Create or renew the PAM Web server certificate
If the PAM Web server certificate has expired, follow the steps below to renew it.
- Open a Command Prompt and cd to the $PAM_HOME/PAM folder.
- Create the keystore:
    bin\PamKeytool.cmd -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore IPAMkeystore.jks
  - Enter the keystore password (and record this password).
  - Verify the keystore password.
- Complete the certificate details:
  - What is your first and last name?
    - This is the cert CN. Use the server FQDN.
  - What is the name of your organizational unit?
    - This is the cert OU.
  - What is the name of your organization?
    - This is the cert O.
  - What is the name of your City or Locality?
    - This is the cert L.
  - What is the name of your State or Province?
    - This is the cert ST.
  - What is the two-letter country code for this unit?
    - This is the cert C.
- Verify the certificate details are correct.
- Create the certificate request with the SAN:
    bin\PamKeytool.cmd -certreq -keyalg RSA -alias tomcat -keystore IPAMkeystore.jks -file ipam.csr -ext "SAN=dns:pam01.adroit.local,dns:pam01,ip:172.21.28.104"
  - Enter the keystore password.
  - The ipam.csr file will be generated in the $PAM_HOME directory.
- Use the Base64 CSR file to create a Web Server certificate in the Domain PKI (via the CA Website), or an external third-party PKI.
- Save the created certificate as a Base64 encoded certificate chain (ipam.p7b).
- Import the certificate bundle:
    bin\PamKeytool.cmd -import -alias tomcat -keystore IPAMkeystore.jks -trustcacerts -file ipam.p7b
  - Enter the keystore password.
- Copy the IPAMkeystore.jks file to the $PAM_HOME/web/conf folder.
- Update the xtam.cert.path= to reference the new IPAMkeystore.jks keystore file.
- Update the xtam.cert.password= with the new password (if needed).
- Restart the PamManagement / pammanager service.
- Once the PAM Web server is running, browse to the webpage and verify that the certificate has been updated.
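
The final verification step can also be scripted. The following Python is an added example, not part of the original instructions or the product: it checks that the served certificate is unexpired and carries the SAN entries from the certificate request above. The 30-day warning threshold, the port and the CA file passed to fetch_cert are assumptions to adjust for your deployment.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# SAN entries from the -ext "SAN=..." option used in the certificate request.
EXPECTED_DNS = {"pam01.adroit.local", "pam01"}
EXPECTED_IPS = {"172.21.28.104"}


def check_cert(cert, now=None, min_days=30):
    """Return a list of problems for a cert dict in ssl.getpeercert() form.

    min_days is an assumed early-warning threshold, not a product setting.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not_after <= now:
        problems.append(f"expired on {not_after:%Y-%m-%d}")
    elif not_after - now < timedelta(days=min_days):
        problems.append(f"expires within {min_days} days ({not_after:%Y-%m-%d})")
    san = cert.get("subjectAltName", ())
    dns = {value.lower() for kind, value in san if kind == "DNS"}
    ips = {value for kind, value in san if kind == "IP Address"}
    problems += [f"missing SAN dns:{n}" for n in sorted(EXPECTED_DNS - dns)]
    problems += [f"missing SAN ip:{i}" for i in sorted(EXPECTED_IPS - ips)]
    return problems


def fetch_cert(host, port, cafile=None):
    """Fetch the served certificate. The handshake validates chain and host
    name, so an untrusted or mismatched certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format, standing in for a renewed cert.
SAMPLE = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "pam01.adroit.local"), ("DNS", "pam01"),
                       ("IP Address", "172.21.28.104")),
}

if __name__ == "__main__":
    # Offline run on the sample. For a live check, pass the result of
    # fetch_cert("pam01.adroit.local", <port>, cafile="<issuing-ca.pem>").
    print(check_cert(SAMPLE, now=datetime(2025, 1, 1, tzinfo=timezone.utc)) or "OK")
```

An empty list means the certificate passed every check; a certificate issued without the -ext SAN values shows up as "missing SAN" entries.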