Comment: Should this article replace Create custom certificates for Tomcat installations (non-Docker) ? David Banz can you assist with this question?
Ylva Andersson yes, that is true.
New article for IDM 5.0.0 (replaces Create custom certificates for Tomcat installations (non-Docker) ).
This article is new for Identity Manager 5.0.0.
For development and test environments, test keys and certificates for all default descriptors can be generated using features of the IDM bootstrap.zip package and bootstrap docker container.
The bootstrap CA certificate generated by the procedure below will have a validity of 20 years, and each end-entity certificate will be valid for one year.
The generated PINs for every P12 file are automatically scrambled.
No keys and certificates will be generated for descriptions which absent from signencrypt.xml.
For Tomcat development or test deployment
Requirements
Tomcat not started
Tomcat folder containing unpacked IDM Operator and IDM Admin of IDM 5.0.0, or later versions, on Linux or Windows
unpacked bootstrapping.zip for the respective IDM release
Instructions
Open a command-line window.
Change to the unpacked bootstrap folder containing create_sign_encrypt_certs.sh (linux) or create_sign_encrypt_certs.bat (windows).
Execute the respective script for your OS.
Linux:
./create_sign_encrypt_certs.sh --targetDir /PATH/TO/TOMCAT/webapps/idm-operator/WEB-INF/classes [OPTIONAL ARGS]
Windows:
create_sign_encrypt_certs.bat --targetDir C:\PATH\TO\TOMCAT\webapps\idm-operator\WEB-INF\classes [OPTIONAL ARGS]
Execute the script without any parameters to see all supported arguments (if you need the plain text passwords of the generated P12 files, then adding the passwordList argument is recommended):create_sign_encrypt_certs.bat / create_sign_encrypt_certs.sh --caDir <dir> CA cert directory - absolute or relative to bootstrapping directory (default: cacerts) --configFile <file> config to modify - absolute or relative to target directory (default: engineSignEncryptConfig.xml) --passwordList <file> optionally create file which lists unscrambled passwords - absolute or relative to target directory (will overwrite existing) --targetDir <dir> target directory for certificates - absolute or relative to current directory
Copy all P12 files and engineSignEncryptConfig.xml from idm-operator/WEB-INF/classes to idm-admin/WEB-INF/classes optionally you can prune the files and XML entries which IDM Admin does not need.
For docker development or test deployment
Requirements
An unpacked SmartID package for the respective IDM release on a Linux/WSL docker host
No container started
Instructions
Open the smartid/docker/compose folder.
Prepare the files
init-smartid.env
andsmartid.env
according to the deployment documentation.
If you need the plain text passwords of the generated P12 files, then edit smartid/docker/compose/identitymanager/bootstrap/docker-compose.yml
and replacecommand: ["-configFile", "/usr/local/tools/config/signencrypt.xml", "-targetDir", "/usr/local/tools/certs"]
within the
create_sign_encrypt_certs
section withcommand: ["-configFile", "/usr/local/tools/config/signencrypt.xml", "-targetDir", "/usr/local/tools/certs", "-passwordList", "pwlist.txt"]
.
This will ensure the file smartid/docker/compose/certs/pwlist.txt will be created.
Execute the init script:
./init-smartid.sh
, which will guide you through the process, including bootstrapping.