB/5s02/+8uiEeqMJpzsSdEYZUSgpyAcws5PDyr2GVFMI3dfPnl28hVavIkR8r05BP
-----END CERTIFICATE-----

  2. Go to the Trusted Certificates tab of the Administration > Appliance Security > Encryption Key Management page.

  3. Click Add New Certificate to open a window into which you can paste the CA-signed certificate.

  4. Optionally, enter a description to be displayed in the Trusted Certificates list. Leave it blank if you want to use the certificate’s subject. This can be changed later using the Change Entry action.

  5. Paste the certificate into the Key/Cert field.

  6. Click OK and confirm that the certificate is listed on the Trusted Certificates tab.

  7. Repeat this procedure for each CA certificate in the chain until all CA certificates in the chain have been added as separate entries.

Part 2 – Local Certificate and private key

After each certificate in the CA chain has been added as a trusted certificate, add the end entity certificate and the private key as the Local Credentials for this NetProfiler.

  1. Go to the Local Credentials tab of the Administration > Appliance Security > Encryption Key Management page.

  2. In the row for the Identityd SSL Certificate, choose Change Key/Cert from the Actions menu.

  3. Paste both the end entity Identityd certificate and the private key into the Key/Cert field.

  4. Click OK and confirm that the Identityd certificate is listed on the Local Credentials tab.

Note: Ensure that you include both the private key and the end entity certificate with their BEGIN and END statements. If you paste in just the certificate, you will get a certification error.

They will be in the format:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----

If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when you initially paste it into the Change window.
