How to register Root Certificate(.crt) of Server CA for Internal Use in Containerized Deployment
Hello,
We are currently using a containerized deployment for our Pega system. We want to integrate with a PKI server, which requires HTTPS Server Authentication. To achieve this, we need to register the root certificate of PKI internal server CA with the root CA trusted by our system. Could you please provide detailed instructions on how to achieve this within our containerized environment? Specifically, we would like to know:
- The steps required to import the root certificate into the Pega container.
- Any specific configuration changes needed within Pega to recognize and trust the newly registered root certificate.
- Best practices for maintaining and updating certificates in a containerized deployment to ensure ongoing security and compliance.
Thank you for your assistance.
Accepted Solution
Updated: 5 Jun 2024 6:58 EDT
Pegasystems Inc.
GB
To import the root certificate into the Pega container, you can follow these steps:
- Save the certificates from the PKI server locally.
- Use the Keystore Explorer application to create a new Java Keystore, which includes all the certificates saved.
- Save the generated Keystore file to your local machine.
- Upload the generated Keystore file to Pega Platform as an instance of Data-Admin-Security-Keystore.
To configure Pega to recognize and trust the newly registered root certificate, reference the uploaded Keystore in the Security settings (Truststore) section of a Connector rule. For maintaining and updating certificates in a containerized deployment, it's important to regularly check the validity of your certificates and update them before they expire. You can import X.509 certificates directly into the Pega Platform truststore to authenticate external server hosts. When a certificate needs to be used for transport layer security, Pega Platform looks for the certificate in the platform truststore, and then in the application server-level (JVM) truststore. You can add certificates to the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key expiration.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
To import the root certificate into the Pega container, you can follow these steps:
- Save the certificates from the PKI server locally.
- Use the Keystore Explorer application to create a new Java Keystore, which includes all the certificates saved.
- Save the generated Keystore file to your local machine.
- Upload the generated Keystore file to Pega Platform as an instance of Data-Admin-Security-Keystore.
To configure Pega to recognize and trust the newly registered root certificate, reference the uploaded Keystore in the Security settings (Truststore) section of a Connector rule. For maintaining and updating certificates in a containerized deployment, it's important to regularly check the validity of your certificates and update them before they expire. You can import X.509 certificates directly into the Pega Platform truststore to authenticate external server hosts. When a certificate needs to be used for transport layer security, Pega Platform looks for the certificate in the platform truststore, and then in the application server-level (JVM) truststore. You can add certificates to the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key expiration.
⚠ This is a GenAI-powered tool. All generated answers require validation against the provided references.
Importing external certificates into a Pega Keystore
Client-configured Pega Cloud changes > Managing X.509 Certificates
Importing an X.509 certificate