Import a SSL Certificate to DMC

A self-signed certificate is established during installation. Typically a warning regarding this certificate appears upon opening DMC. To complete the requirements for SSL (and eliminate the warning), you need to create and load your own SSL certificate. It must be signed by a root authority that is trusted by your network.

Tip: It is strongly recommended to obtain and import a certificate by a certified authority. Learn how to do so here: Manage your default ports and HTTP protocols

If you must import a public and private key pair, follow the below instructions to do so.

Load the SSL Certificate into DMC

Java's keytool CLI, which ships with DMC, can manage a keystore (database) of cryptographic keys, X.509 certificate chains, and trusted certificates.

Ultimately, the keystore.p12 file in DATICAL_HOME/data/datical-service/ needs to have the signed public key, private key, and certificate chain included in it under the alias "datical" with a password of “datical”.

Tip: It is usually best to make a backup of the original file before working with it.

  1. Copy the converted certificate and private key into a PKCS 12 (.p12) file to DATICAL_HOME/data/datical-service on the DMC server.

  2. Run:
    • If you are in demo mode you can stop all services at once:
      datical-control service stop all
    • If you are in production mode you must stop each service individually:
      sudo datical-control service stop proxy
      sudo datical-control service stop datical-service
      sudo datical-control service stop keycloak
  3. Delete a certificate that came with DMC: 
    DATICAL_HOME/jre/bin/keytool -delete -alias datical -keystore keystore.p12
  4. Import the PKCS 12 certificate by executing the following command:
    DATICAL_HOME/jre/bin/keytool -importkeystore -deststorepass datical -destkeystore DATICAL_HOME/data/datical-service/keystore.p12 -srckeystore DATICAL_HOME/data/datical-service/domain.p12 -srcstoretype PKCS12
  5. Run:
    datical-control service start all

Note: Below is a step-by-step example that covers how to create a SSL Certificate, sign it with your own certificate authority (CA), and convert to PKCS 12 file.

Tip: The PKCS12 Keystore format is preferable in DMC when you need to replace both private and public key pairs in the Keystore.

If you only need to import a signed certificate based on a DMC certificate request, then use the certificate in the pem or p7b format. Learn how to do so here: Manage your default ports and HTTP protocols

The process to generate a certificate varies based on your network setup, tools you use, and trusted authorities. Consult your system administrator or security administrator for the process used at your site.

Note: The following example is for illustration only.

  1. Create both the private key and CSR in a separate folder:
    2. mkdir ~/certs && cd ~/certs
    openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Create a CA-Signed Certificate With Our Own CA

We can be our own certificate authority (CA) by creating a self-signed root CA certificate, and then installing it as a trusted certificate in the local browser.

  1. Create a private key (ca.key) and a self-signed root CA certificate (ca.crt) from the command line:
    2. mkdir ~/ca && cd ~/ca
    openssl req -newkey rsa:2048 -nodes -keyout ca.key -x509 -days 3654 -out ca.crt

Sign Our CSR With Root CA

  1. Then sign our CSR (domain.csr) with the root CA certificate and its private key:
    2. openssl x509 -req -in ~/certs/domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out domain.crt -days 365

    The CA-signed certificate is located in the domain.crt file successfully.

Convert the signed certificate and private key to PKCS 12

Private key information cannot import directly to a Keystore using a CLI keytool. Instead, it is necessary to convert the certificate and private key into a PKCS 12 (.p12) file, and then import the PKCS 12 file into DMC keystore.

  1. Execute the command:
    2. openssl pkcs12 -export -in domain.crt -inkey ~/certs/domain.key -name [hostname] -out domain.p12

Useful commands that may help during the process

  • Move an existing keystore entry from the specified alias to datical alias:
    • DATICAL_HOME/jre/bin/keytool -changealias -alias [oldalias] -destalias datical -keystore keystore.p12
  • Changes the password used to protect the integrity of the keystore contents to datical
    • DATICAL_HOME/jre/bin/keytool -storepasswd -keystore keystore.p12
  • Regenerate the DMC HTTPS keys:
    • datical-control https regenerate-keys