Data Management Global

Data Management Global

A hub for collaboration, learning, networking, and cultural exchange, and contributing to positive global engagement

 View Only

Custom Certificate Configuration for IIAS Console and Windows Trust Store Integration

By JOBIN J posted Sun May 04, 2025 01:12 PM

  

Overview

The IBM Integrated Analytics System (IIAS) comes with a default self-signed SSL certificate. While this is functional for accessing the console, it is not trusted by browsers by default, which leads to browser warnings indicating the certificate is not valid.

For most environments, especially those not using replication services, replacing the default certificate is optional. However, if replication is enabled, a valid certificate—preferably customer-managed—is required.

This document outlines how to:

  1. Generate a self-signed certificate with the correct configuration.
  2. Upload it to the IIAS web console.
  3. Add the certificate to the Windows trust store to eliminate browser warnings.

Why the Certificate Warning Occurs

When accessing the IIAS console over HTTPS, browsers validate the SSL certificate presented by the server. A warning appears if:

  • net::ERR_CERT_AUTHORITY_INVALID: The certificate is self-signed and not trusted by the operating system.
  • net::ERR_CERT_COMMON_NAME_INVALID: The certificate does not match the console hostname.
  • net::ERR_CERT_INVALID: The certificate is missing the Subject Alternative Name (SAN) field.

To avoid these warnings, you must either:

  • Purchase and configure a certificate signed by a trusted Certificate Authority (CA), or
  • Use a properly configured self-signed certificate and import its root certificate into the operating system's trust store.

In this guide, we will configure a self-signed certificate with the IIAS console and add the root CA to the system trust store to avoid browser warnings.

1. Generate a Self-Signed Certificate with Subject Alternative Name

1.1 Create OpenSSL Configuration File

As a first step, create a file named san.cnf with the following content, and change it as per your requirements.

This configuration file is used to generate an SSL/TLS certificate signing request (CSR) with Subject Alternative Names (SANs)...

[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_req

[ dn ]
C  = US
ST = State
L  = City
O  = Your Organization
CN = iias-console.company.local

[ v3_req ]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ alt_names ]
DNS.1 = iias-console.company.local

1.2 Generate Certificate and Private Key

Run the following command:

openssl req -newkey rsa:2048 -nodes -keyout key.pem \
  -x509 -days 365 -out certificate.pem \
  -config san.cnf -extensions v3_req

This creates a self-signed certificate valid for one year, with SAN support.

1.3 Export Certificate and Key to PKCS#12 Format

Run the following:

openssl pkcs12 -export \
  -in certificate.pem \
  -inkey key.pem \
  -out cert.p12

You will be prompted to set a password for the PKCS#12 file. This file will be uploaded to the IIAS console.

2. Upload Certificate to the IIAS Console

  1. Log in to the IIAS web console as an administrator.
  2. Navigate to: Settings > System Settings.
  3. Toggle Enable user provided certificate to ON.
  4. Click Select a certificate file (PKCS #12).
  5. Browse to and select the cert.p12 file you created.
  6. Enter the PKCS#12 password when prompted.
  7. Click Apply.

The IIAS system will restart and begin using your custom certificate.

3. Add the Certificate to Windows Trust Store

To avoid browser warnings when accessing the IIAS console, the root certificate must be added to the Windows Trusted Root Certification Authorities store.

3.1 Download the Certificate

  1. Open your browser (e.g., Chrome or Edge) and navigate to the website using HTTPS (e.g., https://iias-console.company.local).
  2. Click the padlock icon in the address bar.
  3. Select Certificate (Valid) or Certificate details from the dropdown.
  4. In the certificate window, go to the Details tab and click Export.
  5. In the export wizard, choose Base-64 encoded ASCII, single certificate format and click Next.
  6. Choose a location to save the certificate (e.g., mycert.cer) and click Save.
  7. Click Finish to complete the export.

3.2 Import Certificate into Windows Trust Store : Using the MMC Console

  1. Press Windows + R, type mmc, and press Enter.
  2. Go to File > Add/Remove Snap-in.
  3. Select Certificates, click Add.
  4. Choose Computer account, then Local Computer.
  5. Click OK.
  6. Expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
  7. Right-click Certificates, select All Tasks > Import.
  8. Import the iias-cert.cer file into the Trusted Root Certification Authorities store.
  9. You will see a success message once complete.

3.3 Verification

  1. Close all browser windows.
  2. Open a browser and go to https://iias-console.company.local.
  3. Confirm that no security warning appears.
  4. Check that the certificate includes the SAN matching the hostname.

Summary

  • Replacing the default IIAS certificate is required for replication scenarios and recommended for production environments.
  • A self-signed certificate is acceptable, provided it includes a valid Common Name and Subject Alternative Name.
  • Adding the certificate to the Windows trust store prevents browser warnings.
0 comments
21 views

Permalink

https://community.ibm.com/community/user/blogs/jobin-j2/2025/05/04/custom-certificate-configuration-for-iias-console