Installing and using a CA Certificate (.pfx) for Service Catalog


Article ID: 16675


Products

CA Service Catalog

Issue/Introduction

How to install and use a certificate issued by a certificate authority and delivered as a PKCS#12 (.pfx) file for CA Service Catalog

Environment

Service Catalog 17.0 and up.

Resolution

For release 17.3 and later, the certificate issued by your certificate authority is already in the PKCS#12 (.pfx) format the product expects, so instead of performing an export/import, rename the .pfx file to casm.keystore and run the SSL Configurator Utility to register its alias:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/administering/enable-ssl-authentication-for-ca-service-management-solution/ssl-configurator-utility-wizard-for-ca-service-management.html

If you need to perform the configuration manually, use the following steps:

1. Create the keystore file with a temporary self-signed key pair (this placeholder entry is removed again in step 9):

keytool -genkey -alias alias_name -keyalg RSA -keystore "%USM_HOME%\.keystore" -keysize 2048

Ensure that the keystore is created as %USM_HOME%\.keystore. Note the alias and the keystore password you choose: the alias is deleted in step 9, and the same password must be used as the destination store password in step 4 and as keystorePass in step 10. RSA keys shorter than 2048 bits are deprecated.

2. Copy the .pfx file to %USM_HOME%.

3. Run %USM_HOME%\usm.cmd (this sets up the product environment for the commands that follow).

4. Import the .pfx into the keystore:

keytool -importkeystore -deststorepass <pfx_password> -destkeystore "%USM_HOME%\.keystore" -srckeystore <pfx_file> -srcstoretype PKCS12 -srcstorepass <pfx_password>

The destination store password must be the password chosen for .keystore in step 1; the example assumes it is the same as the .pfx password, which keeps the key password and the keystore password identical (Tomcat uses keystorePass for both unless keyPass is set separately). The imported private key entry keeps the alias it had in the .pfx.

5. Set the trust store password in %USM_HOME%\viewService.conf:

wrapper.java.additional.11=-Djavax.net.ssl.trustPass=<pfx_password>

6. Set the path to the keystore in the same file:

wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:/Program Files/CA/Service Catalog/.keystore"

The index in wrapper.java.additional.N must be unique within the file; if 10 or 11 is already in use, pick unused numbers. Adjust the path if Service Catalog is installed in a different directory.

7. Install the .pfx into the Windows certificate store (for example by double-clicking it), then export each certificate of the chain (root CA, any intermediate CA, and the server certificate) as a .cer file and import each one into the keystore as a trusted certificate:

keytool -import -alias <alias_name> -file <certfile> -keystore <path_and_file_specification_for_keystore>

Each alias must be unique within the keystore. Example import of a three-certificate chain:

keytool -import -alias root -file "C:\Users\Administrator\Desktop\Certificados\test\root.cer" -keystore "C:\Program Files\CA\Service Catalog\.keystore"
keytool -import -alias intermediate -file "C:\Users\Administrator\Desktop\Certificados\test\intermediate.cer" -keystore "C:\Program Files\CA\Service Catalog\.keystore"
keytool -import -alias last -file "C:\Users\Administrator\Desktop\Certificados\test\last.cer" -keystore "C:\Program Files\CA\Service Catalog\.keystore"

8. Run a list command to find the alias of the private key entry imported from the .pfx:

keytool -list -v -keystore "C:\Program Files\CA\Service Catalog\.keystore" > list.txt

In list.txt, look for the entry whose Entry type is PrivateKeyEntry and whose first certificate is the server certificate (not the self-signed placeholder from step 1). Its alias, generated when the .pfx was exported, is a GUID similar to:

le-c337f214-5606-4b20-bcc1-2af15b2a4f53

9. Remove the temporary self-signed entry created in step 1 from the keystore:

keytool -delete -alias <alias_value_from_step1> -keystore "C:\Program Files\CA\Service Catalog\.keystore"

10. Open %USM_HOME%\view\conf\server.xml and configure the HTTPS connector as follows. keyAlias must be the alias found in step 8, keystorePass the keystore password chosen in step 1 (Tomcat also uses it as the key password unless keyPass is set), and keystoreFile the path used in step 6:

<Connector port="8443" enableLookups="false" tomcatAuthentication="false" maxHttpHeaderSize="20480"
maxThreads="400" minSpareThreads="25" maxSpareThreads="100" debug="0" connectionTimeout="15000"
disableUploadTimeout="true" compression="on" compressionMinSize="2048"
compressableMimeType="text/html,text/plain,text/xml,text/css,text/javascript,image/png,image/gif,image/jpeg,application/json"
scheme="https" secure="true" clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
keystoreFile="C:/Program Files/CA/Service Catalog/.keystore" keyAlias="le-c337f214-5606-4b20-bcc1-2af15b2a4f53" keystorePass="password" URIEncoding="UTF-8"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"/>

Note that URIEncoding takes a bare charset name ("UTF-8"); a stray character inside the quotes makes it invalid. TLSv1 and TLSv1.1 are deprecated (RFC 8996), and the TLS_RSA_* suites use static RSA key exchange without forward secrecy. Unless clients that support nothing newer are still in use, set sslEnabledProtocols="TLSv1.2" (add TLSv1.3 where the JVM supports it) and drop the TLS_RSA_* entries from ciphers, keeping the TLS_ECDHE_* suites.

11. Start the Catalog services and confirm that the HTTPS connector on port 8443 presents the CA-issued certificate rather than the self-signed one.
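Two values in the procedure above are easy to get wrong: the alias that goes into keyAlias (step 8) and the connector settings in step 10. The following Python script is an added example written for this article, not code shipped with CA Service Catalog. Using only the standard library, it parses a constructed, trimmed sample of keytool -list -v output, picks the CA-issued PrivateKeyEntry for keyAlias, lists leftover self-signed key entries to delete in step 9, and audits a <Connector> element for deprecated protocols, RSA-key-exchange cipher suites, a malformed URIEncoding value, a keyAlias that does not match a private key entry in the keystore, and a placeholder keystorePass. The connector strings are trimmed copies of the step 10 connector, once as written and once hardened; the subject names and the hardened password value are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed `keytool -list -v` output; aliases and subjects are hypothetical.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: le-c337f214-5606-4b20-bcc1-2af15b2a4f53
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=catalog.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
*******************************************

Alias name: alias_name
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, O=temp
Issuer: CN=localhost, O=temp
"""

# Step 10's connector cut down to its TLS attributes (weak settings kept) and a hardened
# variant; the hardened keystorePass value is a hypothetical placeholder.
WEAK_CONNECTOR = '''<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" URIEncoding="UTF-8/"
  keyAlias="le-c337f214-5606-4b20-bcc1-2af15b2a4f53" keystorePass="password"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>'''
HARDENED_CONNECTOR = '''<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
  sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8"
  keyAlias="le-c337f214-5606-4b20-bcc1-2af15b2a4f53" keystorePass="s3cret-store-pw"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>'''

DEPRECATED_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568, RFC 8996

def parse_keytool_list(text):
    """Turn `keytool -list -v` output into one dict per alias."""
    entries = []
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:  # [0] is the header
        lines = block.splitlines()
        entry = {"alias": lines[0].strip(), "type": None, "chain_length": 1,
                 "owner": None, "issuer": None}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Entry type":
                entry["type"] = value
            elif key == "Certificate chain length":
                entry["chain_length"] = int(value)
            elif key == "Owner" and entry["owner"] is None:  # first cert is the leaf
                entry["owner"] = value
            elif key == "Issuer" and entry["issuer"] is None:
                entry["issuer"] = value
        entries.append(entry)
    return entries

def self_signed_key_aliases(entries):
    """Private-key entries whose leaf is self-signed: the step 1 placeholder."""
    return [e["alias"] for e in entries
            if e["type"] == "PrivateKeyEntry" and e["owner"] == e["issuer"]]

def choose_key_alias(entries):
    """Value for keyAlias: the single CA-issued private-key entry (step 8)."""
    candidates = [e for e in entries
                  if e["type"] == "PrivateKeyEntry" and e["owner"] != e["issuer"]]
    if len(candidates) != 1:
        raise ValueError(f"expected one CA-issued key entry, found {len(candidates)}")
    return candidates[0]["alias"]

def audit_connector(xml_text, entries):
    """Findings for a Tomcat <Connector>, cross-checked against the keystore listing."""
    conn = ET.fromstring(xml_text)
    findings = []
    def listed(attr):
        return [v.strip() for v in conn.get(attr, "").split(",") if v.strip()]
    for proto in listed("sslEnabledProtocols"):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    for suite in listed("ciphers"):
        if suite.startswith("TLS_RSA_"):  # static RSA key exchange, no forward secrecy
            findings.append(f"RSA key exchange without forward secrecy: {suite}")
    enc = conn.get("URIEncoding", "")
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9._:-]*[A-Za-z0-9])?", enc):
        findings.append(f"malformed URIEncoding: {enc!r}")
    alias = conn.get("keyAlias")
    entry = next((e for e in entries if e["alias"] == alias), None)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        findings.append(f"keyAlias {alias!r} is not a PrivateKeyEntry in the keystore")
    elif entry["chain_length"] < 2:
        findings.append(f"keyAlias {alias!r} has no CA chain behind the leaf")
    if conn.get("keystorePass", "") in {"", "password", "changeit"}:
        findings.append("keystorePass is a placeholder value")
    return findings

if __name__ == "__main__":
    ks = parse_keytool_list(SAMPLE_KEYTOOL_LIST)
    print(choose_key_alias(ks), self_signed_key_aliases(ks), audit_connector(WEAK_CONNECTOR, ks))
```

To use it against a real installation, pass the contents of list.txt from step 8 to parse_keytool_list and the <Connector> element copied from server.xml to audit_connector. On the weak connector above it reports five findings (two deprecated protocols, one TLS_RSA_ suite, the malformed URIEncoding, and the placeholder password); on the hardened variant it reports none.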