KB Article #177339
How to export the Internal CA or change its password?
Problem
1. How to export both private and public parts of the Internal CA into a single certificate?
2. How to change/update the existing Internal CA's password, provided we know the current password?
Resolution
In some cases, the Internal CA certificate might be required for other purposes, or the CA's password has to be changed to comply with security policy. Since the password is embedded in the certificate itself, the only way to change it is to export the CA certificate, and then re-import it with a new password.
The Admin UI will not export the CA's private key, however, so the only possible way to obtain both the public and the private keys is to get them from the ST's file system. The keys are kept in $FILEDRIVEHOME/lib/certs/db with the names ca-crt.pem (public) and ca-key.pem (private).
With these two files you can create a new PKCS12 capsule file that can then be imported on the Admin UI > Certificates > Internal CA page. The steps below demonstrate this with the OpenSSL tool on a Linux machine. Note that Axway Appliances are not suitable for the task, since the included OpenSSL tool is outdated and will not be able to load the keys if they were created by newer ST versions (5.2.1 and above).
1. Get the two files, ca-crt.pem and ca-key.pem, from $FILEDRIVEHOME/lib/certs/db and place them in a dedicated folder on a Linux server.
2. Run the following command:
openssl pkcs12 -export -in ca-crt.pem -inkey ca-key.pem -out newCA.p12 -nodes
The first password that you will be asked for is the current CA password. The second password is for the new PKCS12 capsule (newCA.p12) containing both the public and private keys; it must be longer than 8 characters. This passphrase for the PKCS12 capsule will also be the new Internal CA password.
3. The resulting newCA.p12 can now either be kept as a backup or re-imported into ST as the Internal CA. The new password that you selected for the PKCS12 capsule will be needed when generating new certificates in ST or when importing public keys.
NOTE: This re-import will keep the existing certificates' trust chains.
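The three steps above as a shell function, added here as an example (not the article's or Axway's own code): it enforces the article's password-length rule, checks that the current CA password opens ca-key.pem before anything is written, runs the article's openssl command with both passwords supplied through the environment rather than the command line, and re-opens the resulting newCA.p12 with the new password. It assumes OpenSSL is installed on the Linux machine and that ca-key.pem is encrypted with the current CA password, as the article describes; make_test_ca builds a constructed throw-away CA only so the function can be tried without ST files.

```shell
#!/bin/sh
# Added example (not from the KB article or Axway): wraps the article's
# openssl command in a function that checks the inputs before exporting,
# verifies the new capsule, and passes both passwords via the environment
# instead of the command line so they do not show up in `ps` or history.

# export_internal_ca CA_CRT CA_KEY OUT_P12 CURRENT_PASS NEW_PASS
# Returns 0 on success, a distinct non-zero code for each failed check.
export_internal_ca() {
    crt=$1; key=$2; out=$3; oldpass=$4; newpass=$5
    # The article requires a PKCS12 password longer than 8 characters.
    if [ "${#newpass}" -le 8 ]; then
        echo "new password must be longer than 8 characters" >&2; return 2
    fi
    # Prove the current CA password opens ca-key.pem before writing anything.
    if ! OLDPASS=$oldpass openssl pkey -in "$key" -passin env:OLDPASS -noout 2>/dev/null; then
        echo "cannot read $key with the given current CA password" >&2; return 3
    fi
    # The article's command with non-interactive passwords. -nodes is kept to
    # match the article; on OpenSSL 3 it is the deprecated alias of -noenc
    # (key bag left unencrypted), so treat the .p12 as raw key material.
    OLDPASS=$oldpass NEWPASS=$newpass openssl pkcs12 -export \
        -in "$crt" -inkey "$key" -out "$out" -nodes \
        -passin env:OLDPASS -passout env:NEWPASS 2>/dev/null || return 4
    chmod 600 "$out"
    # Re-open the capsule with the new password: checks the MAC and parsing.
    NEWPASS=$newpass openssl pkcs12 -in "$out" -noout -passin env:NEWPASS 2>/dev/null || return 5
}

# make_test_ca DIR PASS: a constructed throw-away CA (not an ST key) so the
# function can be exercised stand-alone; the real files come from
# $FILEDRIVEHOME/lib/certs/db.
make_test_ca() {
    PASS=$2 openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=constructed test CA" -keyout "$1/ca-key.pem" \
        -out "$1/ca-crt.pem" -passout env:PASS 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_ca "$d" "old-ca-password"
    export_internal_ca "$d/ca-crt.pem" "$d/ca-key.pem" "$d/newCA.p12" \
        "old-ca-password" "new-capsule-pass" && echo "exported $d/newCA.p12"
    rm -rf "$d"
fi
```

Run it with --demo to exercise the function on the constructed CA; for the real export call export_internal_ca with the two files copied from the ST server and delete the copies of ca-key.pem afterwards.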