Generate and import a host management certificate

A server certificate lets clients verify that they are talking to the genuine Web Services Proxy before they send credentials over the TLS connection. For the host system where the Web Services Proxy is installed, you can use the API endpoints to generate a certificate signing request (CSR) and to import the root, intermediate, and web server certificates that a Certificate Authority (CA) issues in response.

Before you begin

  • You are logged in to the interactive API documentation.

About this task

To manage certificates for the host system with the API, you generate a CSR, send it to a CA, import the issued root, intermediate, and web server certificates, and then reload the web server so that it serves the new chain.
Note: You can also manage certificates in the Unified Manager interface. For more information, see the online help available in Unified Manager.

Steps

  1. From the interactive API documentation, go to the drop-down menu in the upper right and then select v2.
  2. Expand the Administration link and scroll down to the /certificates endpoints.
  3. Generate the CSR file:
    1. Select POST:/certificates, and then select Try it out.
      Selecting Try it out makes the Example values pane editable so that you can enter the common name, organization, organization unit, alternate ID, and other subject information that goes into the CSR. Executing the request makes the web server regenerate its self-signed certificate with a new private key; the CSR is based on that key pair.
    2. Add the required information in the Example values pane, and then click Execute. This step produces the self-signed certificate and the key pair behind the CSR; the CA-signed certificate itself comes from the CA later.
      Note: From this point on, do not call POST:/certificates or POST:/certificates/reset again until the CA-issued chain is imported. Each call generates a new self-signed certificate with a new private key, so a CSR exported before the reset no longer matches the private key on the server, and a certificate that the CA issues for that CSR will not work. If you do call either endpoint again, you must export a new CSR and request a new certificate from the CA.
    3. Execute the GET:/certificates/server endpoint to confirm that the current server certificate is the self-signed certificate and that it carries the information you entered in POST:/certificates.
      The server certificate (denoted by the alias “jetty”) is still self-signed at this point.
    4. Expand the POST:/certificates/export endpoint, select Try it out, enter a file name for the CSR file, and then click Execute.
  4. Copy the fileUrl value from the response and paste it into a new browser tab to download the CSR file, and then send the CSR file to a valid CA to request a new web server certificate chain.
  5. When the CA issues the new certificate chain, use a certificate manager tool to break it out into the root, intermediate, and web server certificates (one file each), and then import them to the Web Services Proxy server in that order:
    1. Expand the POST:/sslconfig/server endpoint and select Try it out.
    2. Enter a name for the CA root certificate in the alias field.
    3. Select false in the replaceMainServerCertificate field, so that the root is added as a trust entry and does not replace the web server certificate.
    4. Browse to and select the new CA root certificate.
    5. Click Execute.
    6. Confirm that the certificate upload was successful.
    7. Repeat the CA certificate upload procedure for the CA intermediate certificate.
    8. Repeat the upload procedure for the new web server certificate file, but this time select true in the replaceMainServerCertificate drop-down so that it replaces the self-signed server certificate.
    9. Confirm that the web server security certificate import was successful.
    10. To confirm that the new root, intermediate, and web server certificates are available in the keystore, run GET:/certificates/server.
  6. Select and expand the POST:/certificates/reload endpoint, and then select Try it out. In the field that asks whether to restart both controllers, select false; true applies only to dual-controller storage arrays, not to the Web Services Proxy host. Click Execute.
    The /certificates/reload endpoint usually returns a successful HTTP 202 response. However, reloading the web server truststore and keystore creates a race condition between the API process and the web server's certificate reload: in rare cases the certificate reload finishes before the API has finished processing the request, so the reload appears to fail even though it succeeded. If this occurs, continue to the next step anyway. If the reload actually failed, the next step also fails.
  7. Close the current browser session to the Web Services Proxy, open a new browser session, and confirm that a new secure browser connection to the Web Services Proxy can be established.
    An incognito or in-private browsing session opens the connection without any saved data from previous browsing sessions, so the browser has to validate the certificate chain the server now presents.
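The following script is added here as an example; it is not part of the NetApp documentation or the product. It automates steps 5 through 7 of the procedure above against the v2 API: it splits the CA-issued PEM bundle into individual certificates, imports the root and intermediates with replaceMainServerCertificate set to false and the web server certificate with it set to true, calls /certificates/reload with the controller restart set to false, and then, as the scripted equivalent of a fresh browser session, opens a new TLS connection that trusts only the CA root and checks GET:/certificates/server. The verdict logic treats a non-202 reload response as a failure only when that check also fails, which is the race condition described under step 6. Assumed rather than taken from the page: the API root /devmgr/v2, HTTP basic authentication, alias and replaceMainServerCertificate as query parameters with the certificate sent as a multipart part named file, a JSON body {"restartBothControllers": false} for the reload, and a GET:/certificates/server response that is a JSON list of objects with an alias key in which the main server certificate keeps the alias jetty. The CA aliases ca-root and ca-intermediate-N, the leaf-first order of the bundle, and all function names are this example's own choices.

```python
# Added example, not NetApp code. Assumptions are listed in the lead-in above
# and repeated in the comments where they apply.
import base64, json, ssl, sys
import urllib.error, urllib.parse, urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
BOUNDARY = "WebServicesProxyCertUpload"  # cannot occur inside a base64 PEM body


def split_pem_chain(bundle_text):
    """Break a PEM bundle into single-certificate PEM strings, in file order.
    Text outside the BEGIN/END markers (bag attributes, comments) is dropped."""
    blocks, current = [], None
    for raw in bundle_text.splitlines():
        line = raw.strip()
        if line == PEM_BEGIN:
            current = [line]
        elif line == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    if current is not None:
        raise ValueError("truncated PEM block: BEGIN CERTIFICATE without END")
    return blocks


def build_upload_plan(root_pem, intermediate_pems, server_pem):
    """(alias, replaceMainServerCertificate, pem) in the page's order: CA root
    and intermediates as trust entries with replace=false, then the web server
    certificate with replace=true. The CA aliases are this example's choice."""
    plan = [("ca-root", False, root_pem)]
    plan += [("ca-intermediate-%d" % (i + 1), False, pem)
             for i, pem in enumerate(intermediate_pems)]
    plan.append(("server", True, server_pem))
    return plan


def reload_verdict(status, aliases_after, expected_aliases):
    """202 is the normal reload result, but the page warns that the web server
    reload can race the API response, so a non-202 is a failure only if the
    keystore check that follows is also missing entries."""
    missing = [a for a in expected_aliases if a not in aliases_after]
    if missing:
        return "failed: keystore missing " + ", ".join(missing)
    return "ok" if status == 202 else "ok (reload returned %s, keystore complete)" % status


def make_client(base_url, user, password, cadata):
    """Return call(method, path, body, content_type, query) -> (status, bytes).
    Assumed: HTTP basic auth and the /devmgr/v2 API root. Only the PEM handed
    in is trusted (the proxy's current self-signed cert, later the CA root)."""
    base = base_url.rstrip("/") + "/devmgr/v2"
    auth = "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    ctx = ssl.create_default_context(cadata=cadata)

    def call(method, path, body=None, content_type="application/json", query=None):
        url = base + path + ("?" + urllib.parse.urlencode(query) if query else "")
        data = body if body is None or isinstance(body, bytes) else json.dumps(body).encode()
        headers = {"Authorization": auth, "Accept": "application/json"}
        if data is not None:
            headers["Content-Type"] = content_type
        req = urllib.request.Request(url, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return call


def upload_certificate(call, alias, replace_main, pem):
    """POST /sslconfig/server. Assumed: alias and replaceMainServerCertificate
    are query parameters and the certificate is the multipart part "file"."""
    part = ('--%s\r\nContent-Disposition: form-data; name="file"; filename="%s.pem"\r\n'
            "Content-Type: application/x-pem-file\r\n\r\n%s\r\n--%s--\r\n"
            % (BOUNDARY, alias, pem, BOUNDARY)).encode()
    query = {"alias": alias, "replaceMainServerCertificate": str(replace_main).lower()}
    return call("POST", "/sslconfig/server", part, "multipart/form-data; boundary=" + BOUNDARY, query)


def main(argv):
    if len(argv) != 6:
        sys.exit("usage: %s https://proxy:8443 USER PASSWORD selfsigned.pem chain.pem" % argv[0])
    base, user, password, selfsigned_path, chain_path = argv[1:]
    blocks = split_pem_chain(open(chain_path).read())
    if len(blocks) < 2:
        sys.exit("chain.pem must hold at least the server certificate and the CA root")
    server_pem, intermediates, root_pem = blocks[0], blocks[1:-1], blocks[-1]  # leaf-first bundle
    call = make_client(base, user, password, open(selfsigned_path).read())
    plan = build_upload_plan(root_pem, intermediates, server_pem)
    for alias, replace_main, pem in plan:
        status, body = upload_certificate(call, alias, replace_main, pem)
        if status >= 300:
            sys.exit("upload of %s failed: HTTP %s %s" % (alias, status, body[:200]))
    status, _ = call("POST", "/certificates/reload", {"restartBothControllers": False})
    # Step 7 in code: a fresh TLS session trusting only the CA root must now succeed.
    verify = make_client(base, user, password, root_pem)
    aliases = [e.get("alias") for e in json.loads(verify("GET", "/certificates/server")[1])]
    print(reload_verdict(status, aliases, [a for a, _, _ in plan if a != "server"] + ["jetty"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 import_chain.py https://proxy:8443 admin 'password' selfsigned.pem chain.pem`, where selfsigned.pem holds the proxy's current self-signed certificate (saved beforehand, for example from `openssl s_client -showcerts`) so that the uploads are pinned to that certificate rather than made with TLS verification switched off. The final check deliberately builds a second client that trusts only the CA root: if the reload did not take effect, the old self-signed certificate is still served and that connection fails, which is exactly the signal step 7 asks you to look for in the browser. Because the script only calls /sslconfig/server and /certificates/reload, it cannot invalidate the CSR; the warning in step 3 still applies if you also script steps 3 and 4.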