Import certificates into the truststore
About this task
You can use Certman to import a CA chain into the truststore of the Dynamic Workload Console, of a master domain manager or of an agent.
If the certificates being imported are part of a chain of 3 or more certificates (one Root CA, followed by one or more Intermediate CAs, followed by the end-user certificate), then ca.crt must contain the Root CA certificate only. Any Intermediate CA certificates must be stored in the additionalCAs subfolder, which therefore becomes a mandatory subfolder. Each Intermediate CA must be stored in the additionalCAs subfolder in its own file.
Note: From V10.2.3, if the certificates being imported are part of a chain, ca.crt can also contain the Intermediate CAs. In this case, it must begin with one or more Intermediate CA certificates and end with the Root CA.
Procedure
- Browse to one of the following installation bin paths, according to the component on which you want to import the CA chain:
  - Master domain manager: <MDM_INST_PATH>/TWS/bin/certman, where <MDM_INST_PATH> is the master domain manager installation directory.
  - Dynamic Workload Console: <DWC_INST_PATH>/bin/certman, where <DWC_INST_PATH> is the Dynamic Workload Console installation directory.
  - Agent: <AGENT_INST_PATH>/TWS/bin/certman, where <AGENT_INST_PATH> is the agent installation directory.
- Import the CA chain by running the following command:
  certman import (-inpath <input path> [-storepasswd <store pwd>] [-all -keypasswd <key pwd>] | -url <host:port> -storepasswd <store pwd>) -alias <alias> [-forcealias] [-agentscope] [-updatedepot] [-workdir <working directory>]
  Where:
- inpath
- Specify the folder that contains the CA chain.
- storepasswd
- Optionally, specify the password of the truststore on the master domain manager.
  Note: If the password contains wildcards, enclose the password in single quotes. For example: -keypasswd 'passw!rd'
- all
- Optionally, import the certificate, the key and the CA chain.
- keypasswd
- Specify the password used to encrypt the private key. If all is specified, this value is mandatory. The password requires a length of at least 8 characters.
  Note: If the password contains wildcards, enclose the password in single quotes. For example: -keypasswd 'passw!rd'
- url
- The URL of a server that contains the CA chain to be imported (for example, the master domain manager server).
- alias
- Specify an alias to be used in the truststore file during the import.
- forcealias
- Optionally, specify an alias to be used in the truststore file that overwrites the existing alias. Use this parameter if the master domain manager already communicates with the Dynamic Workload Console.
- agentscope
- Optionally, add the parameter to the command to extract certificates from the keystore of the agent on which you are launching Certman.
  Note: To target the truststore of a master domain manager, omit the agentscope option and run the command separately.
- updatedepot
- Optionally, add the parameter to the command to update the master domain manager depot folder located at: <TWSDATA>/ssl/depot
- workdir
- Optionally, specify the working directory used by the command for storing data while running. When the command stops running, the working directory is deleted. Ensure you have write access to the specified directory and that enough space is available.
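The input folder layout described above (ca.crt holding the Root CA only, one Intermediate CA per file under additionalCAs), prepared from a PEM bundle and sanity-checked before the import. This is an added example written for this page, not code from the product documentation or from Certman; it assumes the bundle contains CA certificates only and lists them with the Root CA last, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the product documentation or of Certman.
# Lays out a PEM bundle in the folder structure that certman import -inpath
# expects (ca.crt = Root CA only, one Intermediate CA per file under
# additionalCAs/) and sanity-checks that layout before the import.
# Assumptions: the bundle holds CA certificates only (no end-user
# certificate) and lists the chain with the Root CA last.

# nth_cert BUNDLE N: print the N-th (1-based) PEM certificate in BUNDLE.
nth_cert() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }' "$1"
}

# split_ca_bundle BUNDLE OUTDIR: last certificate -> OUTDIR/ca.crt,
# every other certificate -> its own file in OUTDIR/additionalCAs/.
split_ca_bundle() {
    bundle="$1"; outdir="$2"
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle") || true
    [ "$count" -ge 1 ] || { echo "no certificates in $bundle" >&2; return 1; }
    mkdir -p "$outdir/additionalCAs"
    nth_cert "$bundle" "$count" > "$outdir/ca.crt"
    i=1
    while [ "$i" -lt "$count" ]; do
        nth_cert "$bundle" "$i" > "$outdir/additionalCAs/intermediate-$i.crt"
        i=$((i + 1))
    done
}

# check_inpath OUTDIR: pre-flight check for the strict (pre-V10.2.3) layout.
# Returns 0 only if ca.crt holds exactly one certificate and each file in
# additionalCAs/ holds exactly one certificate.
check_inpath() {
    dir="$1"
    [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$dir/ca.crt")" -eq 1 ] ||
        { echo "ca.crt must contain the Root CA only" >&2; return 1; }
    for f in "$dir"/additionalCAs/*.crt; do
        [ -e "$f" ] || break   # no Intermediate CAs present: nothing to check
        [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] ||
            { echo "$f must contain exactly one Intermediate CA" >&2; return 1; }
    done
}

# Typical use, followed by the import itself (syntax as documented above):
#   split_ca_bundle chain.pem /tmp/cachain && check_inpath /tmp/cachain &&
#   <MDM_INST_PATH>/TWS/bin/certman import -inpath /tmp/cachain -alias <alias>
```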