On occasion you may need to regenerate the FAS keys and certificates. For example, you may have installed a trials environment that does not have the correct IP in its certificates, or you may intend to change the FQDN/IP used to access FAS, which requires a matching change in the certificates. For simplicity, I will refer to the certificate/keypair combination simply as the certificate for the remainder of the article.
It is a simple matter to generate new certificates for use with FAS, but bear in mind that if you are using signed certificates in your environment, you will need to get the newly generated certificates signed by the appropriate CA.
You normally only need to update the Load Balancer certificates as these are the certificates that will be presented to external entities communicating with FAS securely.
To generate a new Load Balancer certificate you need to do the following:
- Navigate to the JBoss admin console (https://<fas address>:9990)
- Select Profiles (top right)
- Select management in the Profile drop down menu (top left)
- Select Trust Management, then ID Certificates, in the left-hand menu. You will be presented with a page similar to the following:
- Ensure the main-loadbalancer-group is selected in the Identity Certificate Group table.
Note: FAS is configured to use certificates with the names/aliases https and sips for the different transport mechanisms. In order to generate new certificates for a particular transport you will need to remove the existing certificate and generate a new one with the same name.
- Click the certificate named after the transport for which you want to generate new certificates, e.g. https in the example screenshot above.
- Click Remove and confirm the removal in the dialog that appears.
- Click Generate Keypair.
- In the dialog that appears, enter the following:
  - Name - This is the transport name, either https or sips.
  - Subject DN - This has the format CN=<FAS Address>, see screenshot above for example. This DN address will need to match the address external entities will use to access FAS.
  - Expiry Date - The date you want the certificates to expire.
  - Password - The FAS Security Password. The default can be found in the FAS Administering guide.
- Click Generate and the newly generated certificate will appear in the list.
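
After regenerating, it is worth confirming that the certificate actually carries the Subject DN and expiry you entered. The script below is an added example, not part of the original article or of FAS: it assumes `openssl` is installed, the function names are hypothetical, and the TLS port is deployment-specific and not given on this page. It checks only the Subject CN, as the procedure above does, and does not inspect subjectAltName entries.

```shell
#!/usr/bin/env bash
# Added example: checks that a regenerated certificate carries the expected
# Subject CN and is not about to expire. Function names are hypothetical.

# Print the CN from the certificate's Subject DN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *\(.*,\)\{0,1\}CN=\([^,]*\).*/\2/p'
}

# check_cert PEM EXPECTED_ADDRESS [MIN_DAYS]
# Returns 1 on a CN mismatch, 2 if expiry is within MIN_DAYS, 0 otherwise.
check_cert() {
    local pem=$1 expected=$2 min_days=${3:-30} cn
    cn=$(cert_cn "$pem")
    if [ "$cn" != "$expected" ]; then
        echo "FAIL: Subject CN '$cn' does not match '$expected'"
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days"
        return 2
    fi
    echo "OK: CN=$cn, valid for more than $min_days days"
}

# Save the certificate a TLS listener presents (HOST PORT OUT_PEM).
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Constructed sample input so the checks can be tried offline (DIR CN DAYS).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/cert.pem" -subj "/CN=$2" -days "$3" 2>/dev/null
}

# Live use: script HOST PORT [MIN_DAYS]. The port is an assumption; use the
# one your load balancer serves the https or sips transport on.
if [ $# -ge 2 ]; then
    tmp=$(mktemp)
    fetch_cert "$1" "$2" "$tmp" && check_cert "$tmp" "$1" "${3:-30}"
    rm -f "$tmp"
fi
```

Pass the same address external entities use to reach FAS as HOST, so a mismatch with the Subject DN is reported before clients run into it.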