We are running our administration server on one host, and we have multiple other hosts configured as administration nodes. We used our company CA to generate a server certificate for our administration server, and that appears to be working fine. We tried to do the same thing on our administration nodes, and something curious is happening.
I used certutil -R to generate a CSR and private key. I then took the generated CSR, obtained a signed certificate from our company CA, then used certutil -A -t u,u,u to install it (and certutil -A -t CT,, to install the CA cert itself). Running certutil -L, I see that, in addition to the default Admin-CA-Cert and Admin-Server-Cert, our company CA cert and the newly signed cert show up. So far, so good.
Next, I modified the server.xml to specify the server-cert-nickname as that assigned to my new cert.
To put these changes into effect, I stop and start the admin server, but upon doing so, I see this message:
warning: LCM0006: Lifecycle module [AdminLifecycleModule] threw ServerLifecycleException [com.sun.web.admin.exceptions.AdminException: ADMIN3668: Cannot start an unregistered node. Register with an administration server. ]
OK, so I run wadm register-node to re-register the admin node (presumably it needs to tell the admin server about our new certificate) and then start the admin server again, and it starts. The problem is, the act of running wadm register-node has reset the server-cert-nickname back to the default (Admin-Server-Cert) and, even more bizarrely, has deleted both our local CA and my new certificate from the certificate & key database.
How do I - or is it even possible to - run my admin nodes with certs signed by our company CA?
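A pre-flight check for the failure described above, added here as an example and not part of the original post: before restarting the admin server, it confirms that every server-cert-nickname in server.xml still exists in the NSS database with a private key (u in the SSL trust field) and that a trusted CA (C/T) is present, so a reset nickname or a deleted certificate is caught before the restart. The certutil -L output and the server.xml element layout are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed `certutil -L` output for an admin node (not from the post).
CERTUTIL_L = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Admin-CA-Cert                                                CT,,
Admin-Server-Cert                                            u,u,u
Company-CA                                                   CT,,
node1-admin-cert                                             u,u,u
"""

# Constructed server.xml fragment; the element layout is an assumption.
SERVER_XML = """<server>
  <http-listener>
    <name>admin-ssl</name>
    <ssl>
      <enabled>true</enabled>
      <server-cert-nickname>node1-admin-cert</server-cert-nickname>
    </ssl>
  </http-listener>
</server>"""


def parse_certutil_list(text):
    """Map nickname -> trust flags (SSL,S/MIME,JAR) from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        # Skip the two header lines and blank separators; nicknames may
        # contain spaces, so split off only the trailing flags field.
        if not line.strip() or line.startswith(" ") or "Trust Attributes" in line:
            continue
        nick, flags = line.rstrip().rsplit(None, 1)
        certs[nick.strip()] = flags
    return certs


def check_nicknames(server_xml, certutil_out):
    """Return a list of problems; an empty list means every nickname is usable."""
    certs = parse_certutil_list(certutil_out)
    problems = []
    # A trusted CA carries C or T in its SSL trust field; without one the
    # server certificate cannot be chained to anything the server trusts.
    if not any(set(f.split(",")[0]) & set("CT") for f in certs.values()):
        problems.append("no CA certificate with C/T SSL trust in the database")
    for el in ET.fromstring(server_xml).iter("server-cert-nickname"):
        nick = (el.text or "").strip()
        if nick not in certs:
            problems.append(f"{nick}: nickname missing from cert DB (reset by register-node?)")
        elif "u" not in certs[nick].split(",")[0]:
            problems.append(f"{nick}: no private key for this nickname (flags {certs[nick]!r})")
    return problems


if __name__ == "__main__":
    for p in check_nicknames(SERVER_XML, CERTUTIL_L) or ["OK"]:
        print(p)
```

On a real node, feed it the actual output of certutil -L -d <config-dir> and the live server.xml instead of the constructed samples.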