Replacing the default SSL certificate for the Device, Alert, or Web server with a certificate from an external certificate authority
To replace the default SSL certificate for the device, alert, or web server with a certificate from an external certificate authority, use the keytool command.
IBM Spectrum Control ships with a self-signed default certificate. If you have strong security requirements, replace it with a certificate from an external certificate authority so that clients can authenticate the web server when they connect over HTTPS: a CA-signed certificate whose subject name matches the host name lets a browser verify that it is talking to your server and not to an intermediary. Replacing the certificate also removes the certificate error warnings that web browsers show for the self-signed default.
Note: In the following commands, replace <installation_dir> with the IBM Spectrum® Control installation directory. The default installation directory is C:\Program Files\IBM\TPC on Windows and /opt/IBM/TPC on Linux.
- Log on to the server where IBM Spectrum Control is installed. Ensure that you log on with the appropriate user privileges: the commands that follow modify the keystore files under <installation_dir>\wlp\usr\servers, so you need write access to those files.
- Java comes with a utility named keytool that you can use to create and edit keystore files. Use the keytool that is bundled with IBM Spectrum Control so that the keystore format matches the Java runtime that the servers use.
- Open a command prompt and navigate to the directory that contains keytool:
  - For the Windows operating system:
    cd "<installation_dir>\jre\bin"
  - For the AIX® or Linux® operating system:
    cd "<installation_dir>/jre/bin"
- Export the default SSL certificate from each server keystore. Keep the exported files as a record of the certificates that are being replaced. In each command, <..._keystore_password> is the keystore password of that server; the default value is "default".
  - Alert server. For the Windows operating system, enter the following command:
    keytool.exe -exportcert -alias default -keystore "<installation_dir>\wlp\usr\servers\alertServer\resources\security\key.p12" -storetype pkcs12 -storepass <alert_server_keystore_password> -file alertServer.cert
    For the AIX® or Linux® operating system, enter the following command:
    ./keytool -exportcert -alias default -keystore <installation_dir>/wlp/usr/servers/alertServer/resources/security/key.p12 -storetype pkcs12 -storepass <alert_server_keystore_password> -file alertServer.cert
    Where <alert_server_keystore_password> is the alert server keystore password.
  - Device server. For the Windows operating system, enter the following command:
    keytool.exe -exportcert -alias default -keystore "<installation_dir>\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -storepass <device_server_keystore_password> -file deviceServer.cert
    For the AIX® or Linux® operating system, enter the following command:
    ./keytool -exportcert -alias default -keystore <installation_dir>/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 -storepass <device_server_keystore_password> -file deviceServer.cert
    Where <device_server_keystore_password> is the device server keystore password.
  - Web server. For the Windows operating system, enter the following command:
    keytool.exe -exportcert -alias default -keystore "<installation_dir>\wlp\usr\servers\webServer\resources\security\key.p12" -storetype pkcs12 -storepass <web_server_keystore_password> -file webServer.cert
    For the AIX® or Linux® operating system, enter the following command:
    ./keytool -exportcert -alias default -keystore <installation_dir>/wlp/usr/servers/webServer/resources/security/key.p12 -storetype pkcs12 -storepass <web_server_keystore_password> -file webServer.cert
    Where <web_server_keystore_password> is the web server keystore password.
- Delete the previous IBM Spectrum Control certificate from each server keystore. Before you run these commands, make a backup copy of each key.p12 file: deleting the alias removes the private key together with the certificate, and the backup is the only way to roll back. In each command, <keystore_password> is the keystore password of that server; the default value is "default".
  - Device server. For the Windows operating system, enter the following command:
    keytool.exe -delete -alias default -keystore "<installation_dir>\wlp\usr\servers\deviceServer\resources\security\key.p12" -storetype pkcs12 -storepass <keystore_password>
    For the AIX or Linux operating system, enter the following command:
    ./keytool -delete -alias default -keystore <installation_dir>/wlp/usr/servers/deviceServer/resources/security/key.p12 -storetype pkcs12 -storepass <keystore_password>
  - Alert server. For the Windows operating system, enter the following command:
    keytool.exe -delete -alias default -keystore "<installation_dir>\wlp\usr\servers\alertServer\resources\security\key.p12" -storetype pkcs12 -storepass <keystore_password>
    For the AIX or Linux operating system, enter the following command:
    ./keytool -delete -alias default -keystore <installation_dir>/wlp/usr/servers/alertServer/resources/security/key.p12 -storetype pkcs12 -storepass <keystore_password>
  - Web server. For the Windows operating system, enter the following command:
    keytool.exe -delete -alias default -keystore "<installation_dir>\wlp\usr\servers\webServer\resources\security\key.p12" -storetype pkcs12 -storepass <keystore_password>
    For the AIX or Linux operating system, enter the following command:
    ./keytool -delete -alias default -keystore <installation_dir>/wlp/usr/servers/webServer/resources/security/key.p12 -storetype pkcs12 -storepass <keystore_password>
- Create a new key pair for each server by using the following command (replace the placeholders with the values for your keystore):
    keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore <path_to_the_keystore>
  Where <path_to_the_keystore> is the location of the key.p12 file for the alert, device, or web server. The keystore is a PKCS12 file, so pass -storetype pkcs12 as in the export commands; without it an older keytool may fail to open the file. Because key.p12 still exists after the delete step, keytool adds the new key pair to that file and asks for the existing keystore password. Repeat the command for each server for which you want a new key pair. For example, for the device server:
  For the Windows operating system, enter the following command:
    keytool.exe -genkey -alias default -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore "<installation_dir>\wlp\usr\servers\deviceServer\resources\security\key.p12"
  For the AIX® or Linux® operating system, enter the following command:
    ./keytool -genkey -alias default -keyalg RSA -keysize 2048 -storetype pkcs12 -keystore "<installation_dir>/wlp/usr/servers/deviceServer/resources/security/key.p12"
  Note: The example is for the device server. Run the same command for alertServer and webServer.
  - When you are prompted, type the keystore password. Note: This password is required for each subsequent keytool command that you run against the keystore.
  - When you are prompted, type your organization and location information. The first prompt, "What is your first and last name?", sets the common name (CN) of the certificate: enter the fully qualified host name that clients use to reach the server. A certificate whose name does not match the host name still produces browser warnings after it is signed by a CA.
  - When you are prompted, type a password for the key (the alias). Note: The key password can be the same as the keystore password; for a PKCS12 keystore keytool uses the keystore password for the key and ignores a different value.
- After the key pair has been created, use the following command to issue a Certificate Signing Request (CSR) for the keystore (replace the placeholders with the values for your keystore):
    keytool -certreq -alias <keystore_alias> -storetype pkcs12 -keystore <path_to_the_keystore> -file <path_to_the_csr_file_being_created>
  For example:
    keytool -certreq -alias default -storetype pkcs12 -keystore "<installation_dir>\wlp\usr\servers\deviceServer\resources\security\key.p12" -file mydomain.csr
  Note: The example is for the device server. Run the same command for alertServer and webServer, writing a separate CSR file for each.
- Submit the CSR to a CA to create a certificate that is signed by the CA. Send the CSR file to the CA; see the CA website for specific instructions about requesting a new certificate. The CSR contains only the public key and the subject information, so it is safe to send; the private key never leaves the keystore. You can request either a test certificate or a production certificate from the CA; in a production environment, request a production certificate. Important: Before you complete the following steps, the signed certificates must be returned from the CA.
- Install the CA root and any intermediate certificates into the keystore, and then install the generated server certificate. You can get the CA certificates from the CA that issued the server certificate.
  - To install the root and intermediate certificates (start with the root certificate), run the following command (replace the placeholders with the values for your keystore):
    keytool -import -trustcacerts -alias <root_certificate_alias> -file <path_to_the_root_certificate> -storetype pkcs12 -keystore <path_to_the_keystore>
    For example:
    keytool -import -trustcacerts -alias root -file root.crt -storetype pkcs12 -keystore "<installation_dir>\wlp\usr\servers\deviceServer\resources\security\key.p12"
    Where root.crt is the CA root or intermediate certificate and key.p12 is the keystore that holds the key pair you generated. Use a different alias for each certificate in the chain (for example root and intermediate). Note: The example is for the device server. Run the same commands for alertServer and webServer.
  - When you are prompted, confirm that you trust the certificate that is being installed. Compare the fingerprint that keytool prints with the fingerprint that the CA publishes before you answer yes.
  - Repeat the previous two steps for each certificate in the certificate chain.
  - Import the server certificate that was returned from the CA by running the following command (replace the placeholders with the values for your keystore):
    keytool -import -trustcacerts -alias <server_certificate_alias> -file <path_to_server_certificate> -storetype pkcs12 -keystore <path_to_the_keystore>
    For example:
    keytool -import -trustcacerts -alias default -file mydomain.crt -storetype pkcs12 -keystore "<installation_dir>\wlp\usr\servers\deviceServer\resources\security\key.p12"
    The alias must be the alias of the key pair that the CSR was generated from (default), so that keytool attaches the signed certificate to that private key instead of storing it as a separate trusted certificate. If keytool reports that it cannot establish the certificate chain, a root or intermediate certificate is missing from the keystore. Note: The example is for the device server. Run the same command for alertServer and webServer with the certificate that the CA issued for that server.
- Stop and start the device, alert, or web server so that it loads the new certificate. After the restart, confirm that the server presents the CA-signed certificate, for example by opening the server URL in a browser and viewing the certificate details: the issuer should be your CA and the browser should no longer warn.
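The whole procedure for one server, as an added example that is not part of the IBM Spectrum Control documentation or product: a POSIX shell script that runs the keytool steps above non-interactively on AIX or Linux. It assumes the installation directory in INSTALL_DIR (default /opt/IBM/TPC), the keystore password in the environment variable SC_STOREPASS (the shipped default is "default"), and PEM files returned by the CA; the server names and the host name and distinguished name in the usage note are placeholders. It goes beyond the steps above in three ways: it backs up key.p12 before the delete, it passes the password with -storepass:env instead of on the command line, and it requests a subject alternative name (SAN) for the host, which current browsers check instead of the CN.

```shell
#!/bin/sh
# Added example, not IBM's own script: drives the keytool steps for one
# Spectrum Control server keystore. Assumed: INSTALL_DIR, the keystore
# password in SC_STOREPASS, PEM files from the CA. Key and store passwords are
# kept equal, which is what keytool requires for a PKCS12 keystore.
set -eu

INSTALL_DIR="${INSTALL_DIR:-/opt/IBM/TPC}"
KEYTOOL="${KEYTOOL:-$INSTALL_DIR/jre/bin/keytool}"
PASS_VAR="SC_STOREPASS"   # keytool reads the password from this variable

# Liberty keystore of one of the three servers; refuses anything else.
keystore_path() {
  case "$1" in
    deviceServer|alertServer|webServer) ;;
    *) echo "unknown server '$1' (use deviceServer, alertServer or webServer)" >&2; return 1 ;;
  esac
  printf '%s/wlp/usr/servers/%s/resources/security/key.p12\n' "$INSTALL_DIR" "$1"
}

# Run one keytool command against a server keystore. -storepass:env keeps the
# password out of the process list and the shell history.
kt() {
  server="$1"; shift
  ks="$(keystore_path "$server")" || return 1
  "$KEYTOOL" "$@" -keystore "$ks" -storetype pkcs12 -storepass:env "$PASS_VAR"
}

# Phase 1 (before the CA): back up, record the shipped certificate, remove it,
# generate a 2048-bit RSA key pair and write the CSR to send to the CA.
prepare_csr() {
  server="$1" fqdn="$2" dname="$3"
  ks="$(keystore_path "$server")"
  cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"   # rollback point: -delete drops the private key too
  kt "$server" -exportcert -alias default -file "$server.certdefault"
  kt "$server" -delete -alias default
  # A SAN matching the host name is what browsers check; CN alone is not enough.
  kt "$server" -genkeypair -alias default -keyalg RSA -keysize 2048 \
     -dname "$dname" -ext "san=dns:$fqdn" -keypass:env "$PASS_VAR"
  kt "$server" -certreq -alias default -ext "san=dns:$fqdn" -keypass:env "$PASS_VAR" \
     -file "$server.csr"
  echo "CSR written to $server.csr; send it to the CA" >&2
}

# Phase 2 (after the CA replies): root first, then intermediates, then the
# server certificate under the alias the CSR came from. keytool prints the
# fingerprint and asks before trusting a root it cannot verify; check it
# against the fingerprint the CA publishes.
install_chain() {
  server="$1"; shift
  n=0
  for ca in "$@"; do
    n=$((n + 1))
    kt "$server" -importcert -trustcacerts -alias "ca$n" -file "$ca"
  done
}

install_server_cert() {
  server="$1" cert="$2"
  kt "$server" -importcert -trustcacerts -alias default -file "$cert"
  # keytool stores the full chain on the key entry; a length of 1 means the
  # reply went in without its CA chain and clients will not trust it.
  chain_len="$(kt "$server" -list -v -alias default | sed -n 's/^Certificate chain length: //p')"
  [ "${chain_len:-0}" -gt 1 ] || { echo "$server: no CA chain on alias default" >&2; return 1; }
}

usage() {
  echo "usage: $0 prepare <server> <fqdn> '<dname>'" >&2
  echo "       $0 install <server> <server.crt> <root.crt> [intermediate.crt ...]" >&2
  exit 2
}

run() {
  case "${1:-}" in
    prepare) [ $# -eq 4 ] || usage; prepare_csr "$2" "$3" "$4" ;;
    install) [ $# -ge 4 ] || usage; server="$2"; cert="$3"; shift 3
             install_chain "$server" "$@"; install_server_cert "$server" "$cert" ;;
    *) usage ;;
  esac
}

# Act only when given a sub-command; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then run "$@"; fi
```

Run it once per server, first with `SC_STOREPASS=default ./sc-cert.sh prepare webServer sc.example.com 'CN=sc.example.com, O=Example, C=US'`, and after the CA replies with `SC_STOREPASS=default ./sc-cert.sh install webServer server.crt root.crt intermediate.crt`, then restart the server as in the last step. The same keytool options work with keytool.exe and backslash paths on Windows. Some CAs ignore the SAN in a CSR and want the host names entered on their request form; check the issued certificate for the SAN before installing it.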