Importing a CA-signed certificate or a certificate chain of trust

You can import a signed certificate or a certificate chain of trust by using the pending certificates link on the Welcome page of the graphical user interface or the Certificate Direct Import REST Service.

Before you begin

Before you begin, ensure that the alias of the incoming certificate matches the alias of a previous certificate signing request. Write the certificate file to a temporary directory.

Retrieve the alias of the original certificate signing request for use when you import the returned certificate, which must specify the correct alias.

To determine whether the X.500 subject name of a certificate signing request matches the X.500 subject name of the certificate, look up the subject name of the request by running the Certificate List REST Service with the state attribute set to pending.

To look at the subject name of the certificate file, you might take these steps:
  • Windows systems:

    Open the certificate file directly. A Windows native utility displays the information in the certificate in readable format.

  • Other systems:

    Import the certificate into IBM Security Guardium Key Lifecycle Manager by using a new alias. Then, run the Certificate List REST Service, specifying the alias to view the certificate information.

About this task

You can import a single end-entity certificate or a certificate chain of trust. A certificate chain of trust can include an end-entity certificate, one or more intermediate certificate authority (CA) certificates, and a root CA certificate. If you import and trust a certificate chain of trust, all the certificates in the chain are trusted.

Procedure

  • Using the graphical user interface
    1. Log in to the graphical user interface. The Welcome page is displayed.
    2. In the Action Items section of the Welcome page, in the Key Groups and Certificates area, click Third-party certificates pending import.
    3. In the Pending Certificates table, select the pending certificate that you want to import.
    4. Click Import.
    5. Upload the returned certificate. The returned certificate can be an end-entity certificate or a certificate chain of trust.
      Note: If you import a certificate chain of trust, all the certificates in the chain are trusted.

      You can upload a certificate by using one of the following options:

      File
      Select this option to upload a certificate file. Click Browse to go to the directory where the certificate file is stored. Select the file and click Open.
      Certificate content
      Select this option to upload the certificate content. When you select this option, a text box is displayed. Enter the certificate content in the text box.

      Ensure that the certificate content includes BEGIN CERTIFICATE and END CERTIFICATE statements.

    6. Click Import.
  • Using the REST interface
    1. Open a REST client. For more information, see Using Swagger UI.
    2. Authenticate and authorize to access the IBM Security Guardium Key Lifecycle Manager REST services. For more information, see Authentication process for REST services.
    3. Run the Certificate Direct Import REST Service.
      In the request body of the REST service, you can select the certificate file or enter the certificate text. Specify the alias of the certificate. For the usage parameter, specify the value SSLSERVER.
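
A pre-upload check for the returned certificate file or pasted certificate content, as an added example that is not part of the IBM documentation: it confirms that every block is framed by matching BEGIN CERTIFICATE and END CERTIFICATE lines, rejects any other PEM block (for example a private key), and counts the certificates in a chain. The function names and the sample data are assumptions made for this example; it does not verify signatures or compare subject names.

```python
import base64
import binascii
import re

# Matches any PEM block; the label is captured so non-certificate blocks are caught.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def der_is_complete_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (the outer shape of an X.509 certificate)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def check_pem_for_import(text: str) -> int:
    """Return the number of certificates in text; raise ValueError if it should not be uploaded."""
    blocks = PEM_BLOCK.findall(text)
    if text.count("-----BEGIN ") != len(blocks):
        raise ValueError("BEGIN line without a matching END line")
    if not blocks:
        raise ValueError("no BEGIN CERTIFICATE / END CERTIFICATE block found")
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block: {label}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        if not der_is_complete_sequence(der):
            raise ValueError("certificate body is truncated or not DER")
    return len(blocks)


def make_pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"


# Constructed sample: a minimal DER SEQUENCE standing in for a certificate, not a real one.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CHAIN = make_pem("CERTIFICATE", SAMPLE_DER) * 3   # end-entity, intermediate, root
```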

What to do next

After the certificate or certificate chain of trust is imported, it is listed in the server certificates table. To view the table, go to Advanced Configuration > System Certificates > Server Certificates. Use the options on the Server Certificates tab to manage the imported certificate or certificate chain of trust. For more information, see Managing server certificates.