Adding an SSL Certificate
Learn how to add your own SSL certificate using Cloud Manager’s self-service tools.
Certificate Requirements
Review the section Certificate Requirements of the document Introduction to Managing SSL Certificates to ensure that the certificate you want to add is supported by AEM as a Cloud Service.
Adding a Certificate
Follow these steps to add a certificate using Cloud Manager.
- Log into Cloud Manager at my.cloudmanager.adobe.com and select the appropriate organization.
- On the My Programs screen, select the program.
- Navigate to the Environments screen from the Overview page.
- Click SSL Certificates from the left navigation panel. A table with details of any existing SSL certificates is displayed on the main screen.
- Click Add SSL Certificate to open the Add SSL Certificate dialog box.
  - Enter a name for your certificate in Certificate Name.
    - This is for informational purposes only and can be any name that helps you reference your certificate easily.
  - Paste the Certificate, Private key, and Certificate chain values into their respective fields. All three fields are mandatory.
- Any errors detected are displayed.
  - You must address all errors before your certificate can be saved.
  - See Certificate Errors section to learn more about addressing common errors.
- Click Save to save your certificate.
Once saved, you see your certificate displayed as a new row in the table.
Certificate Errors
Certain errors may arise if a certificate is not installed properly or does not meet the requirements of Cloud Manager.
Certificate Policy
If you see the following error, check the policy of your certificate.
Certificate policy must conform with EV or OV, and not DV policy.
Normally certificate policies are identified by embedded OID values. Outputting a certificate to text and searching for the OID will reveal the certificate’s policy.
You can output your certificate detail as text using the following example as a guide.
```shell
openssl x509 -in 9178c0f58cb8fccc.pem -text
certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:78:c0:f5:8c:b8:fc:cc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Nov 10 22:55:36 2021 GMT
            Not After : Dec 6 15:35:06 2022 GMT
        Subject: C = US, ST = Colorado, L = Denver, O = Alexandra Alwin, CN = adobedigitalimpact.com
        Subject Public Key Info:
...
```
The OID pattern in the text defines the policy type of the certificate.
- 2.23.140.1.1: EV policy
- 2.23.140.1.2.2: OV policy
- 2.23.140.1.2.1: DV policy (not accepted)
By grepping for the OID patterns in the output certificate text, you can confirm your certificate policy.
```shell
# "EV Policy"
openssl x509 -in certificate.pem -text | grep "Policy: 2.23.140.1.1" -B5
# "OV Policy"
openssl x509 -in certificate.pem -text | grep "Policy: 2.23.140.1.2.2" -B5
# "DV Policy - Not Accepted"
openssl x509 -in certificate.pem -text | grep "Policy: 2.23.140.1.2.1" -B5
```
Correct Certificate Order
The most common reason for a certificate deployment to fail is that the intermediate or chain certificates are not in the correct order.
Intermediate certificate files must end with the root certificate or the certificate most proximate to the root. They must be in descending order from the main/server certificate to the root.
You can determine the order of your intermediate files using the following command.
```shell
openssl crl2pkcs7 -nocrl -certfile "$CERT_FILE" | openssl pkcs7 -print_certs -noout
```
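You can verify that the private key and main/server certificate match using the following commands.
```shell
# Digest of the RSA modulus of the certificate and of the key; the two outputs must be identical.
openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in ssl.key | openssl md5
```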
If the private key does not match the main/server certificate, you are required to re-key the certificate by generating a new CSR and/or requesting an updated certificate from your SSL vendor.
Certificate Validity Dates
Cloud Manager expects the SSL certificate to be valid for at least 90 days from the current date. You should check the validity of the certificate chain.
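The ordering rule and the 90-day validity requirement described above can be checked together before pasting values into Cloud Manager. The following is an added example, not part of Adobe's documentation or tooling; the function names `split_bundle` and `check_chain` and the single PEM bundle input (main/server certificate followed by its chain) are assumptions of this example.

```shell
# Added example: pre-upload checks for a PEM bundle ordered server -> intermediates -> root.
# split_bundle and check_chain are hypothetical helper names, not Cloud Manager tooling.

# Split the bundle in $1 into one file per certificate: $2/cert-1.pem, $2/cert-2.pem, ...
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Return 0 when each certificate's issuer equals the subject of the one after it
# and every certificate is still valid $2 days from now (default 90); 1 otherwise.
# This compares names only; it does not verify signatures.
check_chain() {
    bundle=$1; days=${2:-90}; rc=0
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    i=1
    while [ -f "$tmp/cert-$i.pem" ]; do
        cur="$tmp/cert-$i.pem"; next="$tmp/cert-$((i + 1)).pem"
        # -checkend exits non-zero if the certificate expires within N seconds.
        if ! openssl x509 -in "$cur" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "cert $i expires within $days days" >&2; rc=1
        fi
        if [ -f "$next" ]; then
            issuer=$(openssl x509 -in "$cur" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
            subject=$(openssl x509 -in "$next" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
            if [ "$issuer" != "$subject" ]; then
                echo "cert $i issuer does not match cert $((i + 1)) subject" >&2; rc=1
            fi
        fi
        i=$((i + 1))
    done
    [ "$i" -gt 1 ] || { echo "no certificates found in $bundle" >&2; rc=2; }
    rm -rf "$tmp"
    return $rc
}
```

Call it as `check_chain bundle.pem`: a return of 0 means the names chain in order and nothing expires within 90 days, 1 means an ordering or validity problem, and 2 means no certificates were found.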