This article is intended as a guide for applying certificates generated outside of the usual CBA process, e.g. a CSR generated by FAS. In this example, we will import an existing wild card security certificate (such as *.cafex.com) into a FAS server in the CaféX DNS domain.
WARNING - This procedure has the potential to be destructive, while we will take a backup of the system below we also recommend a server state backup is made before attempting.
It is assumed you have:
- A directory on the server (mkdir /opt/certs/) with the 3 files listed below.
- Wildcard certificate for *.yourdomain.com, e.g wildcard-server.crt. It is advised that this cert includes the bundle cert also. See Creating all.crt to include bundle certificates with server certificate for more details.
- The Webserver private key, e.g websvr.key.
- importKeyPair.sh script attached to this article.
Please ensure that the certificate and key files are in Unix format. If they are in Dos format (denoted by [DOS] at the bottom of the screen if you open the file in 'vi editor'), then it would give errors when you try to import it.
You can convert a file from DOS format to Unix format by using the 'dos2unix' command.
If the 'dos2unix' command is not available, you can do the following:
- Open the file in 'vi editor'
- In Escape mode, set the following :set fileformat=unix
- Save and close the file
Once you have these files in place on the server (use /opt/certs/) follow the below.
Step 1.Stop FAS and backup the existing install directory
Backup existing installation:
- Stop FAS service fas stop
- cp -Rp /opt/cafex/FAS-<version> /opt/cafex/FAS-<date>-<version>
- Start FAS: service fas start
Step 2. Remove the existing keypairs for https on the main-loadbalancer-group and the mgmt-server-group.
Navigate to the AS server admin console:
https://<your-server>:9990/console/ --> Profiles --> Management --> Trust Management --> ID Certificates --> main-loadbalancer-group --> https --> remove
Then repeat for the mgmt-server-group.
https://<your-server>:9990/console/ --> Profiles --> Management --> Trust Management --> ID Certificates --> mgmt-server-group --> https --> remove
NOTE - DO NOT RESTART FAS OR YOUR SERVER AT THIS POINT AS IT WILL HAVE NO HTTPS CERTIFICATES TO SERVE WEB PAGES.
Step 3. Create new https keypairs on the main-loadbalancer-group and the mgmt-server-group using the wildcard cert and webserver key.
NOTE ** REMEBER to use the actual name of your certificates & passwords, do not copy & paste commands from below:
- Copy the importKeyPair.sh script attached to /opt/certs & run the following commands
- Ensure your .crt and .key files are in the same folder as importKeyPair.sh, or that the path to these files is accurate.
- chmod +x /opt/certs/importKeyPair.sh
- Create the main-loadbalancer-group https by following Step 5 below:
- ./importKeyPair.sh -g main-loadbalancer-group -n https -p changeit -k websvr.key -c wildcard-server.crt -u administrator -a administrator (should return success response)
- Create the mgmt-server-group https by following Step 7 below:
- ./importKeyPair.sh -g mgmt-server-group -n https -p changeit -k websvr.key -c wildcard-server.crt -u administrator -a administrator (should return success response)
- now restart FAS: service fas restart
Procedure complete, if you received an error message instead of a success please follow the restore procedure below.
Note browsers needed to be restarted to pick up the new cert.
- Stop FAS: service fas stop
- Move old FAS directory: mv /opt/cafex/FAS-<version> /opt/cafex/FAS-failed-cert
- Rename backup: mv /opt/cafex/FAS-<date> /opt/cafex/FAS-<Version> (you can get version from cat /etc/fas.conf)
- Start FAS: service fas start.
Common Problems, Issues & Error Messages
- "Failed to import key pair: JBAS014746: public-cert-encoded may not be null"
- Please ensure that the .crt and .key files are located in the same folder as importKeyPair.sh or that the path to these files is accurate.
- "JBAS014803: Duplicate resource"
- This error is due to the .crt you are attempting to import already existing within the FAS certificate store, please remove the previous certificate before applying.