How to import a signed certificate that contains the full chain of trust and private key into DPA - Linux

In some cases a customer s CA will have already provided a signed certificate. Some customer s procedures require that they generate\retrieve a certificate in this way. It typically happens when the CA is issuing a wildcard certificate or when a sever goes by multiple domain names.

In these cases, it may be possible to simply import the signed certificate into apollo.keystore, if and only if, the signed certificate they ve received contains the full certificate chain and private key.
Certificate formats which can contain the private key are listed below:
PKCS#12 (.pfx or .p12)- can store the server certificate, the intermediate certificate and the private key in a single .pfx file with password protection. Since these files contain the full chain and the private key, you will be able to import it directly into apollo.keystore, but remember you will need the alias and alias password to do so (the owner of the certificate should have this information).

PEM (.pem, .crt, .cer, or .key)- can include the server certificate, the intermediate certificate and the private key in a single file. The server certificate and intermediate certificate can also be in a separate .crt or .cer files and the private key can be in a .key file. If the server\intermediate certificates and key are separate, this will not suffice to import directly.

You can check by opening the certificate file in a text editor. Each certificate is contained between the ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE---- statements. The private key is contained between the ---- BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements. Ensure that the number of certificates contained in ---- BEGIN CERTIFICATE---- and ----END CERTIFICATE---- statements matches the number of certificates in the chain (server and intermediate) and ends with ---- BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY. If the file does not contain the full certificate chain and private key, the certificate will need to be imported into the keystore it was generated from. If you are unsure about the certificate chain see https://support.emc.com/kb/532108

Once you have verified that you have the full certificate chain and private key in one file, you should have everything you need to import with the following steps:

1. Make a copy of the apollo.keystore and standalone.xml files from dpa/services/standalone/configuration and the application-service.conf file from dpa/services/executive. In the event that you need to revert back to the original configuration, you can use these files to restore DPA to working order.  Place the copies in a folder on the desktop for safe keeping and to avoid confusion.

2. Open the copy of the standalone.xml file and search for 'key-alias'. You should see a line containing the key-alias and password like this:  
3. Run the following command from the DPA install directory in services/_jre/bin:
./keytool -importkeystore -srckeystore "/opt/emc/dpa/services/standalone/configuration/wildcard.pfx" -srcstoretype pkcs12 -destkeystore "/opt/emc/dpa/services/standalone/configuration/apollo.keystore" -deststoretype JKS

Note: You will need to specify the correct location of the signed certificate file (srckeystore) and apollo.keystore (destkeystore). See the example below for more information on what you will be asked to enter:  
4. List the contents of apollo.keystore to verify that the signed certificate was imported correctly:
5. Restart application services and attempt to log into the GUI.** In the event that restarting services produces an error, app svc fail to start, or you cannot access the GUI at this point: