From option 24:
Select option for certificate management for internal SSL communications:
1) Use system generated CA key and certificate to sign all SSL certificates
2) Use user provided CA key and certificate to sign all SSL certificates
3) All SSL certificates must be signed by an external CA
Select 3; this will generate CSRs (certificate signing requests) for all certs used by the gateway: nodemanager and server instances. Once the CSRs have been generated, you can submit them to your CA for signing.
After you receive the signed certificates from the CA, you can import them back into the gateway using option 26 of the managedomain utility.

Thanks Ankit for the reply. Just to reiterate, we are using OAG 18.104.22.168, and the managedomain utility in this version doesn't have option 26. I was also reading the OAG document; it says that "domain certificate cannot be replaced with customer certificate (which probably means server certificate), but it can be signed with CA/SubCA certificate". However, the PKCS12 store (which is a requirement for OAG) needs a server certificate, otherwise it won't take the CA certificate in. We are in a sort of unique scenario where OAG only needs PKCS12 with the CA, but PKCS12 needs a server certificate (to add the CA cert to its store).

I am not sure about "PKCS12 needs server certificate (to add CA cert in its store)". PKCS12 is just a certificate export format; this format has both the public and private key in the same file. For 22.214.171.124, can you try the following steps:
- Generate the CSR for domain certificate.
- Submit the CSR to your CA for signing.
- Export the private key of domain certificate.
- Once you have the signed cert from the CA, import the public key via Policy Studio. Import the exported private key here as well.
- Export "Certificate + Key" from Policy Studio. This will generate a file in PKCS12 format.
- Import the signed PKCS12 file back as domain certificate.
I do not have 126.96.36.199 version installed so I cannot try these but please let me know if you encounter any issues.
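
The key/certificate pairing and PKCS12 bundling from the steps above, as an added example that is not part of the original posts. It uses the `openssl` CLI instead of Policy Studio (an assumption), a throwaway CA standing in for the external CA, and placeholder file names, subjects and password.

```shell
#!/bin/sh
# Constructed demo: "Demo CA", "demo-domain" and all file names are placeholders.
set -eu

build_domain_p12() {
  dir="$1"; pass="$2"
  # Stand-in for the external CA (normally the CA signs on its own systems).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Domain private key and CSR (the "generate CSR" / "export private key" steps).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-domain" \
    -keyout "$dir/domain.key" -out "$dir/domain.csr" 2>/dev/null
  # The CA signs the CSR.
  openssl x509 -req -in "$dir/domain.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
    -out "$dir/domain.crt" 2>/dev/null
  # Check 1: the signed cert must carry the public key of the exported
  # private key, otherwise the PKCS12 pairs a key with the wrong cert.
  k=$(openssl pkey -in "$dir/domain.key" -pubout)
  c=$(openssl x509 -in "$dir/domain.crt" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
  # Check 2: the signed cert must chain to the CA that will be bundled.
  openssl verify -CAfile "$dir/ca.crt" "$dir/domain.crt" >/dev/null
  # Bundle private key + signed cert + CA cert into one PKCS12 file.
  openssl pkcs12 -export -inkey "$dir/domain.key" -in "$dir/domain.crt" \
    -certfile "$dir/ca.crt" -name domain \
    -passout "pass:$pass" -out "$dir/domain.p12"
}

# Number of certificates inside a PKCS12 file (leaf + chain).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Run with --demo to build a bundle in a temp directory and report on it.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  build_domain_p12 "$tmp" changeit
  echo "certs in bundle: $(count_p12_certs "$tmp/domain.p12" changeit)"
  rm -rf "$tmp"
fi
```

With a real CA, skip the stand-in CA and signing commands and feed the returned certificate and the CA chain file into the two checks and the `pkcs12 -export` call.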