By: Karl Jaro user 16 Mar 2017 at 6:08 p.m. CDT

7 Responses
Hello Gluu, I'm on my last step with the implementation of Google Apps SSO. I asked our IT Director for a certificate and he provided me with a .p7b file. How can I import it to Gluu? Do I need to put a certificate for both Shib and Asimba? Or can I just put that to Apache just to remove the 'connection not secured'? Thanks in advance.

By Karl Jaro user 16 Mar 2017 at 6:11 p.m. CDT

To give you a better view, here's the message.

> Files are in /home/centos/tls/company.com-wildcard. Are we using Gluu with Tomcat? If so, I think you should follow the instructions in getting_started-java.txt and simply use the company.p7b file. Please keep all of these files secret, especially company.key, company.crt, and company.p7b. The best policy is to limit permissions to just what is needed (which I've done for the files in this folder) -- including any copies you make on the server for configuration -- and also never transfer these files anywhere off the server (which you shouldn't need to anyway).

By Mohib Zico staff 17 Mar 2017 at 6:20 a.m. CDT

You need an x509 certificate and private key (both not password-protected) for your Gluu Server's Apache cert update.

By Michael Schwartz Account Admin 17 Mar 2017 at 3:14 p.m. CDT

Remember that SAML uses self-signed certificates--chains are not supported by either the Shibboleth IDP or Asimba. You can do whatever you like with the Apache config in the chroot container. We give you the Apache config as a starting point, but many customers have their own conventions for the management of Apache httpd.

By Karl Jaro user 17 Mar 2017 at 5:48 p.m. CDT

Why does it ask me for passwords when importing the .p7b file? I asked our director and he said he didn't put any passwords in it. I just used this command inside chroot.

```
keytool -importcert -alias <hostname_of_your_Gluu_Server>_httpd -trustcacerts -file [company_name].p7b -keystore cacerts -alias <hostname_of_your_Gluu_Server>_httpd
```

By Karl Jaro user 17 Mar 2017 at 5:54 p.m. CDT

Would you guys be able to help me on how to import this certificate just to remove the unsecure connection notification from our browsers? I have the following files: company.key, company.crt, and company.p7b

By Aliaksandr Samuseu staff 17 Mar 2017 at 6:19 p.m. CDT

Hi, Karl.

Please note that using 2.4.4 packages is discouraged as the most recent one is 3.0.1. You should only use it if it's a previously installed live instance.

Have you checked our certificate updating guide for 2.4.x [here](https://gluu.org/docs/ce/2.4.4/admin-guide/certificates/)? It provides all needed steps to achieve what you need (which is, I suppose, an update of Apache's certificate, is that correct?).

Your command doesn't seem correct to me. You should try something like this instead:

1. Back up your instance
2. Remove the previous certificate: `# keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /usr/java/latest/lib/security/cacerts -storepass changeit`
3. Install the new one: `# keytool -importcert -alias <hostname_of_your_Gluu_Server>_httpd -trustcacerts -file company.crt -keystore /usr/java/latest/lib/security/cacerts -storepass changeit`
4. Restart Tomcat

Please also note that you may also need to update the certificate Apache itself uses, and also point it to a file containing intermediate certificates for your new certificate. Those are standard Apache admin procedures and are mentioned in the guide I referenced above.

By Aliaksandr Samuseu staff 17 Mar 2017 at 6:26 p.m. CDT

Karl, please also check [this page](https://gluu.org/docs/ce/2.4.4/operation/update-certificate/), it provides more detailed explanations.
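
As an added example (not part of the original thread or of Gluu's documentation): a pre-flight check for the three files mentioned above, confirming that the private key is not password-protected and matches the certificate, and unpacking the .p7b into PEM certificates. The function names are hypothetical; it assumes the `openssl` command-line tool is installed and that the key and certificate are PEM-encoded.

```shell
#!/bin/sh
# Added example: pre-flight checks before pointing Apache at a new
# certificate/key pair. Function names are hypothetical.

# Succeeds if the PEM private key is password-protected
# (encrypted PKCS#8 header or traditional Proc-Type header).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# Succeeds if the certificate and the private key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Unpack a PKCS#7 bundle (.p7b, PEM or DER encoded) into PEM certificates.
p7b_to_pem() {
    openssl pkcs7 -print_certs -in "$1" -out "$2" 2>/dev/null ||
        openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" 2>/dev/null
}

# Print the number of certificates in a PEM file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# usage: preflight company.crt company.key
preflight() {
    if key_is_encrypted "$2"; then
        echo "FAIL: $2 is password-protected"
        return 1
    fi
    if ! cert_matches_key "$1" "$2"; then
        echo "FAIL: $1 does not match $2"
        return 1
    fi
    echo "OK: $1 and $2 are an unencrypted, matching pair"
}

# Run the check only when a certificate and key are given as arguments.
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as `sh preflight.sh company.crt company.key` from the directory holding the files, so that no copies of the key leave the server.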