If you are comfortable with certificate warnings whilst you install and test, you can leave this until you are ready to go live with your end users.
It is recommended that you use a certificate from a recognised certificate authority (CA) so that your users do not get warnings in their browsers when they log in; this page assumes that you have one available.
- A certificate in the name of your runtime, e.g. idp.yourdomain.com, or a wildcard such as *.yourdomain.com
- The certificate and its private key as separate files: a .crt file (the certificate) and a .key file (the private key)
- A private key that is not protected by a passphrase (see the note on restarting Apache at the end of this page)
- If you are using the proxy, a wildcard certificate for it, e.g. *.proxy.yourdomain.com
Where to put your certificates
Both the IdP and proxy certificates sit in the same folders, which are:
CRT files sit in the
KEY files sit in the
If you had initially transferred the certificate files to the /tmp folder on the runtime, you would move them as follows:
Check the ownership, permissions and security context
Check by listing the directory with ls and the -Z switch (which shows the SELinux security context alongside the permissions and ownership). This is what you want to see for the permissions, ownership and context:
To change the permissions if they do not appear as
To change the ownership if they do not appear as
To change the security context if it does not appear as
Repeat as necessary for the /etc/pki/tls/private folder. The settings should be the same:
Update the 'vhost' configuration file(s)
You have to make a small change to the openathensla-runtime.conf.local configuration file to tell it about your new IdP certificate and key.
The first section of this file details the file locations of your IdP certificate and key; edit them to match your file names:
If your certificate is signed by an intermediate CA and you need help installing the certificate chain in the correct place, contact our service desk.
If you are using the proxy, you also need to modify the openathensla-proxy.ssl.local file so that it knows about your proxy certificate and key:
Finally, restart Apache:
If the Apache restart prompts for a passphrase, you must remove the passphrase from the private key before you continue; otherwise the system will require a manual Apache restart (with someone present to type the passphrase) every time the administration console publishes a change to the runtime(s).
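The checks the procedure above asks for (permissions, ownership and SELinux context of the .crt and .key files) and the passphrase problem that the Apache restart would otherwise trip over, written up as a script. This is an added example of my own, not a script from the OpenAthens documentation or the runtime. It assumes a Linux host with GNU coreutils (stat -c), OpenSSL and the SELinux targeted policy; the expected values it checks against (mode 644 for certificates, 600 for keys, owner root:root, SELinux type cert_t) are assumptions based on RHEL/CentOS defaults, not figures reproduced from this page, so compare them with the listing the page shows you. The certificate/key match check is an extra the page does not mention: it catches a .crt and .key that do not belong together before Apache refuses to start.

```shell
#!/bin/sh
# Added example, not from the OpenAthens documentation: audit and repair the
# certificate files described above. Assumes a Linux host with GNU coreutils
# (stat -c), OpenSSL and the SELinux targeted policy. The expected values are
# assumptions based on RHEL/CentOS defaults, not figures from the page:
#   /etc/pki/tls/certs   certificates  mode 644  owner root:root  type cert_t
#   /etc/pki/tls/private private keys  mode 600  owner root:root  type cert_t

# Return 0 if the file's octal mode equals $2 (e.g. 600).
check_mode() { [ "$(stat -c '%a' "$1")" = "$2" ]; }

# Return 0 if the file's owner:group equals $2 (e.g. root:root).
check_owner() { [ "$(stat -c '%U:%G' "$1")" = "$2" ]; }

# Return 0 if the SELinux type (third field of user:role:type:level) equals
# $2, 1 if it differs, 2 if no label is available (SELinux disabled).
check_context() {
    ctx=$(stat -c '%C' "$1")
    case "$ctx" in
        *:*:*:*) [ "$(printf '%s' "$ctx" | cut -d: -f3)" = "$2" ] ;;
        *) return 2 ;;
    esac
}

# Return 0 if a PEM private key is passphrase-protected: legacy keys carry a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 keys an "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1" 2>/dev/null; }

# Return 0 if the public key inside the certificate is the one derived from
# the private key, i.e. the .crt and .key files really belong together.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Write an unencrypted copy of key $1 to $2 (OpenSSL prompts for the current
# passphrase). Keep the original until Apache has restarted cleanly.
strip_passphrase() { openssl pkey -in "$1" -out "$2"; }

# Repair mode, ownership and SELinux label of one file (needs root).
# restorecon reapplies the policy default for the path, cert_t under /etc/pki/tls.
fix_file() {  # fix_file PATH MODE OWNER
    chown "$3" "$1"
    chmod "$2" "$1"
    if command -v restorecon >/dev/null 2>&1; then restorecon "$1"; fi
}

# Audit every .crt/.key in a directory: print one report line per file and
# return the number of files with at least one problem. A missing SELinux
# label (SELinux disabled) is reported but not counted as a problem.
audit_dir() {  # audit_dir DIR MODE OWNER SELINUX_TYPE
    bad=0
    for f in "$1"/*.crt "$1"/*.key; do
        [ -f "$f" ] || continue
        issues=""
        check_mode "$f" "$2" || issues="$issues mode=$(stat -c '%a' "$f")"
        check_owner "$f" "$3" || issues="$issues owner=$(stat -c '%U:%G' "$f")"
        rc=0; check_context "$f" "$4" || rc=$?
        case "$rc" in
            1) issues="$issues context=$(stat -c '%C' "$f")" ;;
            2) echo "NOTE $f: no SELinux label to check" ;;
        esac
        case "$f" in
            *.key) key_is_encrypted "$f" && issues="$issues passphrase-protected" ;;
        esac
        if [ -z "$issues" ]; then
            echo "OK   $f"
        else
            echo "FIX  $f:$issues"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Stand-alone run: audit the two folders the page uses, where they exist.
for dir in /etc/pki/tls/certs:644 /etc/pki/tls/private:600; do
    d=${dir%:*}; m=${dir#*:}
    if [ -d "$d" ]; then audit_dir "$d" "$m" root:root cert_t || true; fi
done
```

Run it as root on the runtime after copying the files into place; every line marked FIX lists what differs, and `fix_file /etc/pki/tls/private/idp.key 600 root:root` puts one file right. If a key is reported as passphrase-protected, write an unencrypted copy with `strip_passphrase old.key new.key`, move the copy into place, re-run the audit so the new file gets the same mode, owner and context, then restart Apache.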