StrongKey FIDO Server (SKFS) uses Transport Layer Security (TLS) to protect sensitive information on the network between a calling client application and the SKFS.
By default, each newly installed SKFS generates a key pair and a self-signed digital certificate for establishing TLS connections. At most sites this setup is sufficient for the application to make secure connections to the SKFS.
Our self-signed certificate is actually a little better than a Trusted Third-Party Certificate Authority (TTPCA) certificate because it provides a "speed bump" to anyone attempting to attack the web service internally: if they are not familiar with how to deal with self-signed certificates, they will be stumped by the error messages, whereas a TTPCA certificate will almost always be trusted by the attacker's connection.
However, if you want to use a different certificate for SKFS, you need to import it using a Java keystore, as described below.
Change to the Payara domain configuration directory:
shell> cd /usr/local/strongauth/payara5/glassfish/domains/domain1/config
or use the alias:
shell> ascfg
Generate a new key pair under the alias s1as (the alias Payara uses for its TLS listener) in a PKCS12 keystore, listing the server's DNS names as Subject Alternative Names (SANs):
shell> keytool -genkeypair -alias s1as -keystore newkeystore.p12 -storepass changeit -storetype pkcs12 -keypass changeit -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -ext "SAN=DNS:blue.strongkey.com,DNS:red.strongkey.com"
Create a certificate signing request (CSR) for the external CA, repeating the SAN extension:
shell> keytool -certreq -alias s1as -keyalg RSA -file certreq.csr -keystore newkeystore.p12 -ext SAN=dns:blue.strongkey.com,dns:red.strongkey.com
Inspect the CSR to confirm the subject and SANs before submitting it:
shell> keytool -printcertreq -file certreq.csr
Once the CA has issued the certificate, import it into the same keystore. Either import the complete chain (server certificate plus issuing CAs) in one file under the s1as alias:
shell> keytool -import -keystore newkeystore.p12 -alias s1as -keypass changeit -storepass changeit -file chain.pem
or import the CA certificate first and then the signed server certificate:
shell> keytool -import -keystore newkeystore.p12 -alias cacert -keypass changeit -storepass changeit -file cacert.pem
shell> keytool -import -keystore newkeystore.p12 -alias s1as -keypass changeit -storepass changeit -file signedcert.pem
Now use this new keystore (newkeystore.p12) to replace the Payara keystore: back up the existing keystore, move the new one into its place, and restart Payara.
shell> cp keystore.jks keystore.jks.<date>
shell> mv newkeystore.p12 keystore.jks
shell> sudo service glassfishd restart
You can now connect to the Payara server with a browser and inspect the certificate it presents, making sure it is the certificate issued by the external CA and that it carries all of the SANs, if applicable.
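An added script (not StrongKey's own tooling) that automates the check in the last step: it fetches the certificate the server presents, compares its SHA-256 fingerprint with the certificate stored under alias s1as in the keystore, and confirms that each expected SAN is present. It assumes keytool and openssl are on PATH, that Payara's HTTPS listener is on port 8181 (a placeholder for the site's actual port), and that keytool autodetects the keystore type of the file now named keystore.jks.

```shell
#!/bin/sh
# Added check (not StrongKey's own tooling): confirm that the certificate Payara
# now serves is the one stored under alias s1as and that it carries the SANs.
# Assumptions: keytool and openssl on PATH; HTTPS listener on port 8181 (placeholder).
set -u

# Reduce a fingerprint line from openssl ("sha256 Fingerprint=5A:0C:...") or
# keytool ("SHA256: 5A:0C:...") to lowercase hex without separators.
norm_fp() {
  printf '%s\n' "$1" | awk '{print $NF}' | sed 's/^.*=//; s/^[Ss][Hh][Aa]256://' |
    tr -d ':\r' | tr 'A-F' 'a-f'
}

# Succeed only when both strings denote the same (non-empty) digest.
same_fp() {
  [ -n "$(norm_fp "$1")" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# $1 = SAN text as printed by "openssl x509 -text", $2 = DNS name expected in it.
san_has() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -qiFx "DNS:$2"
}

# Fetch the leaf certificate the server presents for host $1 on port $2, as PEM.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 2>/dev/null
}

# check_served_cert HOST PORT KEYSTORE STOREPASS SAN...  -> exit 0 when all matches
check_served_cert() {
  host=$1; port=$2; ks=$3; pass=$4; shift 4
  served=$(served_cert "$host" "$port") || { echo "no certificate from $host:$port" >&2; return 1; }
  expected=$(keytool -exportcert -rfc -alias s1as -keystore "$ks" -storepass "$pass" |
    openssl x509 -noout -fingerprint -sha256)
  actual=$(printf '%s\n' "$served" | openssl x509 -noout -fingerprint -sha256)
  same_fp "$expected" "$actual" || { echo "served cert is not keystore alias s1as" >&2; return 1; }
  sans=$(printf '%s\n' "$served" | openssl x509 -noout -text | grep -A1 -i 'Subject Alternative Name')
  for name in "$@"; do
    san_has "$sans" "$name" || { echo "SAN missing: $name" >&2; return 1; }
  done
  echo "OK: served certificate matches alias s1as and carries all expected SANs"
}

# Example: ./check_tls.sh blue.strongkey.com 8181 keystore.jks changeit blue.strongkey.com red.strongkey.com
if [ $# -ge 4 ]; then check_served_cert "$@"; fi
```

Run it from the domain config directory with the host, port, keystore, store password and expected SANs as arguments; a non-zero exit means the keystore swap did not take effect or the certificate lacks a name.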