How To
Summary
Importing the certificate chain or a p7b certificate into IBM Resilient
Steps
If you obtain the intermediate certificate and root certificate together with the server certificate from your certificate authority (CA), or if you obtain a p7b file from your CA, use the following procedure to import the certificate into IBM Resilient.
1. Convert the certificate to PEM format using one of the following methods, depending on what you have:
a. If you receive a DER-encoded PKCS7 file (.p7b file) that contains the certificate chain, run the command:
openssl pkcs7 -in certificate.p7b -inform DER -print_certs -outform PEM -out chain_cert.pem
b. If you receive a PEM-encoded PKCS7 file (.p7b file) that contains the certificate chain, run the command:
openssl pkcs7 -in certificate.p7b -inform PEM -print_certs -outform PEM -out chain_cert.pem
c. If you receive the server certificate, intermediate certificate and root certificate separately in PEM format, run the command:
cat server_cert.pem inter_cert.pem root_cert.pem >> chain_cert.pem
d. If you receive the server certificate, intermediate certificate and root certificate separately in DER format, convert each of them to PEM format and then follow step c above to create the chain certificate. The commands are:
openssl x509 -inform der -in certificate.cer -out certificate.pem
cat server_cert.pem inter_cert.pem root_cert.pem >> chain_cert.pem
2. Open the newly generated "chain_cert.pem" in a text editor, delete everything outside the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries (keep only the certificates themselves, that is, the boundary lines and the encoded content between them), and save it.
The "chain_cert.pem" file should then look like this:
-----BEGIN CERTIFICATE-----
CA File from CertNow Base64
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CA File from CertNow Base64
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xx Actual Cert Base 64
-----END CERTIFICATE-----
3. Import the certificate with the command:
sudo cert-import chain_cert.pem
4. Verify that the certificate is available in the keystore with the command:
sudo keytool -list -v -keystore /crypt/certs/keystore -storepass "$(sudo resutil keyvaultget -name keystore)"
5. Restart the Resilient service:
sudo systemctl restart resilient
If you are on Resilient v32 or a higher version, you also need to restart the resilient-messaging service:
sudo systemctl restart resilient-messaging
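The manual cleanup in step 2 can be scripted and checked before the import in step 3. The following shell functions are an added example, not part of IBM's procedure or tooling; the names strip_pem_chain and check_pem_chain are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not IBM tooling); function names are hypothetical.

# Keep only the BEGIN..END CERTIFICATE blocks of file $1, as step 2 does by hand.
# Drops "subject="/"issuer=" lines, blank lines, and trailing CR or spaces.
strip_pem_chain() {
    awk '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ { inside = 1 }
        inside { sub(/[ \t\r]+$/, ""); print }
        /^-----END CERTIFICATE-----[ \t\r]*$/ { inside = 0 }
    ' "$1"
}

# Print the number of complete certificate blocks in file $1. Returns 1 when
# there are none or a marker is unpaired (for example a truncated file).
check_pem_chain() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { if (in_cert) bad = 1; in_cert = 1 }
        /^-----END CERTIFICATE-----/ { if (in_cert) n++; else bad = 1; in_cert = 0 }
        END { print n + 0; exit ((bad || in_cert || n == 0) ? 1 : 0) }
    ' "$1"
}

# Constructed sample shaped like "openssl pkcs7 -print_certs" output; the
# base64 lines are placeholders, not real certificates.
demo() {
    raw=$(mktemp) && clean=$(mktemp) || return 1
    for name in server intermediate root; do
        printf 'subject=CN = %s.example\nissuer=CN = Example CA\n\n' "$name"
        printf '%s\r\n' '-----BEGIN CERTIFICATE-----'
        printf 'PLACEHOLDER%sBASE64\n' "$name"
        printf '%s\n\n' '-----END CERTIFICATE-----'
    done > "$raw"
    strip_pem_chain "$raw" > "$clean"
    echo "certificates kept: $(check_pem_chain "$clean")"
    rm -f "$raw" "$clean"
}
demo
```

Write the stripped output to a new file and replace chain_cert.pem with it only after check_pem_chain reports the number of certificates you expect in the chain.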
Document Location
Worldwide
Document Information
Modified date:
19 April 2021
UID
ibm11160974