Applies To:
Current versions of TPP
Summary:
Trust Protection Platform web services including Aperture, WebAdmin, WebSDK, and ACME are typically secured using a certificate issued by an enterprise PKI. This means that your workstation or server will not trust the certificate by default, because only public CA root certificates are distributed with operating systems and applications as part of each vendor’s trusted root certificate program. To establish trust you must import the root CA certificate from the trust chain that issued your Trust Protection Platform web certificate into the trust store of your operating system or application. Note: many command line utilities such as VCert, OpenSSL and cURL let you specify a PEM trust bundle, so for those simply append the root CA certificate to the bundle file.
More Info:
macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/enterprise-root.crt
Windows (not typically needed because Active Directory Group Policy maintains the CAPI trust store; can also be done using MMC snap-in)
certutil -addstore -f "ROOT" enterprise-root.crt
Linux – Ubuntu and Debian
sudo cp enterprise-root.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Linux – CentOS, Fedora, and Red Hat
sudo yum install ca-certificates
sudo update-ca-trust force-enable
sudo cp enterprise-root.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
Linux – openSUSE and SUSE 12 (and higher)
sudo cp enterprise-root.crt /etc/pki/trust/anchors/
sudo update-ca-certificates
Linux – SUSE 11
sudo cp enterprise-root.crt /etc/ssl/certs/
sudo c_rehash /etc/ssl/certs
Java (the cacerts file that applies to your application can be in various locations so make sure to identify the correct one)
keytool -import -trustcacerts -alias enterprise-root -file enterprise-root.crt \
-keystore /usr/java/default/lib/security/cacerts -storepass changeit
You should only add certificates to your trust store that are approved by your organization’s security policy. If you’re unsure whether a certificate is approved or you are not able to locate the root certificate you need for connecting to Trust Protection Platform, contact your Information Security department. Self-signed certificates should never be used for the web services of a production Trust Protection Platform installation.