## Certificates in Chroot
Gluu Server components have cryptographic keys and X.509 certificates that are stored inside the chroot. Details for the certificates associated with each component are provided below. The following certificates are available in the

The certificates for Passport authentication are `passport-rp.jks`, `passport-rp.pem` and `passport-rs.jks`. The SCIM certificate is named `scim-rs.jks` and the OTP certificate is named
## Certificates for Deprecated Services
## Custom Script JSON Files
Additionally, the following JSON files are available; they are used in different custom scripts for multi-factor authentication.
## Generating Cryptographic Keys
The Gluu Server is compatible with the Java KeyGenerator to create new cryptographic keys if needed.

To get KeyGenerator, run the following command inside the chroot:

```
wget https://ox.gluu.org/maven/org/xdi/oxauth-client/3.1.6.sp1/oxauth-client-3.1.6.sp1-jar-with-dependencies.jar -O oxauth-client.jar
```

Then, run KeyGenerator with the following command:

```
java -jar oxauth-client.jar <arguments>
```
Our implementation of KeyGenerator accepts the following arguments:
| Argument | Description |
|---|---|
| | oxEleven Access Token |
| | DN of certificate issuer |
| | Encryption keys to generate (for example: RSA_OAEP, RSA1_5) |
| | Expiration in days |
| | Expiration in hours |
| | Key Store password |
| | Key Store file (such as `/etc/certs/api-rs.jks`) |
| | oxEleven Generate Key Endpoint |
| | Signature keys to generate (for example: RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512) |
## Certificates in oxTrust
Certificates commonly used for SSO typically have a short expiration date, and can now be easily viewed and downloaded in oxTrust. Navigate to Certificates to access these certificates.
The following are available:
- OpenDJ SSL
- httpd SSL
- IDP Signing
- IDP Encryption
## Updating Apache Certificate
The certificates must be manually updated from the
There are many tools that can be used to update and renew certificates. By default Gluu uses OpenSSL. If you have questions about using other tools, like Let's Encrypt, check the Gluu support portal for existing threads. If there is no existing information, sign up and open a ticket.
The private key cannot be password protected, and the public key must be base64 X.509.

Please back up your full `/etc/certs` directory and the `cacerts` file under `/opt/jdkx.y.z/jre/lib/security/` before updating certificates.
Please follow the steps below to update the Apache SSL cert:

- Save the latest SSL httpd key and certificate in the
- Rename them to
- Convert the certificate to DER so that `httpd.der` can be imported into the Java keystore:

    ```
    openssl x509 -outform der -in httpd.crt -out httpd.der
    ```

- Delete the existing certificate, so that after the import there are not two different certificates for the same entity:

    ```
    /opt/jdkx.x.x.x/jre/bin/keytool -delete -alias <hostname_of_your_Gluu_Server>_httpd -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -storepass changeit
    ```

- Import the certificate into the Java keystore (`cacerts`):

    ```
    /opt/jdkx.x.x.x/jre/bin/keytool -importcert -file httpd.der -keystore /opt/jdkx.x.x.x/jre/lib/security/cacerts -alias <hostname_of_your_Gluu_Server>_httpd -storepass changeit
    ```

- Restart the LDAP server, apache2/httpd and the Identity Services (stop all of them, then start them in the same order):

    ```
    # use apache2 or httpd, whichever your distribution provides
    service opendj stop
    service apache2/httpd stop
    service oxauth stop
    service identity stop
    service opendj start
    service apache2/httpd start
    service oxauth start
    service identity start
    ```
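As an added example (not Gluu project code), the following Python script performs the pre-flight checks implied by the requirements above (the private key must not be password protected, the certificate must be base64 X.509) and lays out the keystore and service steps of the procedure as argv lists ready for `subprocess.run(cmd, check=True)`. It assumes the page's paths (`/etc/certs`, the placeholder JDK path `/opt/jdkx.x.x.x/jre`, `cacerts` with the password `changeit`) and the alias convention `<hostname>_httpd`; the sample key and certificate bodies are constructed, not real credentials.

```python
"""Pre-flight checks and an ordered update plan for rotating the Apache SSL
certificate inside a Gluu Server chroot. Added example, not Gluu project
code; it assumes the paths and alias convention written on this page."""
import base64
import binascii
import re

CERTS_DIR = "/etc/certs"
JDK_HOME = "/opt/jdkx.x.x.x/jre"   # placeholder path, exactly as on the page
CACERTS = f"{JDK_HOME}/lib/security/cacerts"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Split PEM text into (label, header lines, joined base64 body) tuples."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]   # e.g. Proc-Type, DEK-Info
        body = "".join(l for l in lines if ":" not in l)
        blocks.append((m.group(1), headers, body))
    return blocks


def check_private_key(key_pem):
    """Problems violating the page's rule that httpd.key must not be
    password protected; an empty list means the key passes."""
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return [f"expected one PRIVATE KEY block, found {len(keys)}"]
    label, headers, body = keys[0]
    problems = []
    if label == "ENCRYPTED PRIVATE KEY":            # PKCS#8 with a passphrase
        problems.append("key is password protected (ENCRYPTED PRIVATE KEY)")
    if any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
        problems.append("key is password protected (Proc-Type: 4,ENCRYPTED)")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        problems.append("key body is not valid base64")
    return problems


def check_certificate(cert_pem):
    """Problems violating the page's rule that httpd.crt must be a base64
    (PEM) X.509 certificate. A DER file yields no PEM block at all."""
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if not certs:
        return ["no PEM CERTIFICATE block found (convert DER to PEM first)"]
    problems = []
    for _, _, body in certs:
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append("certificate body is not valid base64")
            continue
        if not der.startswith(b"\x30"):            # X.509 is a DER SEQUENCE
            problems.append("decoded certificate is not a DER SEQUENCE")
    return problems


def plan_cacerts_update(hostname, storepass="changeit"):
    """The page's keystore steps as argv lists: convert to DER, delete the old
    alias (so two certificates for one entity never coexist), import the new
    one. -noprompt is a standard keytool flag that skips the interactive trust
    question. -delete fails if the alias was never imported, so check with
    'keytool -list -alias' first on a fresh keystore."""
    alias = f"{hostname}_httpd"
    keytool = f"{JDK_HOME}/bin/keytool"
    return [
        ["openssl", "x509", "-outform", "der",
         "-in", f"{CERTS_DIR}/httpd.crt", "-out", f"{CERTS_DIR}/httpd.der"],
        [keytool, "-delete", "-alias", alias,
         "-keystore", CACERTS, "-storepass", storepass],
        [keytool, "-importcert", "-noprompt", "-file", f"{CERTS_DIR}/httpd.der",
         "-keystore", CACERTS, "-alias", alias, "-storepass", storepass],
    ]


def plan_service_restart(httpd="apache2"):
    """Stop all four services, then start them, in the page's order."""
    services = ["opendj", httpd, "oxauth", "identity"]
    return ([["service", s, "stop"] for s in services]
            + [["service", s, "start"] for s in services])


# Constructed sample inputs (not real keys or certificates): the body decodes
# to a five-byte DER SEQUENCE, which is enough to exercise the checks.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_KEY = f"-----BEGIN PRIVATE KEY-----\n{SAMPLE_BODY}\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 f"DEK-Info: AES-256-CBC,00\n\n{SAMPLE_BODY}\n"
                 "-----END RSA PRIVATE KEY-----\n")
GOOD_CERT = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_BODY}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("key:", check_private_key(GOOD_KEY) or "ok")
    print("encrypted key:", check_private_key(ENCRYPTED_KEY))
    print("cert:", check_certificate(GOOD_CERT) or "ok")
    for cmd in plan_cacerts_update("gluu.example.test") + plan_service_restart():
        print(" ".join(cmd))
```

Run the checks against the real `httpd.key` and `httpd.crt` before touching `cacerts`; a key that reports "password protected" would stop httpd from starting unattended, and a DER certificate fails the checks because it has no PEM block. The planned commands are deliberately kept as argv lists rather than shell strings so the hostname and paths are never re-parsed by a shell.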
## Install Intermediate Certificates
Please follow the steps below to install intermediate certificates:
- Log into your Gluu Server container.
- Keep your intermediate certificate in the file `/etc/httpd/conf.d/https_gluu.conf`, and add
- Restart the service of the httpd server.