How to Change Access Point Sign Certificate?
By default, the Access Point has a self-signed sign certificate that's automatically generated during the Access Point installation process. Uploading a new certificate is possible using the Access Point UI (PMode → Parties → Select party → Edit → Certificate → Import). However, recreating the private key and applying for a new certificate is not possible through the Access Point UI. Instead, the operation requires shell access to the Access Point.
Step-by-step guide
The Access Point sign certificate can be changed by following the steps described below.
First, take backup copy of the keystore file:
cp -a /etc/harmony-ap/ap-keystore.jks /etc/harmony-ap/ap-keystore.jks.bak
Generate a new private key and certificate signing request (CSR) by running the command:
openssl req -x509 -newkey rsa:3072 -keyout harmony-ap-new.key -out harmony-ap-new.crt -days 365 -nodes
- Enter your CSR details.
Locate and open the newly created CSR ("/etc/harmony-ap/harmony-ap-new.crt") in a text editor and copy all the text including:
/etc/harmony-ap/harmony-ap-new.crt-----BEGIN CERTIFICATE REQUEST----- And -----END CERTIFICATE REQUEST-----
- Paste the contents of the CSR file in a local text file on your workstation.
- Purchase a certficate from a trusted Certificate Authority (CA) using the CSR file.
- Once the CA has issued the certificate, rename the certificate file to "harmony-ap-new.crt", and copy it to "/etc/harmony-ap/" directory on the Access Point.
Create a PKCS#12 container ("/etc/harmony-ap/harmony-ap.p12") that includes the new key and certificate, and the certificate chain. Write down the container password ("<container_password>").
The "<cert_alias>" placeholder MUST be replaced with the party name of the key owner. More information about the alias is available here.
openssl pkcs12 -export -in harmony-ap-new.crt -inkey harmony-ap-new.key -out harmony-ap.p12 -name <cert_alias> -CAfile ca_bundle.crt -caname cacert
- Check the password of the keystore file from the "
/etc/harmony-ap/domibus.properties
" configuration file. The password is stored in the "domibus.security.keystore.password
" property. Write down the password ("<ap_keystore_password>"). Import the PKCS#12 container into the Access Point keystore.
The "<cert_alias>" placeholder MUST be replaced with the party name of the key owner. More information about the alias is available here.
keytool -J-Dkeystore.pkcs12.legacy -importkeystore -deststorepass <ap_keystore_password> -destkeypass <ap_keystore_password> -destkeystore /etc/harmony-ap/ap-keystore.jks -srckeystore /etc/harmony-ap/harmony-ap.p12 -srcstoretype PKCS12 -srcstorepass <container_password> -alias <cert_alias>
Update the file permissions.
chown -R harmony-ap:harmony-ap /etc/harmony-ap chmod -R 0751 /etc/harmony-ap
Restart the "harmony-ap" service.
systemctl restart harmony-ap
- Check that the log file ("/var/log/harmony-ap/catalina.out") doesn't contain any sign key related errors.
- In case something goes wrong, restore the original files, and restart the "harmony-ap" service.
Related articles