If certificate problems are reported after upgrading or replacing certificates or after restoring a device, use the following options to solve the problem:
Certificate commands are generated when you upgrade the Administration Console and when you restore a device. You should ensure that they have completed successfully.
1. In the Administration Console, click > to determine whether a certificate command has failed. Note the destination trust store or keystore of any failed command.
2. Click > > . The Certificates page displays all the keystores and trust stores configured for Access Manager.
3. Select the store, then click . This pushes all assigned certificates to the store. You can re-push certificates multiple times without causing any problems.
When you replace certificates, you should validate that the Identity Server configuration is storing a valid trusted root for the Access Gateways or SSL VPN servers that are using the Identity Server for authentication. You should also validate that the Access Gateway cluster and SSL VPN cluster are storing a valid trusted root for the Identity Server.
You cannot use the following process to validate that the Identity Server and J2EE agents are storing valid trusted roots for each other.
To validate the availability of the required trusted root certificates:
1. In the Administration Console, click > > . The Certificates page displays all the keystores and trust stores configured for Access Manager.
2. Validate the trusted root certificates of the Identity Server configuration:
   a. Select one of the following keystores that belong to the NIDP Configuration device:
      - Signing
      - Encryption
      - SSL Connector
      - Provider Introductions SSL Connector
      - Consumer Introductions SSL Connector
   b. Click .
   c. If an error is reported, add the missing trusted root to a trust store. To identify the trust store, check the ESP Trust Store of the devices that are using the Identity Server for authentication. For instructions, see the following sections:
   d. Repeat Step 2.a and Step 2.c for each keystore that you want to validate.
3. Validate the trusted root certificates of the Access Gateway cluster or the SSL VPN cluster:
   a. Select one of the following keystores that belong to the cluster:
      - Signing
      - Encryption
      - ESP Mutual SSL
   b. Click .
   c. If an error is reported, add the missing trusted root to the Trust Store of the Identity Server. For instructions, see Section 3.4.2, Adding Trusted Roots to Trust Stores.
   d. Repeat Step 3.a and Step 3.c for each keystore that you want to validate.