Add new certificates to trust store

Overview

This document provides examples on how to add certificates to the trust store.
Examples are provided for PAS and Apache.
For other solutions, please consult the documentation for that specific service.

Note:
Make sure to have a backup of the current trust store file, before adding certificates.

Requirements

  • PhenixID Server installed

PhenixID Server

PAS is, by default, using the cacerts file in the jre, shipped with the product, located in: <PASinstallationdir>/Server/jre/lib/security
Keytool can be used to add certificates to the store, like this example:
<PASinstallationdir>/Server/jre/bin/keytool -import -file <pathtocertificatefile>/certificate.cer -keystore <PASinstallationdir>/Server/jre/lib/security/cacerts" -alias myaliasforthecertificate

To verify that certificate has been added, use the following command:
keytool -list -keystore <pathto>/cacerts

NOTE:
If "CertificateValidatorValve" is used, verify the settings for parameters "trust_store_path" and trust_store_ref. Certificates should be added to the file specified in the path.

Apache

If Apache is used, locate the configuration/start file used for the installation.

On Linux it should be something according to this example:
/etc/apache2/sites-enabled/default-ssl.conf

And on Windows:
<apacheinstallationdir>\conf\extra\httpd-ssl.conf

Locate the line:
SSLCACertificateFile
Add the certificate(s) to the file set in “SSLCACertificateFile”.
For example, /etc/apache2/ssl.crt/ca-bundle.crt
This can be done using a text editor, openssl command, certutil or other tools of choice.