-
Title
Importing a PKCS12 (PFX) format certificate as the Foglight SSL Certificate -
Description
How to import an existing PKCS12 (pfx) SSL Certificate in Foglight. -
Resolution
If you have an existing SSL certificate and you want to use this certificate in Tomcat, follow the steps below to import this SSL certificate.
Note: This certificate must be provided in the PKCS #12 (pfx) format. If the certificate and private key are saved in separate files, run the following command to merge them to the PKCS12 format:
openssl pkcs12 -export -in $certfile -inkey $keyfile -out $keystorefile -name tomcat -CAfile $cacertfile -caname root
To import a certificate in Tomcat:
- Backup the existing Tomcat keystore file $FGL_HOME/config/tomcat.keystore
- Delete the existing tomcat certificate from the tomcat.keystore directory using the following command:
$FGL_HOME/jre/bin/keytool -keystore $FGL_HOME/config/tomcat.keystore -storepass nitrogen -alias tomcat -delete
-
Obtain the certificate’s alias name from the certificate PFX file using the following command:
$FGL_HOME/jre/bin/keytool -keystore $your_certificate_pfx_file -storepass $certificate_pfx_password -list -v
The following is an example of command output. The value of Alias name is required in step 3.
- Your keystore contains 1 entry
- Alias name: tq-294043e3-fd9d-42ee-a596-0217c7d6d5f8
- Creation date: May 8, 2020
- Entry type: PrivateKeyEntry
-
Merge the Tomcat keystore and the PKCS12 keystore using the following command:
$FGL_HOME/jre/bin/keytool -importkeystore -destkeystore $FGL_HOME/config/tomcat.keystore -deststorepass nitrogen -destalias tomcat -destkeypass nitrogen -srckeystore $your_certificate_pfx_file -srcstorepass $certificate_pfx_password -srcstoretype pkcs12 -srcalias $alias_name_in_step_2
Note: If the Foglight Management Server certificate is updated, the new certificate may need to be imported to the Foglight Agent Manager certificate store for connections to be established. For more information refer to What are the steps required to use an external signed certificate in the Foglight Managment Server? (4254114).
-
Additional Information
Technical Documentation about Importing a network security certificate.
To export a certificate
The following command can be used to export a certificate with the private key:
$FGL_HOME/jre/bin/keytool -importkeystore -srckeystore $FGL_HOME/config/tomcat.keystore -srcstoretype JKS -destkeystore -destkeystore [output_path]/tomcat.keystore.p12 -deststoretype pkcs12