Create or renew the PAM Web server certificate

If the PAM Web server certificate has expired, follow the steps below to renew it.

  1. Open a Command Prompt and cd to the $PAM_HOME/PAM folder.

  2. Create the keystore:

    bin\PamKeytool.cmd -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore IPAMkeystore.jks
    • Enter the keystore password (and record this password).

    • Verify the keystore password.

  3. Complete the certificate details:

    • What is your first and last name?

      • This is the cert CN. Use the server FQDN.

    • What is the name of your organizational unit?

      • This is the cert OU

    • What is the name of your organization?

      • This is the cert O

    • What is the name of your City or Locality?

      • This is the cert L

    • What is the name of your State or Province?

      • This is the cert ST

    • What is the two-letter country code for this unit?

      • This is the cert C

  4. Verify the certificate details are correct.

  5. Create the certificate request with the SAN.

    bin\PamKeytool.cmd -certreq -keyalg RSA -alias tomcat -keystore IPAMkeystore.jks -file ipam.csr -ext "SAN=dns:pam01.adroit.local,dns:pam01,ip:172.21.28.104"
    • Enter the keystore password.


    • The ipam.csr file will be generated in the $PAM_HOME directory

  6. Use the Base64-encoded CSR file to create a Web Server certificate in the Domain PKI (via the CA website), or in an external third-party PKI.


  7. Save the created certificate as a Base64-encoded certificate chain (ipam.p7b):


  8. Import the certificate bundle:

    bin\PamKeytool.cmd -import -alias tomcat -keystore IPAMkeystore.jks -trustcacerts -file ipam.p7b
    • Enter the keystore password.


  9. Copy the IPAMkeystore.jks file to the $PAM_HOME/web/conf folder.

  10. Update the xtam.cert.path= parameter to reference the new IPAMkeystore.jks keystore file.

  11. Update the xtam.cert.password= parameter with the new keystore password (if needed).

  12. Restart the PamManagement / pammanager service.

  13. Once the PAM Web server is running, browse to the webpage and verify that the certificate has been updated.
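
The verification in step 13 can also be scripted. The following is an added example, not part of the PAM product or its documentation: it checks the validity dates of the served certificate and confirms that every SAN requested in step 5 is present. Assumptions: the function names, port 443, and the 30-day warning threshold are illustrative; fetch_cert needs the issuing CA in the system trust store or passed as cafile; SAMPLE is a constructed certificate record.

```python
import socket
import ssl
import time

# SAN entries requested in the CSR (step 5 on this page).
EXPECTED_DNS = {"pam01.adroit.local", "pam01"}
EXPECTED_IPS = {"172.21.28.104"}

def fetch_cert(host, port=443, cafile=None):
    """Return the verified server certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_cert(cert, expected_dns, expected_ips, now=None, min_days=30):
    """Return a list of problems; an empty list means the certificate looks right."""
    now = time.time() if now is None else now
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now >= not_after:
        problems.append("certificate has expired")
    elif not_after - now < min_days * 86400:
        problems.append(f"certificate expires in under {min_days} days")
    san = cert.get("subjectAltName", ())
    dns = {value.lower() for kind, value in san if kind == "DNS"}
    ips = {value for kind, value in san if kind == "IP Address"}
    for name in sorted(expected_dns - dns):
        problems.append(f"missing SAN dns:{name}")
    for ip in sorted(expected_ips - ips):
        problems.append(f"missing SAN ip:{ip}")
    return problems

# Constructed sample in getpeercert() format so the check runs offline;
# it deliberately omits the short name "pam01".
SAMPLE = {
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "pam01.adroit.local"), ("IP Address", "172.21.28.104")),
}

if __name__ == "__main__":
    at = ssl.cert_time_to_seconds("Jun 10 00:00:00 2024 GMT")
    for problem in check_cert(SAMPLE, EXPECTED_DNS, EXPECTED_IPS, now=at) or ["OK"]:
        print(problem)
```

Against the live server, call check_cert(fetch_cert("pam01.adroit.local"), EXPECTED_DNS, EXPECTED_IPS) after the service restart.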