How to Change Access Point Sign Certificate (version 2.2.0 and later)?

This article applies to new installs of Harmony Access point v2.2.0 and later versions. For older versions (including upgrades from older versions), see How to Change Access Point Sign Certificate?

By default, the Access Point has a self-signed sign certificate that's automatically generated during the Access Point installation process. Replacing the self-signed certificate requires creating a new keystore: a PKCS#12 container holding the new private key, the CA-issued certificate and its chain, which is then uploaded through the admin interface.

Note about Using Harmony Access Point Container Version

Harmony Access Point configuration is located at /var/opt/harmony-ap/etc instead of /etc/harmony-ap (for convenience, /etc/harmony-ap is a symbolic link to that directory).

Commands can be run inside the container with docker exec (using sudo in the container is unnecessary). For example, to generate the new key and CSR of step 1 inside the container:
docker exec -it <container name> openssl req -new -newkey rsa:3072 -keyout harmony-ap-new.key -out harmony-ap-new.csr -nodes

The files are written to the working directory of the container process.

Files can be copied to/from a container using docker cp.

Step-by-step guide

The Access Point sign certificate can be changed by following the steps described below.

  1. Generate a new private key and certificate signing request (CSR) using OpenSSL by running the command:

    openssl req -new -newkey rsa:3072 -keyout harmony-ap-new.key -out harmony-ap-new.csr -nodes

    Use -new, not -x509: the -x509 flag would produce another self-signed certificate instead of a request that a CA can sign. Because of -nodes, the private key file is written unencrypted; create it with restrictive permissions (for example under umask 077), keep it only on the host that builds the keystore, and delete it once the PKCS#12 container has been created and uploaded.

  If you don't have OpenSSL installed, you can generate the key and CSR on the Harmony Access Point host.

  2. Enter the CSR details (the distinguished name of the subject) as required by the CA.

  3. Obtain a certificate from a trusted Certificate Authority (CA) using the CSR file (harmony-ap-new.csr). Save the issued certificate as harmony-ap-new.crt and the CA's chain certificates as ca_bundle.crt.

  4. Check the keystore password in the admin interface Properties view (domibus.security.keystore.password). Take a note of the password (ap_keystore_password). In the same view, note the key alias (domibus.security.key.private.alias): the new key must be stored under that alias. The private key password (domibus.security.key.private.password) must equal the keystore password, because a PKCS#12 container exported by OpenSSL protects the key and the container with one password.

  5. Once the CA has issued the certificate, create a PKCS#12 container (harmony-ap.p12) that includes the new key and certificate, and the certificate chain. Use the ap_keystore_password as the export password and the alias from step 4 as the name. Add the chain with -certfile; -CAfile on its own does not include any certificates in the container (it is only consulted for chain building together with -chain):

    openssl pkcs12 -export -in harmony-ap-new.crt -inkey harmony-ap-new.key -out harmony-ap.p12 -name <cert_alias> -certfile ca_bundle.crt -caname cacert

  6. Download (back up) the current Access Point keystore using the admin interface (Certificates > Keystore).

  7. Upload the new harmony-ap.p12 PKCS#12 container into the Access Point (Certificates > Keystore).

  8. Check that the log file (/var/log/harmony-ap/catalina.out) doesn't contain any sign key related errors.

  9. In case something goes wrong, restore the original keystore backed up in step 6.
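The procedure above, rehearsed end to end as an added example (this script is not part of the original article or of the Harmony/Domibus project). It generates the key and CSR, builds the PKCS#12 container with the chain, and then opens the container the way the Access Point will, checking the alias, the password and that key and certificate belong together, before anything is uploaded. Assumptions: a throwaway local CA created by the script stands in for the real CA so that it runs offline (in production, send harmony-ap-new.csr to your CA and save the issued certificate as harmony-ap-new.crt instead); the subject names, the alias harmony-ap and the password example-password are placeholders for the values from your CA and the admin interface.

```shell
#!/bin/sh
# Added example, not Harmony/Domibus project code. Rehearses the keystore
# replacement in a scratch directory and verifies the result before upload.
set -eu
umask 077   # -nodes leaves the private key unencrypted: never world-readable

# make_keystore DIR ALIAS PASSWORD
#   ALIAS    must equal domibus.security.key.private.alias
#   PASSWORD must equal domibus.security.keystore.password (ap_keystore_password)
make_keystore() {
    dir="$1"; alias="$2"; password="$3"
    mkdir -p "$dir"

    # Step 1: new private key and CSR. -new, not -x509: -x509 would emit a
    # self-signed certificate rather than a request a CA can sign.
    # The subject below is a placeholder (assumption); use what your CA requires.
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$dir/harmony-ap-new.key" -out "$dir/harmony-ap-new.csr" \
        -subj "/C=EE/O=Example Org/CN=ap.example.org" 2>/dev/null

    # Stand-in CA (assumption, offline only): issues harmony-ap-new.crt from
    # the CSR and provides ca_bundle.crt. Replace with your real CA in practice.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca_bundle.crt" \
        -subj "/C=EE/O=Example CA/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/harmony-ap-new.csr" \
        -CA "$dir/ca_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/harmony-ap-new.crt" 2>/dev/null

    # Step 5: PKCS#12 with key, certificate and chain. -certfile adds the CA
    # certificates explicitly; -CAfile alone would not include anything.
    openssl pkcs12 -export \
        -in "$dir/harmony-ap-new.crt" -inkey "$dir/harmony-ap-new.key" \
        -certfile "$dir/ca_bundle.crt" -caname cacert \
        -name "$alias" -passout "pass:$password" \
        -out "$dir/harmony-ap.p12"
}

# verify_keystore DIR ALIAS PASSWORD
#   Opens the container with the password the Access Point will use, checks
#   that the key bag and certificate carry the expected alias, that exactly one
#   private key is present and that it matches the certificate, then prints the
#   number of certificates in the container (end-entity certificate + chain).
#   Returns 1 on any mismatch, so a bad keystore is caught before upload.
verify_keystore() {
    dir="$1"; alias="$2"; password="$3"
    dump=$(openssl pkcs12 -in "$dir/harmony-ap.p12" \
        -passin "pass:$password" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$dump" | grep -q "friendlyName: $alias" || return 1
    printf '%s\n' "$dump" | grep -q 'friendlyName: cacert' || return 1
    [ "$(printf '%s\n' "$dump" | grep -c 'BEGIN PRIVATE KEY')" -eq 1 ] || return 1
    # the public key in the certificate must be the one derived from the key
    cert_pub=$(openssl x509 -in "$dir/harmony-ap-new.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/harmony-ap-new.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone rehearsal in a scratch directory. Prints 2 certificates: the new
# certificate plus the stand-in CA certificate. Alias and password are placeholders.
scratch=$(mktemp -d)
make_keystore "$scratch" harmony-ap example-password
echo "harmony-ap.p12 in $scratch holds $(verify_keystore "$scratch" harmony-ap example-password) certificate(s)"
```

After a successful check, harmony-ap.p12 is the file to upload in step 7; the .key, .csr and stand-in CA files in the scratch directory should be deleted rather than left on disk. If verify_keystore fails with the password from the admin interface, the container was exported with a different password and the Access Point would reject it in the same way.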
