Uploading a Certificate Manually to a Virtual Appliance

Import a Certificate and Keychain to the Virtual Appliance

Important
When adding a certificate to the virtual appliance (VA), ensure that the certificate you copy is in Privacy-Enhanced Mail (PEM) format.

  • Before manually adding a new certificate for the source to your virtual appliance's truststore, ensure the following:

    • The virtual appliance (VA) is not connected to the source.

    • Connection testing between the source and VA is suspended.

    • Scheduled aggregations are temporarily paused, if necessary.

  • The source server has been configured for TLS.

  • The va-config-<va_id>.yaml file has been configured for your virtual appliance.

  • You must complete the following steps for every virtual appliance on the virtual appliance cluster connected to the source:

    1. Copy the PEM-encoded certificates to the /home/sailpoint/certificates directory. This directory might not be empty because it’s where the VA adds any certificates it gets from the source.

    2. Restart the CCG using the following command:

      sudo systemctl restart ccg

    3. Watch the /home/sailpoint/log/ccg-start.log file. If the import succeeds, the log contains messages of the form:

      {"@timestamp":"2017-04-21 06:57:12 +0000","level":"INFO","type":"ccg","message":"Checking CCG Sources certificates"}

      {"@timestamp":"2017-04-21 06:57:12 +0000","level":"INFO","type":"ccg","message":"Cert files found: [\"/home/sailpoint/certificates/411818.pem\"]"}

      {"@timestamp":"2017-04-21 06:57:12 +0000","level":"INFO","type":"ccg","message":"Importing cert /home/sailpoint/certificates/411818.pem"}

      Note

      If you see an error instead of the log messages above, the certificate is most likely in an invalid format. Verify that the certificate file is PEM-encoded and then try again.

    Sometimes a certificate exported from the source does not work with the VA. Retrieving the certificate directly with the OpenSSL command is a reliable way to obtain the server's latest certificate.

    1. Use the OpenSSL command to get the latest certificate:

      1. Run the following OpenSSL command:

        openssl s_client -connect server.example.com:636 > output < /dev/null

      2. From the command output file, copy the certificate block from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line.

      3. Create a new file called cert.pem in the /home/sailpoint/certificates folder.

      4. Save the copied certificate contents in the new cert.pem file.

    2. Restart the CCG using the following command:

      sudo systemctl restart ccg
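As an added example (not part of the SailPoint documentation or product), the following POSIX shell functions carry out the OpenSSL retrieval described above together with the PEM format check that the earlier log note implies: they keep only the certificate block(s) from openssl s_client output, reject files that do not parse as PEM, and copy the result into /home/sailpoint/certificates before restarting the CCG. The server name, port and the temporary file path are assumptions.

```shell
#!/bin/sh
# Added example (not SailPoint's own tooling): pull the source server's
# certificate with OpenSSL, keep only the PEM block(s), sanity-check the
# result, and install it for the CCG. Host, port and file names are assumptions.
CERT_DIR=/home/sailpoint/certificates

# Keep only the lines from -----BEGIN CERTIFICATE----- through
# -----END CERTIFICATE----- (stdin -> stdout); the handshake chatter,
# session ticket and "Verify return code" lines from s_client are dropped.
extract_pem() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { p = 0 }'
}

# Number of PEM certificate blocks on stdin (prints 0 when nothing was captured).
count_certs() {
    grep -c '^-----END CERTIFICATE-----$'
}

# Reject files that are not parseable X.509 PEM (DER or PKCS#12 exports,
# truncated copies); these are what make the CCG import log an error.
verify_pem() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# usage: fetch_server_cert server.example.com 636 /tmp/source.pem
fetch_server_cert() {
    # -showcerts prints the whole chain, not only the leaf certificate;
    # </dev/null closes stdin so s_client returns after the handshake.
    openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null |
        extract_pem >"$3"
    [ "$(count_certs <"$3")" -gt 0 ] || { echo "no certificate captured from $1:$2" >&2; return 1; }
    verify_pem "$3" || { echo "$3 is not a valid PEM certificate" >&2; return 1; }
}

# usage: install_cert /tmp/source.pem
# Copies the checked file into the VA certificate directory and restarts the
# CCG; the import messages can then be followed in ccg-start.log.
install_cert() {
    verify_pem "$1" || return 1
    cp "$1" "$CERT_DIR/" && sudo systemctl restart ccg
}
```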