How to configure UMP/wasp to use SSL certificates with a Subject Alternative Name

Document ID : KB000016748
Last Modified Date : 14/02/2018
Question:

We use https://hostname.domain.com for our UMP, and DNS also allows https://hostname/.  We would like to implement a single SSL certificate to cover both cases. How can this be accomplished?

Answer:

The high-level steps below make this work. For specifics, see the product documentation.

1. Reinitialize the keystore.
2. Delete the "wasp" alias from the keystore.
3. Generate a key pair, but do NOT use the command from the docs:

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -validity <days_cert_is_valid>

That command only prompts for the Distinguished Name and produces a key pair whose certificate carries no Subject Alternative Name at all. Instead, pass the DN and the SAN on the command line, substituting the appropriate values for your domain. The SAN must list every name clients will use, so include the short host name as well as the fully qualified one:

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize <key_size> -keystore wasp.keystore -dname "CN=hostname.domain.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext SAN=dns:hostname.domain.com,dns:hostname,ip:1.2.3.4 -validity <days_cert_is_valid>

Do not use "Unknown"; put the correct values for your organization. The Country value (C) must be a two-letter ISO 3166 country code, and the key size should be at least 2048 bits. Browsers and most TLS libraries match the requested host name against the SAN only and ignore the CN, so https://hostname/ works only if dns:hostname is in the SAN; putting the short name in the CN alone is not enough. The ip: entry is needed only if clients connect by IP address. Note also that publicly trusted CAs do not issue certificates for unqualified host names or private IP addresses, so a certificate that covers https://hostname/ has to come from an internal CA that your clients already trust.

You can verify the SAN was included by the following:

keytool -list -v -keystore wasp.keystore

Result should be something like:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: hostname.domain.com
  DNSName: hostname
  IPAddress: 1.2.3.4
]

Next, generate the CSR. keytool -certreq does not copy extensions from the keystore entry, so the same -ext SAN value must be passed again or the CSR will contain no SAN:

<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool -certreq -alias wasp -validity <days_cert_is_valid> -keystore wasp.keystore -file <your_domain>.csr -ext SAN=dns:hostname.domain.com,dns:hostname,ip:1.2.3.4

Now you should have a valid CSR that contains the SAN (keytool -printcertreq -file <your_domain>.csr decodes it so you can check before submitting). Submit it to a signing authority to get a certificate back. The CA, not the CSR, determines the validity period and which extensions the issued certificate contains, and some CAs drop or rewrite the requested SAN, so inspect the returned certificate (keytool -printcert -file <cert_file>) and confirm both names are still present before importing it.

Then import the CA chain and the issued certificate under the wasp alias as you normally would (see the product documentation), restart wasp, and confirm that the certificate served on the UMP HTTPS port lists both names in its SAN. That should solve the problem.
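As an added example (not from this KB and not CA's own tooling), the following POSIX shell script runs steps 2 to 4 above non-interactively with a SAN that covers both names, and checks the SAN in the keystore entry and in the CSR before the CSR is submitted. It assumes keytool is on PATH, a keystore password of "changeit" (override with STOREPASS), placeholder DN values and host names, and that keytool -printcertreq prints the SAN in the same DNSName:/IPAddress: form shown above. Set RUN_KEYTOOL=1 to actually run the keytool steps; without it the script only defines the functions and a constructed sample dump used to self-check the SAN parser.

```shell
#!/bin/sh
# Added example, not from the KB. Builds the SAN list so it covers every name
# clients will use, runs the keytool steps non-interactively, and checks the
# SAN in both the keystore entry and the CSR before the CSR is submitted.
# Assumptions (not stated on the page): keytool is on PATH, the keystore
# password is "changeit" (override with STOREPASS), the DN values and the
# host names/IP below are placeholders.

KEYTOOL="${KEYTOOL:-keytool}"
KEYSTORE="${KEYSTORE:-wasp.keystore}"
STOREPASS="${STOREPASS:-changeit}"

# Build the keytool -ext value from a list of names: IPv4 literals become
# ip: entries, everything else dns:.  (IPv6 literals are not handled.)
#   build_san hostname hostname.domain.com 1.2.3.4
#   -> SAN=dns:hostname,dns:hostname.domain.com,ip:1.2.3.4
build_san() {
    san=""
    for n in "$@"; do
        case "$n" in
            *[!0-9.]*) entry="dns:$n" ;;
            *)         entry="ip:$n" ;;
        esac
        san="${san:+$san,}$entry"
    done
    printf 'SAN=%s\n' "$san"
}

# Return 0 when a keytool dump (-list -v, -printcert or -printcertreq) lists
# every name given. Matches whole "DNSName: x" / "IPAddress: x" lines, with
# or without the space after the colon, so a cert that only lists
# hostname.domain.com does not pass for hostname.
#   san_covers "$dump" hostname hostname.domain.com 1.2.3.4
san_covers() {
    dump=$1; shift
    for n in "$@"; do
        case "$n" in
            *[!0-9.]*) pat="DNSName: *$n\$" ;;
            *)         pat="IPAddress: *$n\$" ;;
        esac
        printf '%s\n' "$dump" | grep -q "$pat" || return 1
    done
    return 0
}

# Constructed sample of the relevant part of a keytool -list -v dump, used
# for a self-check; it is not real output from a UMP keystore.
SAMPLE_DUMP=$(cat <<'EOF'
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: hostname.domain.com
  DNSName: hostname
  IPAddress: 1.2.3.4
]
EOF
)

# Steps 2-4 of the KB: drop any old wasp entry, generate the key pair with
# the SAN, verify it, then produce a CSR carrying the same SAN and verify
# that too.  Arguments: short host name, FQDN, IPv4 address.
issue_csr() {
    host=$1; fqdn=$2; ip=$3
    san=$(build_san "$host" "$fqdn" "$ip")

    # Step 2: remove the existing alias (ignore "alias does not exist").
    "$KEYTOOL" -delete -alias wasp -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" 2>/dev/null || true

    # Step 3: key pair with both names and the IP in the SAN.
    "$KEYTOOL" -genkeypair -alias wasp -keyalg RSA -keysize 2048 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$fqdn, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US" \
        -ext "$san" -validity 365

    listing=$("$KEYTOOL" -list -v -alias wasp -keystore "$KEYSTORE" \
        -storepass "$STOREPASS")
    san_covers "$listing" "$host" "$fqdn" "$ip" \
        || { echo "keystore entry is missing a SAN name" >&2; return 1; }

    # Step 4: the CSR only carries the SAN if -ext is repeated here.
    "$KEYTOOL" -certreq -alias wasp -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$fqdn.csr" -ext "$san"

    request=$("$KEYTOOL" -printcertreq -file "$fqdn.csr")
    san_covers "$request" "$host" "$fqdn" "$ip" \
        || { echo "CSR is missing a SAN name" >&2; return 1; }
    echo "CSR $fqdn.csr ready for the CA"
}

# After the signed certificate is imported and wasp restarted: print the SAN
# the server actually presents.  Needs openssl; host:port is a placeholder.
show_served_san() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

# Only touch a keystore when asked; the functions above are safe to source.
if [ -n "${RUN_KEYTOOL:-}" ]; then
    issue_csr hostname hostname.domain.com 1.2.3.4
fi
```

show_served_san is for after the import (for example show_served_san hostname.domain.com:443): it prints what the running wasp instance actually presents, which is the only check that matters to the client, and will also reveal a CA that silently dropped the short name from the issued certificate.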

Additional Information:

https://docops.ca.com/ca-unified-infrastructure-management/8-5-1/en/installing-ca-uim/optional-post-installation-tasks/configure-https-in-admin-console-or-ump/