We are currently using a containerized deployment for our Pega system. We want to integrate with a PKI server, which requires HTTPS Server Authentication. To achieve this, we need to register the root certificate of the PKI internal server CA with the root CA trusted by our system. Could you please provide detailed instructions on how to achieve this within our containerized environment? Specifically, we would like to know:
1. The steps required to import the root certificate into the Pega container.
2. Any specific configuration changes needed within Pega to recognize and trust the newly registered root certificate.
3. Best practices for maintaining and updating certificates in a containerized deployment to ensure ongoing security and compliance.
To import the root certificate into the Pega container, you can follow these steps:
1. Save the certificates from the PKI server locally.
2. Use the Keystore Explorer application to create a new Java Keystore, which includes all the certificates saved.
3. Save the generated Keystore file to your local machine.
4. Upload the generated Keystore file to Pega Platform as an instance of Data-Admin-Security-Keystore.
To configure Pega to recognize and trust the newly registered root certificate, reference the uploaded Keystore in the Security settings (Truststore) section of a Connector rule.
For maintaining and updating certificates in a containerized deployment, it’s important to regularly check the validity of your certificates and update them before they expire. You can import X.509 certificates directly into the Pega Platform truststore to authenticate external server hosts. When a certificate needs to be used for transport layer security, Pega Platform looks for the certificate in the platform truststore, and then in the application server-level (JVM) truststore. You can add certificates to the platform truststore without having to restart the server, which is useful when TLS certificates are changed for reasons such as key expiration.
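Added example (not from the answer above and not Pega code): the keystore step done from a script with Python's cryptography library instead of Keystore Explorer, producing a certificate-only PKCS#12 truststore and then reloading it to report which CA certificates are close to expiry, the check the answer recommends doing regularly. It assumes that the Data-Admin-Security-Keystore instance accepts a PKCS#12 file, that the password "changeit" is a placeholder you replace, and it generates a stand-in root CA in code where you would use the root certificate exported from the PKI server.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def make_root_ca(common_name, days_valid):
    """Constructed stand-in for the PKI server's root CA, returned as PEM bytes.
    In practice you export the real root certificate from the PKI server instead."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days_valid))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def build_truststore(pem_certs, password):
    """Pack CA certificates (PEM bytes) into a password-protected PKCS#12 that holds
    certificates only, i.e. a truststore with no private key inside."""
    certs = [x509.load_pem_x509_certificate(pem) for pem in pem_certs]
    return pkcs12.serialize_key_and_certificates(
        name=b"pki-root-ca", key=None, cert=None, cas=certs,
        encryption_algorithm=serialization.BestAvailableEncryption(password))


def not_after_utc(cert):
    """Expiry as an aware datetime, on cryptography versions with or without *_utc."""
    utc = getattr(cert, "not_valid_after_utc", None)
    return utc if utc is not None else cert.not_valid_after.replace(tzinfo=timezone.utc)


def audit_truststore(p12_bytes, password, warn_days=30, now=None):
    """Reload the truststore and report (subject, days left, needs renewal) per CA cert."""
    now = now or datetime.now(timezone.utc)
    _key, _cert, cas = pkcs12.load_key_and_certificates(p12_bytes, password)
    report = []
    for cert in cas or []:
        days_left = (not_after_utc(cert) - now).days
        report.append((cert.subject.rfc4514_string(), days_left, days_left <= warn_days))
    return report
```

Write the bytes returned by build_truststore to a .p12 file and upload that file as the keystore; run audit_truststore on the same file from a scheduled job so renewals happen before the warning window closes.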
This is a GenAI-powered tool. All generated answers require validation against the provided references.