Article Number: 000157596


Data Protection Advisor (DPA): How to import a signed certificate that contains the full chain of trust and private key into DPA - Windows

Summary: How to import a signed certificate that contains the full chain of trust and private key or wildcard certificate on to the DPA application server.

Article Content


Instructions

In some cases, a user's Certificate Authority (CA) has already provided a signed certificate. Some users' procedures require that they generate or retrieve a certificate in this way. This typically happens when the CA issues a wildcard certificate or when a server goes by multiple domain names.

In these cases, it may be possible to simply import the signed certificate into apollo.keystore, but only if the signed certificate that was received contains the full certificate chain and the private key.

Certificate formats which can contain the private key are listed below:
  • PKCS#12 (.pfx or .p12) can store the server certificate, the intermediate certificate, and the private key in a single password-protected .pfx file. Since these files contain the full chain and the private key, it is possible to import them directly into apollo.keystore, but remember that the alias and alias password are needed to do so (the owner of the certificate should have this information).
  • PEM (.pem, .crt, .cer, or .key) can include the server certificate, the intermediate certificate, and the private key in a single file. The server certificate and intermediate certificate can also be in separate .crt or .cer files, with the private key in a .key file. If the server and intermediate certificates and the key are in separate files, they cannot be imported directly.
Check by opening the certificate file in a text editor.

Each certificate is contained between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements.

The private key is contained between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements.

Ensure that the number of certificates contained between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements matches the number of certificates in the chain (server and intermediate), and that the file ends with the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- block.

If the file does not contain the full certificate chain and private key, the certificate must be imported into the keystore it was generated from. If you are unsure about the certificate chain, refer to KB article 532108: How to manually separate the server, intermediate, and root certificates from a single signed certificate.
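The text-editor check above can be automated. The following Python script is an added example (not part of the Dell article) that counts the PEM certificate blocks, confirms exactly one private key block is present and that it comes after the chain, and reports whether the file is a direct-import candidate. The PEM bundle embedded in it is constructed with placeholder bodies, and the expected chain length is something only the certificate owner can supply.

```python
import re

# Constructed sample PEM bundle: the base64 bodies are placeholders, not a real
# certificate or key. Layout matches what the article says to look for:
# server cert, intermediate cert, then the RSA private key at the end.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...server-certificate-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...intermediate-certificate-placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...private-key-placeholder...
-----END RSA PRIVATE KEY-----
"""

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Group 1 captures the optional label prefix ("RSA ", "EC ", "ENCRYPTED ", or
# nothing for a PKCS#8 "BEGIN PRIVATE KEY") so the END marker must match it.
KEY_RE = re.compile(r"-----BEGIN ([A-Z ]*)PRIVATE KEY-----.*?-----END \1PRIVATE KEY-----", re.S)


def inspect_pem_bundle(text, expected_chain_length):
    """Count PEM blocks and decide whether the file is a direct-import candidate.

    expected_chain_length is the number of certificates the CA's chain should
    carry (server plus intermediates), which the certificate owner knows.
    """
    certs = list(CERT_RE.finditer(text))
    keys = list(KEY_RE.finditer(text))
    # The article's rule: the chain comes first and the file ends with the key.
    key_follows_chain = bool(certs) and bool(keys) and keys[-1].start() > certs[-1].end()
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        "key_labels": [m.group(1).strip() or "PKCS#8" for m in keys],
        "chain_complete": len(certs) == expected_chain_length,
        "importable": len(certs) == expected_chain_length
                      and len(keys) == 1 and key_follows_chain,
    }


def inspect_pem_file(path, expected_chain_length):
    """Same check for a file on disk, read as text like the editor step above."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return inspect_pem_bundle(fh.read(), expected_chain_length)


if __name__ == "__main__":
    print(inspect_pem_bundle(SAMPLE_PEM, expected_chain_length=2))
```

A result with "importable" False means the file must go back to the keystore it was generated from, as the article states.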

Once it has been verified that the full certificate chain and private key are in one file, everything needed to import the certificate into DPA via the following steps is available:
  1. Make a copy of the apollo.keystore and standalone.xml files from dpa\services\standalone\configuration and the application-service.conf file from dpa\services\executive. In the event that you need to revert to the original configuration, you can use these files to restore DPA to working order. Place the copies in a folder on the desktop for safe keeping and to avoid confusion.
  2. Open the copy of the standalone.xml file and search for 'key-alias'. A line containing the key-alias and password similar to this should be seen:
<ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo"
Take note of the password in this line. It is the apollo.keystore password and it is needed in the next steps.
  3. Run the following command from services\_jre\bin in the DPA install directory:
keytool -importkeystore -srckeystore "c:\Program files\emc\dpa\services\standalone\configuration\wildcard.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore" -deststoretype JKS

Note: Specify the correct location of the signed certificate file (srckeystore) and of apollo.keystore (destkeystore). See the example below for what needs to be entered:
D:\Program Files\EMC\DPA\services\_jre\bin>keytool -importkeystore -srckeystore "c:\Program files\emc\dpa\services\standalone\configuration\wildcard.pfx" -srcstoretype pkcs12 -destkeystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore" -deststoretype JKS
 
Enter destination keystore password: (apollo.keystore password- check standalone.xml)
Enter source keystore password: (alias password-owner of certificate will know this)
Entry for alias my_alias successfully imported.
Import command completed:1 entries successfully imported, 0 entries failed or cancelled
  4. List the contents of apollo.keystore to verify that the signed certificate was imported correctly:
keytool -list -v -keystore "c:\Program files\emc\dpa\services\standalone\configuration\apollo.keystore"
(Enter the apollo.keystore password)
 
It should now contain the entry for apollokey and a new entry with the user's alias (wildcardalias in this example, or whatever alias the signed certificate was assigned). You should see that this is a PrivateKeyEntry and that it contains the full certificate chain.
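The three things to look for in the keytool -list -v output (alias present, entry type PrivateKeyEntry, chain length equal to the number of certificates in the chain) can be checked mechanically. This Python helper is an added example, not from the Dell article; the keytool output it parses is a constructed, abbreviated sample and the alias wildcardalias is taken from the article.

```python
import re

# Constructed, abbreviated sample of "keytool -list -v" output. Not captured
# from a real DPA server; the separator and field names follow keytool's format.
SAMPLE_KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: apollokey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dpa, O=EMC

*******************************************
*******************************************

Alias name: wildcardalias
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.com, O=Example
Certificate[2]:
Owner: CN=Example Intermediate CA
"""


def parse_keytool_list(text):
    """Map each alias in keytool -list -v output to its entry type and chain length."""
    entries = {}
    for chunk in text.split("Alias name: ")[1:]:
        alias = chunk.split(None, 1)[0]
        etype = re.search(r"Entry type: (\w+)", chunk)
        chain = re.search(r"Certificate chain length: (\d+)", chunk)
        entries[alias] = {
            "type": etype.group(1) if etype else None,
            # TrustedCertEntry entries carry no chain length line; report 0.
            "chain_length": int(chain.group(1)) if chain else 0,
        }
    return entries


def import_looks_correct(text, alias, expected_chain_length):
    """True when alias is a PrivateKeyEntry carrying the expected number of certificates."""
    entry = parse_keytool_list(text).get(alias)
    return (entry is not None and entry["type"] == "PrivateKeyEntry"
            and entry["chain_length"] == expected_chain_length)
```

Feed it the saved output of the keytool -list -v command from the previous step and the alias the certificate owner supplied.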
  5. Restart application services and attempt to log into the GUI. In the event that restarting services produces an error, application services fail to start, or you cannot access the GUI at this point:
  • Open application-service.conf and search for 'apollo.key'. You should see that the alias has been updated to the alias you imported (in this case, wildcardalias).
  • Open standalone.xml with a text editor and search for 'key-alias'. You should see a line similar to the one below that shows the alias you imported:   
key-alias="${apollo.keystore.alias:emcdpa}"

If not, change the key alias to match the one associated with the signed certificate. Also, double check that the password is the same as you have been using throughout. 

If you need to change the alias or password in these files, then:    
  1. Stop application services.
  2. Edit and save the files.
  3. Restart services.
  4. If the issue persists, contact DPA support.

Article Properties

Affected Product: Data Protection Advisor
Product: Data Protection Advisor
Last Published Date: 20 Nov 2020
Version: 2
Article Type: How To