Unable to change certificate used by SSPR Appliance

  • 7022716
  • 07-Mar-2018
  • 07-Mar-2018

Environment

Self Service Password Reset
SSPR 4.2
SSPR Appliance Configuration

Situation

Unable to activate a new certificate on the SSPR Appliance
Can't change the active cert in the Appliance Configuration menu
The certificate can be imported but cannot be made active
The self-signed cert remains the active cert after importing the new certificate


Resolution

The certificate had been added as a trusted certificate, not as a key pair. Re-import the new certificate as a key pair; in other words, import the cert as a PFX / P12 file.




Note: If the P12 / PFX file does not include all the certificates in the chain, the missing root certs will need to be imported into the SSPR appliance as trusted certs before importing the PFX / P12 file. This is done from the SSPR Appliance Certificates page: select "JVM Certificates" from the Key Store drop-down.

Cause

The customer had imported the public-key certificate only, not the required P12 or PFX file. P12 and PFX files contain both the private key and the public-key certificate. The SSPR Appliance requires both the private and public keys.
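The Resolution, the Note and the Cause above come down to one thing: the file you import as a Web Application Certificate must be a key pair (private key plus certificate) and should carry the issuing chain. The following script is an added example, not part of this KB article or of the SSPR product. It builds a constructed demo PKI (placeholder names, placeholder password) with OpenSSL, exports the leaf key and certificate together with its chain as a PKCS#12 bundle, and defines three checks a practitioner can run on any P12 / PFX before importing it: does it contain a private key at all, how many certificates does it carry, and does the chain verify.

```shell
#!/bin/sh
# Added example (not the KB article's or SSPR's own code): build the kind of
# PKCS#12 (P12 / PFX) bundle the appliance expects and check a file before importing.
# The PKI is constructed on the fly in a temp dir; names and the password are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS=changeit   # placeholder export password

# Constructed demo PKI: root CA -> intermediate CA -> wildcard leaf (assumed names).
make_demo_pki() {
  (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.crt >/dev/null 2>&1
    # The intermediate must be marked as a CA, otherwise the chain will not verify.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -days 30 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -out inter.crt >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -days 30 -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -out leaf.crt >/dev/null 2>&1
    cat inter.crt root.crt > chain.pem   # issuing chain only, leaf excluded
  )
}

# The Resolution: private key + leaf cert + chain in ONE PKCS#12 file.
# Importing leaf.crt alone gives the appliance only the public half (the Cause).
build_p12() {
  openssl pkcs12 -export -name sspr -passout "pass:$P12_PASS" \
      -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" -certfile "$WORK/chain.pem" \
      -out "$WORK/sspr.p12"
}

# Check 1: does the file carry a private key, i.e. is it really a key pair?
# Returns 0 for a PKCS#12 with a key, 1 for a bare certificate or a key-less bundle.
has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Check 2: how many certificates the bundle carries. Fewer than the full chain means the
# missing CA certs must first be imported into the JVM Certificates key store (see Note).
cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Check 3: the leaf actually validates through the intermediate up to the root.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

make_demo_pki
build_p12
if has_private_key "$WORK/sspr.p12" "$P12_PASS"; then
  echo "sspr.p12: key pair, importable as a Web Application Certificate"
fi
if ! has_private_key "$WORK/leaf.crt" "$P12_PASS"; then
  echo "leaf.crt: certificate only, would only land as a trusted certificate"
fi
echo "certificates in bundle: $(cert_count "$WORK/sspr.p12" "$P12_PASS")"
if chain_verifies; then echo "chain verifies"; fi
```

Run the `has_private_key` and `cert_count` checks against the real P12 / PFX (with its real password) before uploading it: a file that fails check 1 is exactly the public-key certificate described under Cause, and a bundle with fewer certificates than the chain needs the Note's extra step. If an appliance rejects a bundle produced by OpenSSL 3, re-exporting with the `-legacy` option of `openssl pkcs12` falls back to the older PKCS#12 algorithms.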

Additional Information


Steps to duplicate:
Access the SSPR Appliance port (9443).
In the Appliance Configuration menu, select "Appliance Certificates".
Select "Web Application Certificates" from the drop-down.
The self-signed cert that ships with the product is the only one that shows.
Select File, then Import, and import the new cert.
Select the new certificate, click Set as Active, then click Yes.

• The self-signed cert remains "dark" (active) and the new cert remains grayed out.
• A pop-up notice is received saying the self-signed cert is in use and services must be restarted.

Click Close to exit Digital Certificates.
Reboot the SSPR Appliance.
Go back into the Appliance Certificates menu; the self-signed cert still shows as the active certificate.
Repeat the above steps and the same result is received. We are not able to make the new cert the active certificate.

In this case the problem was seen with a wildcard certificate.