How to deploy a certificate issued by customer's internal Certification Authority into CA PAM?

Document ID : KB000014616
Last Modified Date : 24/07/2018
Show Technical Document Details
Introduction:

Customer has their own Certification Authority to issue certificates to their internal servers. Since this is an internal rootCA, it is not known by any standard browser nor the JVM, as well as it is unknown to CA PAM. In this article we will describe the steps you need to follow to import the certificate into CA PAM properly.

 

The steps on this article intend to work around the error "could not identify local issuer".

Question:

How to deploy a certificate issued by customer's internal Certification Authority into CA PAM?

Answer:

1. Export the root CA from the Certificate Authority and any intermediate CA that may be listed on the appliance certificate chain; 

2. Open the CA PAM client and navigate to Config / Security; 

3. Under Certificates, select CA Bundles and import the root CA and intermediate CA; 

4. Configure the CRL to Automatic, pointing to the rootCA CRL URL; 

5. Import the appliance certificate. Before importing, ensure that the certificate file name end in .crt and not .cer (or something else). The certificate, after being imported to CA PAM, must be listed as <filename>.crt - also, it is important to remember to set the certificate file with the same name as the CSR was set (for example, if you used the default value, the CSR was created as default.pem - so the certificate file must be imported as default.crt)

Additional Information:
See also

How to use MS PKI to sign the certificate request issued by Xsuite

https://comm.support.ca.com/kb/how-to-use-ms-pki-to-sign-the-certificate-request-issued-by-xsuite/kb000042197