Import certificates into the truststore

About this task

You can use Certman to import a CA chain into the truststore of the Dynamic Workload Console, of a master domain manager or of an agent.

If the certificates being imported are part of a chain consisting of 3 or more certificates (one Root CA, followed by one or more Intermediate CAs, followed by the end user certificate), then the ca.crt must contain the Root CA certificate only. Any Intermediate CA certificates must be stored in the additionalCAs subfolder, which therefore becomes a mandatory subfolder. Each Intermediate CA must be stored in the additionalCAs subfolder in its own file.
Note: From V10.2.3, if the certificates being imported are part of a chain, the ca.crt can also contain the Intermediate CAs. In this case, it must begin with one or more Intermediate CA certificates and end with the Root CA.
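
The layout rules above can be checked before running the import. The following script is an added example, not part of the product: check_inpath, count_certs and the mode names legacy and bundled are hypothetical, and it assumes the certificates are PEM-encoded.

```shell
#!/usr/bin/env bash
# Added example: pre-flight layout check for a certman -inpath folder.
# check_inpath, count_certs and the mode names are hypothetical.
# Rules checked (from the text above):
#   legacy  : ca.crt holds exactly one certificate (the Root CA)
#   bundled : (V10.2.3 or later) ca.crt may hold intermediates, then the Root CA
#   both    : every file in additionalCAs/ holds exactly one certificate
# Only PEM block counts are checked, not signatures or certificate order.

count_certs() {
    # grep -c exits non-zero on zero matches or a missing file; treat both as 0.
    cc_n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${cc_n:-0}"
}

check_inpath() {
    ci_dir=$1
    ci_mode=${2:-legacy}
    ci_rc=0

    if [ ! -f "$ci_dir/ca.crt" ]; then
        echo "ERROR: $ci_dir/ca.crt not found" >&2
        return 1
    fi

    ci_n=$(count_certs "$ci_dir/ca.crt")
    if [ "$ci_n" -eq 0 ]; then
        echo "ERROR: ca.crt contains no PEM certificate" >&2
        ci_rc=1
    elif [ "$ci_mode" = legacy ] && [ "$ci_n" -ne 1 ]; then
        echo "ERROR: ca.crt holds $ci_n certificates; keep the Root CA only" >&2
        echo "       and move each Intermediate CA to additionalCAs/" >&2
        ci_rc=1
    fi

    if [ -d "$ci_dir/additionalCAs" ]; then
        for ci_f in "$ci_dir"/additionalCAs/*; do
            [ -f "$ci_f" ] || continue
            ci_m=$(count_certs "$ci_f")
            if [ "$ci_m" -ne 1 ]; then
                echo "ERROR: $ci_f holds $ci_m certificates; one per file" >&2
                ci_rc=1
            fi
        done
    fi
    return "$ci_rc"
}

# Usage: ./check_inpath.sh <input path> [legacy|bundled]
if [ "$#" -gt 0 ]; then check_inpath "$@"; fi
```

A zero exit status means the folder matches the layout for the selected mode; the same folder is then passed to certman import with -inpath.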

Procedure

  1. Browse to one of the following installation bin paths, according to the component on which you want to import the CA chain:
    Master domain manager
    <MDM_INST_PATH>/TWS/bin/certman, where <MDM_INST_PATH> is the master domain manager installation directory.
    Dynamic Workload Console
    <DWC_INST_PATH>/bin/certman, where <DWC_INST_PATH> is the Dynamic Workload Console installation directory.
    Agent
    <AGENT_INST_PATH>/TWS/bin/certman, where <AGENT_INST_PATH> is the agent installation directory.
  2. Import the CA chain by running the following command:
    certman import (-inpath <input path> [-storepasswd <store pwd>][-all -keypasswd <key pwd>]|-url <host:port> -storepasswd <store pwd>) -alias <alias> [-forcealias] [-agentscope] [-updatedepot] [-workdir <working directory>]

    Where:

    inpath
    Specify the folder that contains the CA chain.
    storepasswd
    Optionally, specify the password of the truststore on the master domain manager.
    all
    Optionally, import the certificate, the key and the CA chain.
    keypasswd
    Specify the password used to encrypt the private key. If all is specified, this value is mandatory.
    url
    The URL of a server that contains the CA chain to be imported (for example, the master domain manager server).
    Where
    host
    The fully qualified host name or IP address of the server.
    port
    The HTTPS port.
    alias
    Specify an alias to be used in the truststore file during the import.
    forcealias
    Optionally, specify an alias to be used in the truststore file that overwrites the existing alias. Use this parameter if the master domain manager already communicates with the Dynamic Workload Console.
    agentscope
    Optionally, specify that the action performed by the command applies to the truststore of an agent.
    Note: To target the truststore of a master domain manager, omit the agentscope option and run the command separately.
    updatedepot
    Optionally, update the master domain manager depot folder located at: <TWSDATA>/ssl/depot
    workdir
    Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure that you have write access to the specified directory and that enough space is available.

Results

The CA chain has been imported into the truststore of the Dynamic Workload Console, master domain manager or agent.