25.2 Replacing Identity Server SSL Certificates

This procedure allows you to replace a trusted root certificate that is stored in the trust store assigned to the Identity Server. You must create an SSL certificate for the Identity Server and then replace the predefined test-connector certificate that comes with Access Manager. You can also replace the test-provider and test-consumer certificates in the NIDP-provider and NIDP-consumer keystores. The steps for replacing the signing, encryption, provider, and consumer certificates are similar.

You can also add the trusted roots to the trust stores used by the Identity Server, or auto-import them from a server. The NIDP trust store is the certificate container for CA certificates associated with the Identity Server.

You can also access the OCSP trust store to add OCSP server certificates. Online Certificate Status Protocol (OCSP) is a method for checking the revocation status of a certificate. To use this feature, you must set up an OCSP server. The Identity Server sends an OCSP request to the OCSP server to determine whether a certain certificate has been revoked, and the OCSP server replies with the revocation status. When this revocation checking protocol is used, the Identity Server does not cache or store the information in the reply; it sends a request every time it needs to check the revocation status of a certificate. The OCSP reply is signed by the OCSP server. To verify that the reply was signed by the correct OCSP server, the OCSP server certificate must be added to this trust store. It is the OCSP server certificate itself that is added to the trust store, not the CA certificate.
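The following script is an added example, not part of the Access Manager documentation. It builds a throw-away PKI with openssl and verifies an OCSP reply twice: once with the responder certificate itself as the explicitly trusted entry (the configuration described above) and once with only the CA certificate, which is not enough when the responder is not issued by that CA. All names (idp.example.test, Example CA, OCSP Responder) are constructed placeholders.

```shell
#!/bin/sh
# Constructed example: CA, server certificate and a self-signed OCSP responder,
# then an OCSP request/reply produced offline with openssl's responder mode.
set -e

WORK=$(mktemp -d)

# Issue the CA, a server certificate (serial 1000) and a responder certificate
# that is deliberately NOT issued by the CA.
setup_pki() {
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example CA" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
        -subj "/CN=idp.example.test" 2>/dev/null
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -set_serial 1000 \
        -days 30 -out srv.crt 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.crt \
        -subj "/CN=OCSP Responder" -days 30 \
        -addext "extendedKeyUsage=OCSPSigning" 2>/dev/null
    # ca-style index consulted by the responder: serial 1000 (0x03E8) is valid.
    printf 'V\t301231235959Z\t\t03E8\tunknown\t/CN=idp.example.test\n' > index.txt
    # The request a client such as the Identity Server would send, and the
    # signed reply, generated offline instead of over HTTP.
    openssl ocsp -issuer ca.crt -cert srv.crt -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key \
        -reqin req.der -respout resp.der >/dev/null 2>&1
    [ -s resp.der ]
}

# Trust store contains the responder certificate itself (-VAfile marks it as an
# explicitly trusted responder): the reply verifies and exit status is 0.
verify_with_responder_cert() {
    cd "$WORK"
    openssl ocsp -issuer ca.crt -cert srv.crt -no_nonce -respin resp.der -VAfile ocsp.crt
}

# Trust store contains only the CA certificate: the signer cannot be validated,
# openssl reports "Response Verify Failure" and exit status is 1.
verify_with_ca_only() {
    cd "$WORK"
    openssl ocsp -issuer ca.crt -cert srv.crt -no_nonce -respin resp.der -CAfile ca.crt
}

setup_pki
verify_with_responder_cert && echo "responder certificate trusted: reply accepted"
verify_with_ca_only || echo "CA certificate only: reply rejected (exit $?)"
```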

  1. In the Administration Console, click Identity Servers > Edit > Security.

  2. Click the certificate link that you want to replace:

    Encryption: Displays the encryption certificate keystore. The encryption certificate is used to encrypt specific fields or data in the assertions.

    Signing: Displays the signing certificate keystore. Click this option to access the keystore and replace the signing certificate as necessary. The signing certificate is used to sign the assertion or specific parts of the assertion.

    SSL: Displays the SSL connector keystore. Click this option to access the keystore and replace the SSL certificate as necessary. This certificate is used for SSL connections.

    Provider: Displays the identity provider keystore. Click this option to access the keystore and replace the identity provider certificate.

    Consumer: Displays the identity consumer keystore. Click this option to access the keystore and replace the identity consumer certificate as necessary.

  3. Click Replace.

    NOTE: A keystore stores only one certificate at a time. When you replace a certificate, you overwrite the existing one.

  4. In the Replace dialog box, click the Select Certificate icon and browse to select the certificate you created in Section 24.1, Creating Certificates.

  5. Click OK.

  6. Click OK in the Replace dialog box.

  7. Restart Tomcat, as prompted by the system.

    The system restarts Tomcat for you if you click Restart Now at the prompt. If you want to restart at your convenience, select Restart Later and then manually restart Tomcat via ssh. Enter /etc/init.d/novell-tomcat4 restart, then press Enter.

  8. Update the Identity Server configuration on the Servers page, as prompted.