How to Change Access Point Sign Certificate?

By default, the Access Point has a self-signed sign certificate that's automatically generated during the Access Point installation process. Uploading a new certificate is possible using the Access Point UI (PMode → Parties → Select party → Edit → Certificate → Import). However, recreating the private key and applying for a new certificate is not possible through the Access Point UI. Instead, the operation requires shell access to the Access Point.

Step-by-step guide

The Access Point sign certificate can be changed by following the steps described below.

1. First, take backup copy of the keystore file:

   cp -a /etc/harmony-ap/ap-keystore.jks /etc/harmony-ap/ap-keystore.jks.bak

2. Generate a new private key and certificate signing request (CSR) by running the command:

   openssl req -x509 -newkey rsa:3072 -keyout harmony-ap-new.key -out harmony-ap-new.crt -days 365 -nodes

3. Enter your CSR details.

4. Locate and open the newly created CSR ("/etc/harmony-ap/harmony-ap-new.crt") in a text editor and copy all the text including:

   /etc/harmony-ap/harmony-ap-new.crt

   -----BEGIN CERTIFICATE REQUEST-----
   And
   -----END CERTIFICATE REQUEST-----

5. Paste the contents of the CSR file in a local text file on your workstation.
6. Purchase a certficate from a trusted Certificate Authority (CA) using the CSR file.
7. Once the CA has issued the certificate, rename the certificate file to "harmony-ap-new.crt", and copy it to "/etc/harmony-ap/" directory on the Access Point.

8. Create a PKCS#12 container ("/etc/harmony-ap/harmony-ap.p12") that includes the new key and certificate, and the certificate chain. Write down the container password ("<container_password>").

   The "<cert_alias>" placeholder MUST be replaced with the party name of the key owner. More information about the alias is available here.

   openssl pkcs12 -export -in harmony-ap-new.crt -inkey harmony-ap-new.key -out harmony-ap.p12 -name <cert_alias> -CAfile ca_bundle.crt -caname cacert

9. Check the password of the keystore file from the "/etc/harmony-ap/domibus.properties" configuration file. The password is stored in the "domibus.security.keystore.password" property. Write down the password ("<ap_keystore_password>").

10. Import the PKCS#12 container into the Access Point keystore.

    The "<cert_alias>" placeholder MUST be replaced with the party name of the key owner. More information about the alias is available here.

    keytool -J-Dkeystore.pkcs12.legacy -importkeystore -deststorepass <ap_keystore_password> -destkeypass <ap_keystore_password> -destkeystore /etc/harmony-ap/ap-keystore.jks -srckeystore /etc/harmony-ap/harmony-ap.p12 -srcstoretype PKCS12 -srcstorepass <container_password> -alias <cert_alias>

11. Update the file permissions.

    chown -R harmony-ap:harmony-ap /etc/harmony-ap
    chmod -R 0751 /etc/harmony-ap

12. Restart the "harmony-ap" service.

    systemctl restart harmony-ap

13. Check that the log file ("/var/log/harmony-ap/catalina.out") doesn't contain any sign key related errors.
14. In case something goes wrong, restore the original files, and restart the "harmony-ap" service.

Related articles

• Page:
  How to Enable Logging of Full Messages for Debugging?
• Page:
  How to Configure TLS Authentication with the Web Service Plugin?
• Page:
  Harmony eDelivery Access - Access Point v2.2.2 Release Notes
• Page:
  Harmony eDelivery Access - Access Point v2.2.0 Release Notes
• Page:
  How to Change Access Point TLS Certificate (version 2.2.0 and later)?