Info: Establishing Trust for Trust Protection Platform Web Services

Applies To:

Current versions of TPP


Trust Protection Platform web services, including Aperture, WebAdmin, WebSDK, and ACME, are typically secured using a certificate issued by an enterprise PKI. Your workstation or server will not trust that certificate by default, because operating systems and applications ship only with the public CA root certificates from each vendor’s trusted root certificates program. To establish trust, you must import the root CA certificate from the trust chain that issued your Trust Protection Platform web certificate into the trust store for your operating system or application. Note: many command-line utilities, such as VCert, OpenSSL, and cURL, let you specify a PEM trust bundle; for those, simply add the root CA certificate to the bundle file.

More Info:

macOS X

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/enterprise-root.crt

Windows (not typically needed because Active Directory Group Policy maintains the CAPI trust store; can also be done using MMC snap-in)

certutil -addstore -f "ROOT" enterprise-root.crt

Linux – Ubuntu and Debian

sudo cp enterprise-root.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

Linux – CentOS, Fedora, and RedHat

sudo yum install ca-certificates

sudo update-ca-trust force-enable

sudo cp enterprise-root.crt /etc/pki/ca-trust/source/anchors/

sudo update-ca-trust extract

Linux – openSUSE and SUSE 12 (and higher)

sudo cp enterprise-root.crt /etc/pki/trust/anchors/

sudo update-ca-certificates

Linux – SUSE 11

sudo cp enterprise-root.crt /etc/ssl/certs/

sudo c_rehash /etc/ssl/certs

Java (the cacerts file that applies to your application can be in various locations, so make sure to identify the correct one)

keytool -import -trustcacerts -alias enterprise-root -file enterprise-root.crt \
        -keystore /usr/java/default/lib/security/cacerts -storepass changeit

You should only add certificates to your trust store that are approved by your organization’s security policy.  If you’re unsure whether a certificate is approved or you are not able to locate the root certificate you need for connecting to Trust Protection Platform, contact your Information Security department.  Self-signed certificates should never be used for the web services of a production Trust Protection Platform installation.
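
One way to confirm that a file is the approved root before running any of the import commands above. This script is an added example, not part of the original article or the product's tooling: it checks that the candidate is a self-signed, currently valid CA certificate whose SHA-256 fingerprint matches a value obtained out of band, and that a server certificate verifies against it as a PEM bundle. The function names and the approved-fingerprint input are assumptions.

```sh
#!/bin/sh
# Added example: vet a candidate root CA file before importing it.
# Assumption: the approved SHA-256 fingerprint reaches you out of
# band (for example from your Information Security department).

# Print a certificate's SHA-256 fingerprint as bare uppercase hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# Return 0 only if $1 is a self-signed, currently valid CA certificate
# whose fingerprint equals the approved value in $2.
check_root_candidate() {
    cert=$1
    approved=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')

    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "REJECT: not a PEM X.509 certificate" >&2; return 1; }

    # A root is self-issued; an intermediate or server certificate is not.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] ||
        { echo "REJECT: issuer differs from subject, not a root" >&2; return 1; }

    # A trust anchor for a PKI should carry basicConstraints CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "REJECT: basicConstraints is not CA:TRUE" >&2; return 1; }

    # Self-signature and validity period, checked against the file itself.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "REJECT: bad self-signature or outside validity period" >&2; return 1; }

    # The fingerprint is what ties this file to the approved root.
    [ "$(cert_fingerprint "$cert")" = "$approved" ] ||
        { echo "REJECT: fingerprint does not match the approved value" >&2; return 1; }
    echo "OK: $subject"
}

# Return 0 if certificate $2 verifies against the PEM bundle $1.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: ./check-root.sh enterprise-root.crt <approved-sha256-fingerprint>
if [ "$#" -eq 2 ]; then
    check_root_candidate "$1" "$2"
fi
```

The fingerprint comparison is the check that matters most: the other tests only establish that the file has the shape of a root certificate, not that it is your organization's root.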

