
Certificate in iMC

 
rafter_1
Advisor

Certificate in iMC

Anyone know how to change the certificate in iMC for web clients? If using HTTPS, I currently get the default iMC certificate. I have proper certificates; how do I get it to use them instead?

(will prevent the annoying allow certificates too!)

Graham Hurst
Advisor
rafter_1
Advisor

Re: Certificate in iMC

Hi,

Well done with the blog, this is what I'd worked out some time ago too :) ..

Now here's a new one for you... v5 SP1, has this changed as it looks like it... Is the new keystore file "newks" instead of "keystore"?

It appears that just using the previous cert keystore that I've been using with all the previous versions doesn't work if you just use it like before...

Any advice or knowledge of the changes to the certs in SP1?

Cheers!

LindsayHill
Honored Contributor

Re: Certificate in iMC

You've probably worked it out by now, but yeah, it seems that newks is now used, and that the default storepass is now iMCV500R001.

Look in C:\Program Files\iMC\client\conf\applicationContexts.xml. That defines the keystore to be used, and the password.

I'll be digging into this some more tomorrow.

Papageno
Occasional Advisor

Re: Certificate in iMC

I've just been down this path, and thought I'd followed it religiously, but the jserver process starts with errors and there is now no IMC web service, though ports 8080 and 8443 are listening. Any ideas?

The IMC Monitoring Agent says the jserver process status is "Error occurred in process startup. For details see the log." What log?

A listing of the keystore is attached.

Any help gratefully received.

Papageno
Occasional Advisor

Re: Certificate in iMC

Thought I'd added an attachment but it seems to have got lost.  Here it is below...

 

C:\Program Files\iMC\client\security>keytool -list -v -keystore .\newks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 1
Creation date: Jun 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=win2k-imc.aarons.net, O=Aarons Inc, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: 6
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
Certificate fingerprints:
         MD5:  19:D4:95:7D:DF:B0:C5:B7:EE:F2:B2:6B:E3:9F:F5:A9
         SHA1: 9F:2D:E6:47:A7:A8:57:4B:D0:0D:E2:FE:CB:FA:CF:A7:48:55:F3:47
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

]

Certificate[2]:
Owner: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: dc00dde55cfcd0f9
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Certificate fingerprints:
         MD5:  A3:56:C1:B6:2E:52:B4:27:37:6A:48:85:B8:E0:67:8F
         SHA1: A0:33:D5:5D:96:7E:06:FC:8F:FA:C5:9D:50:87:B2:14:E2:27:BA:AD
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

[CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK]
SerialNumber: [    dc00dde5 5cfcd0f9]
]



*******************************************
*******************************************


Alias name: imc
Creation date: Jun 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=win2k-imc.aarons.net, O=Aarons Inc, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: 6
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014
Certificate fingerprints:
         MD5:  19:D4:95:7D:DF:B0:C5:B7:EE:F2:B2:6B:E3:9F:F5:A9
         SHA1: 9F:2D:E6:47:A7:A8:57:4B:D0:0D:E2:FE:CB:FA:CF:A7:48:55:F3:47
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

]

Certificate[2]:
Owner: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Issuer: CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK
Serial number: dc00dde55cfcd0f9
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2018
Certificate fingerprints:
         MD5:  A3:56:C1:B6:2E:52:B4:27:37:6A:48:85:B8:E0:67:8F
         SHA1: A0:33:D5:5D:96:7E:06:FC:8F:FA:C5:9D:50:87:B2:14:E2:27:BA:AD
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 F9 C9 BB 17 2E 8F B6   B4 49 C2 07 4F BD A9 57  b........I..O..W
0010: C8 A1 0E 16                                        ....
]

[CN=aarons.net, OU=Home, O=Aarons Inc, L=Cheltenham, ST=GB, C=UK]
SerialNumber: [    dc00dde5 5cfcd0f9]
]



*******************************************
*******************************************



C:\Program Files\iMC\client\security>

 

LindsayHill
Honored Contributor

Re: Certificate in iMC

Hi Papageno

Sorry I don't have time to investigate this more closely, but you could check this post I made a while ago that covers setting up a custom certificate: http://www.netopscommunity.net/en_GB/forums/-/message_boards/view_message/48010#_19_message_48010

The logfile you need is somewhere under the client directory; off the top of my head it's called imcforeground.log.

Papageno
Occasional Advisor

Re: Certificate in iMC

Hi LindsayHill

 

Thanks for the pointer.  I finally tracked the issue down to my pfx package for transferring the server and CA trust chain certificates.  It contained all the right certificates and keys, but the keytool import just didn't generate the trust chain.  I finally built a working keystore using the process below.  May be helpful for other folks, who knows?

 

• Generate a Java keystore and key pair
keytool -genkey -alias imc -keyalg RSA -keystore newks -keysize 2048 -storepass iMCV500R001

• Generate a certificate signing request (CSR) for the keystore
keytool -certreq -alias imc -keystore newks -file imc-server.papageno-home.net.csr -storepass iMCV500R001

• Sign CSR from OpenSSL
sudo openssl ca -in imc-server.papageno-home.net.csr -out imc-server.papageno-home.net.crt -days 365

• Keytool barfs on the full crt file, so strip out the certificate to just the lines beginning and ending with "---BEGIN/END CERTIFICATE---" as imc-server.papageno-home.net.crt.modified

• Import a root or intermediate CA certificate to an existing Java keystore
keytool -import -trustcacerts -alias papageno-home.net -file ca.crt -keystore newks -storepass iMCV500R001

• Import a signed primary certificate to an existing Java keystore with alias "imc" ('cos IMC expects it so)
keytool -import -trustcacerts -alias imc -file imc-server.papageno-home.net.crt.modified -keystore newks -storepass iMCV500R001

• Set key password to same as store password
keytool.exe -keypasswd -alias imc -keypass keypassword -new iMCV500R001 -keystore newks -storepass iMCV500R001


LindsayHill
Honored Contributor

Re: Certificate in iMC

Good to hear you got it working - and thanks for posting back here to let us know how you did it. Might help someone else in future.

Florian_Baaske
Occasional Contributor

Re: Certificate in iMC

Hey,

 

I was looking for the same issue and did it. I wrote a blog about the solution I found with the latest iMC version. For those who are still searching for the solution, have a look at it.

 

http://www.flomain.de/2014/10/imc-webserver-certificate/

 

BR

Florian

Soderenergi
Visitor

Re: Certificate in iMC

Old thread, but it was the top hit on Google so I thought I'd add how we solved it.

On Windows Server 2016 and IMC 7.3 E0705.

I exported the certificate from the Windows Certificate store to a password protected PFX file (PKCS12) including all certificates in the chain. I set the export password to iMCV500R001.

Then a single line was used with keytool:

keytool.exe -importkeystore -srckeystore "C:\temp\exportedcert.pfx" -srcstoretype pkcs12 -destkeystore c:\temp\newks_2 -deststoretype JKS

Type iMCV500R001 three times and it's complete.

Import newks_2 in the Settings/HTTPS Settings using the web UI.

jguse
HPE Pro

Re: Certificate in iMC

Hello,

Thanks for sharing that. I can also confirm that importing a .jks keystore works fine and is probably the simplest way of getting the signed certificate working.

You don't necessarily need to use the IMCV500R001 password, it can be any other password too, which you enter when importing the .jks file on the web interface under HTTPS Access Settings. The important thing is that the password for the private key and the password for the keystore match, otherwise it will not work.

Best regards,
Justin

Working @ HPE
Accept or Kudo
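One check worth running before the web UI import, as an added example that is not code from this thread or from HPE: it parses the verbose output of keytool -list -v (the same format Papageno pasted above) and verifies what the replies say iMC needs, namely a PrivateKeyEntry under the alias "imc", a full CA chain attached to that entry rather than a lone leaf, and an unexpired leaf. The sample listing, names and dates are constructed; in practice feed it the captured output of keytool -list -v -keystore newks -storepass <your store password>.

```python
"""Sanity-check a JKS for iMC from `keytool -list -v` output.
Added example, not code from the thread: parses keytool's verbose listing
and reports whether the store is ready for the HTTPS Access Settings import.
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the listing posted in the thread (names and
# dates are placeholders). Alias "1" is a broken import: no CA chain, expired.
SAMPLE_LISTING = """\
Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=imc.example.test, O=Example
Issuer: CN=Example Root CA, O=Example
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Sat Jun 07 10:32:08 GMT 2014

Alias name: imc
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=imc.example.test, O=Example
Issuer: CN=Example Root CA, O=Example
Valid from: Fri Jun 07 10:32:08 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2035
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Valid from: Thu Mar 28 13:19:55 GMT 2013 until: Wed Mar 28 13:19:55 GMT 2035
"""

# 'Sat Jun 07 10:32:08 GMT 2014' -> (weekday date time, year); zone is dropped
DATE_RE = re.compile(r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")


def parse_keytool_date(text):
    """Parse a keytool timestamp into an aware UTC datetime."""
    day, year = DATE_RE.search(text).groups()
    return datetime.strptime(f"{day} {year}", "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_listing(listing):
    """Map alias -> {type, chain_length, certs: [{owner, issuer, not_after}]}."""
    entries, entry, cert = {}, None, None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entry = {"type": None, "chain_length": 0, "certs": []}
            entries[line.split(":", 1)[1].strip()] = entry
            cert = None
        elif entry is None:
            continue  # header lines before the first alias
        elif line.startswith("Entry type:"):
            entry["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            entry["chain_length"] = int(line.split(":", 1)[1])
        elif line.startswith("Certificate["):
            cert = {}
            entry["certs"].append(cert)
        elif cert is not None and line.startswith("Owner:"):
            cert["owner"] = line.split(":", 1)[1].strip()
        elif cert is not None and line.startswith("Issuer:"):
            cert["issuer"] = line.split(":", 1)[1].strip()
        elif cert is not None and line.startswith("Valid from:"):
            cert["not_after"] = parse_keytool_date(line.split("until:", 1)[1])
    return entries


def check_imc_keystore(listing, now=None, alias="imc"):
    """Return (ready, findings); findings are (level, message) tuples."""
    now = now or datetime.now(timezone.utc)
    entries = parse_listing(listing)
    findings = []
    entry = entries.get(alias)
    if entry is None:
        findings.append(("error", f"no '{alias}' alias (found {sorted(entries)}); iMC loads only that alias"))
        return False, findings
    if entry["type"] != "PrivateKeyEntry":
        findings.append(("error", f"'{alias}' is a {entry['type']}, not a PrivateKeyEntry: no private key"))
    if entry["chain_length"] < 2:
        findings.append(("error", "chain length < 2: CA chain not attached; import the CA cert (-trustcacerts) first"))
    # Each cert's issuer must be the owner of the next cert up the chain.
    for lower, upper in zip(entry["certs"], entry["certs"][1:]):
        if lower["issuer"] != upper["owner"]:
            findings.append(("error", f"broken chain: '{lower['issuer']}' is not the next cert's owner"))
    if entry["certs"] and entry["certs"][0]["not_after"] <= now:
        findings.append(("error", f"leaf certificate expired {entry['certs'][0]['not_after']:%Y-%m-%d}"))
    extras = sorted(set(entries) - {alias})
    if extras:
        findings.append(("warn", f"other aliases still in the store: {extras}; delete them so only '{alias}' remains"))
    return not any(level == "error" for level, _ in findings), findings


if __name__ == "__main__":
    ready, findings = check_imc_keystore(SAMPLE_LISTING)
    for level, msg in findings:
        print(f"[{level}] {msg}")
    print("ready for import" if ready else "NOT ready for import")
```

The leftover-alias warning corresponds to the delete step in the script further down the thread; the chain-length error is the "keytool import just didn't generate the trust chain" symptom Papageno hit.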
AlexRose
Occasional Visitor

Re: Certificate in iMC

Hi all. I know this has been around for a while but I get an error when I try to upload the new certificate along the lines of:

Failed to modify HTTPS access configurations, files are in use.

Has anyone seen this before or know how to fix it?

 

devocite
Advisor

Re: Certificate in iMC

After having manually plunked through these steps many times, I decided to automate the process.
As I know this process is a bit of a struggle for IMC admins, I've decided to share.

For the automation, I initially started to use good ol' Windows batch, but quickly remembered why I dislike it.
I instead elected to use PowerShell. It is well supported on Windows and *nix, so anyone should be able to use it. If you flat refuse to use PS, porting it to another scripting language wouldn't take much work. Though why would you?

I intentionally kept the script very linear to ensure ease in reading, and simple to follow for a code novice.

To use:

1. Copy the code below into an editor.
2. Save the script on the server running IMC, e.g. c:\IMCCert\IMC_WebCert_preparation.ps1
3. After obtaining the PKCS#12 file, save it to e.g. c:\IMCCert\IMC-WebCert.pfx
4. Modify the variables $PFX_Filename and $pkcs12passwd (line 46) and save.
5. Open a PowerShell CLI session and navigate to the directory where the certificate work will occur, e.g. cd \IMCCert\
6. At the prompt, simply enter the name of the PowerShell script and press Enter to execute it.
7. You will have to enter the PKCS#12 password when prompted, and press Enter to accept an alias copy.
8. When complete, you will have a new file newks_imc in your work directory, which you will import in IMC.

That's it! The script writes a lot of stuff to the terminal, to help track the process, and to help with the manual steps the admin must do.

I almost added stopping IMC, installing the cert store, and restarting IMC.
However, I felt like that is too much automation, and an admin has to take responsibility for at least that aspect of a server's operations.

BTW, I've added, as remarks at the bottom of the script, how to manually install the key store as a backup to the GUI method.

I hope this helps! Cheers!

##################################################################################
## Description
## Powershell automation for importing a PKCS12 Certificate in the IMC Web UI.
##
## -------------------------------------------------------------------------------
## Author: 
## John Maier - MASE and a bunch other HPE Aruba stuff.
##
## -------------------------------------------------------------------------------
## Revision 1.00 - 2021-09-21 - Initial release
##
## -------------------------------------------------------------------------------
## Credit, where Credit is due:
## Process taken and adapted from Webposts
## https://www.flomain.de/2014/10/how-to-imc-webserver-certificate/
## https://community.hpe.com/t5/IMC/Certificate-in-iMC/td-p/2314848#.YUozxis3laQ
## 
## -------------------------------------------------------------------------------
## Disclaimer: 
## The author makes no warranty as to the fitness, or accuracy of this code.
## 
## Use freely as needed.
## If this script helps make your life easier, simply think kindly of me. :-)
## giving me a Kudo on my post is a nice way to stroke my ego too.
## -------------------------------------------------------------------------------
## Contact:
## Via Airheads or community.hpe.com  @devocite
##################################################################################

# Step 1: -----------------------------------------------------------------------------------------------------------------#
### - Obtain a new certificate from a Certificate Authority (CA) as a password protected PKCS12 file.


# Step 2: -----------------------------------------------------------------------------------------------------------------# 
# - Create a work directory, as needed.
# - directory where Certificate work will be performed, e.g. C:\IMCCert\ or for *nix ./IMCCert/
$IMC_TLS_Work_Dir = "C:\IMCCert\"


# Step 3: ------- Edit ---- Edit ---- Edit ---- Edit ---- Edit ---- Edit ------- # 
# - place the PKCS12 file in work directory
# - File name of new IMC Certificate obtained from a CA
$PFX_Filename = "IMC-WebCert.pfx"

# - Password that was used to secure the PFX certificate export file. 
$pkcs12passwd = "ReplaceWithPasswordusedToSecurePFX"


# Step 4: -----------------------------------------------------------------------------------------------------------------#
# Variable setup - changes, below this point, shouldn't be needed for a typical Windows install,
# except to adapt for a customized Windows install, or for a IMC on *nix install.

# - Where IMC binary exec tools are located - 
# For Windows, typically: C:\Program Files\iMC\deploy\jdk\bin\
# for *nix, typically: /opt/iMC/deploy/jdk/bin/
$IMC_Bin_Dir = "C:\Program Files\iMC\deploy\jdk\bin\"

# - For making backups of existing files.
$revison_num = Get-Date -Format "yyyyMMddHHmm"

# - Source of new IMC Certificate obtained from a CA
$JKS_Filename = "newks_imc"

# - Password to be used for securing the JKS
# - Note: I typically keep the JKS (Java Key Store) password the same as the PKCS12 password, to avoid confusion, but do as you wish.
$JKSpasswd = $pkcs12passwd
 
# Full Path and name of files for Cert work.
$NewCertPFX= $IMC_TLS_Work_Dir+$PFX_Filename
$JKStoreFile=$IMC_TLS_Work_Dir+$JKS_Filename
$KeyToolCmd= $IMC_Bin_Dir+"keytool.exe"


# Step 5: -----------------------------------------------------------------------------------------------------------------#

# Test for previous JKS file and rename it, if needed.
if (Test-Path $JKStoreFile -PathType leaf) {
	$JKSBackup = $JKStoreFile+"_"+$revison_num
	Rename-Item -Path $JKStoreFile -NewName $JKSBackup
}


# Step 6: -----------------------------------------------------------------------------------------------------------------#
Write-Host ""
Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
Write-Host ""
Write-Host "	The Warnings, keytool generates, can safely be ignored."
Write-Host ""
Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
Write-Host ""
Write-Host "**************************************************************************"
Write-Host ""
Write-Host "	Copy Certificate, private key, etc from PKCS12 format to JKS"
Write-Host ""
Write-Host "**************************************************************************"

& $KeyToolCmd -importkeystore -srckeystore $NewCertPFX -destkeystore $JKStoreFile -srcstoretype pkcs12 -deststoretype JKS -storepass $JKSpasswd 
# Manual Input: $pkcs12passwd


# Step 7: -----------------------------------------------------------------------------------------------------------------#
### - Get Alias name of imported PKCS12 certificate and test ###

$AliasName = & $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd | findstr /B /L "Alias name"
$AliasName = $AliasName.Split(":")[1]
$AliasName = $AliasName.Substring(1,$AliasName.Length-1)

if (($AliasName.Length -eq 0) -or !(Test-Path $JKStoreFile -PathType leaf)) {
	Write-Host ""
	Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
	Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
	Write-Host ""
	Write-Host "	 !!!  The certificate import failed  !!!"
	Write-Host "	 Please review and restart the process"
	Write-Host ""
	Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
	Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
} else {
	Write-Host ""
	Write-Host "********************************************************************************************************"
	Write-Host ""
	Write-Host "	The imported JKS Certificate Alias: $AliasName"
	Write-Host ""
	Write-Host "********************************************************************************************************"


# Step 8: -----------------------------------------------------------------------------------------------------------------#
	Write-Host ""
	Write-Host "********************************************************************************************************"
	Write-Host ""
	Write-Host "	Copying alias $AliasName to alias 'imc' in JKS"
	Write-Host ""
	Write-Host "********************************************************************************************************"
	
	& $KeyToolCmd -keyclone -keystore $JKStoreFile -alias "$AliasName" -storepass $JKSpasswd -dest imc 
	# Manual Input: [Enter Key] - keeps the certificate copy password the same as the original PKCS12 cert password.


# Step 9: -----------------------------------------------------------------------------------------------------------------#
	# Verify the alias copy was successful 
	
	$AliasVerify = & $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd | findstr /R "\:.imc"
	$AliasVerify = $AliasVerify.Split(":")[1]
	$AliasVerify = $AliasVerify.Substring(1,$AliasVerify.Length-1)

	if ($AliasVerify -eq "imc") {
		Write-Host "Alias $AliasName copied successfully to imc"


# Step 10: -----------------------------------------------------------------------------------------------------------------#
		### - delete the original keystore alias entry, from newks_imc, leaving just the alias 'imc' entry.
		
		Write-Host ""
		Write-Host "********************************************************************************************************"
		Write-Host ""
		Write-Host "	Deleting $AliasName from JKS..."
		Write-Host ""
		Write-Host "********************************************************************************************************"

		& $KeyToolCmd -delete -keystore $JKStoreFile -alias "$AliasName" -storepass $JKSpasswd


# Step 11: -----------------------------------------------------------------------------------------------------------------#
		### - Verify our work: The original certificate alias entry, imported into the keystore, should be gone.
		### - Only the certificate alias 'imc' should remain in the JKS

		$AliasVerify = & $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd | findstr $AliasName

		if ($AliasVerify.Length -eq 0) {
			Write-Host ""
			Write-Host "********************************************************************************************************"
			Write-Host ""
			Write-Host "	$AliasName successfully deleted from JKS"
			Write-Host ""
			Write-Host "	!!! JKS certificate store is ready to be imported into IMC !!!"
			Write-Host ""
			Write-Host "	Log into iMC GUI, where IMC Certificate work was performed; most likely on the IMC server."
			Write-Host "	Note: If browser will not allow HTTPS access, use http://localhost:8080"
			Write-Host ""
			Write-Host "	Open IMC and go to System->System Configuration->HTTPS Access Settings"
			Write-Host "	  Import $JKStoreFile using password $pkcs12passwd"
			Write-Host ""
			Write-Host "	Once installed, open the Intelligent Deployment Monitoring Agent GUI, Stop and then start IMC."
			Write-Host ""
			Write-Host "	Note: Restarting the Windows IMC services will not cause IMC to load the new certificate."
			Write-Host ""
			Write-Host "********************************************************************************************************"
		} else {
			Write-Host ""
			Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
			Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
			Write-Host ""
			Write-Host "	 !!! The alias delete seems to have failed !!!"
			Write-Host "	     Please review and restart the process"
			Write-Host ""
			Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
			Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
		}
	}
}

### !!!  Stop - do not do the following steps if the certificate was successfully installed via the GUI !!!

### !!! Emergency Manual Certificate installation process  !!! ###
### - If the GUI isn't available, due to certificate expiry:
#Step 1: Open the Intelligent Deployment Monitoring Agent GUI and Stop IMC.
#Step 2: move "C:\Program Files\iMC\client\security\keystore" "C:\Program Files\iMC\client\security\keystore.backup"
#Step 3: copy /y "$JKStoreFile" "C:\Program Files\iMC\client\security\newks_imc"
#Step 4: In the Intelligent Deployment Monitoring Agent GUI, Start IMC.


 

devocite
Advisor

Re: Certificate in iMC

A footnote to my last post...

After posting, I installed the new JKS through the IMC GUI, which I've done many times before.

I shut down and started IMC, but the Web wouldn't come up. I tracked down the error, and found that the C:\Program Files\iMC\client\conf\server.xml file was zero bytes! Since my IMC is a VM, I had a snapshot, and just rolled it back. The same issue occurred!

I was running iMC_PLAT_7.3_E0705P10_windows, so there may be a bug, but I honestly didn't spend much (any) time looking into it. Instead, I automated the footnote remarks at the bottom of my PS script.

The additional part works thus..

1. Check to see if the process 'img' is running. If so, throw up a warning to stop IMC, and end the script.
2. If not running, back up the existing keystore, and any old 'new' certificate imports.
3. Move the JKS (newks_imc) to the security folder, to be processed when IMC is started.

After this, IMC's GUI came up with the new cert. I did update to 7.3_E0705P12, and tried re-installing the new cert via IMC's GUI. I restarted, and had no issues.

So if it was a bug, perhaps it got fixed, and if it just happened to be bad luck (twice), at least the script will help make the process all the more simple.

I'm posting version 1.1 with the extra installation automation.

Update: 1.11, fixed moving JKS across file systems, due to feedback from Racowi.


##################################################################################
## Description
## Powershell automation for importing a PKCS12 Certificate in the IMC Web UI.
##
## -------------------------------------------------------------------------------
## Author: 
## John Maier - MASE and a bunch other HPE Aruba stuff.
##
## -------------------------------------------------------------------------------
## Revision 1.00 - 2021-09-21 - Initial release
## Revision 1.10 - 2021-09-22 - Added auto JKS install if IMC isn't running.
## Revision 1.11 - 2021-10-04 - Change Rename-Item to Move-Item when installing JKS to IMC security directory. - Thanks to Racowi
## -------------------------------------------------------------------------------
## Credit, where Credit is due:
## Process taken and adapted from Webposts
## https://www.flomain.de/2014/10/how-to-imc-webserver-certificate/
## https://community.hpe.com/t5/IMC/Certificate-in-iMC/td-p/2314848#.YUozxis3laQ
## 
## -------------------------------------------------------------------------------
## Disclaimer: 
## The author makes no warranty as to the fitness, or accuracy of this code.
## 
## Use freely as needed.
## If this script helps make your life easier, simply think kindly of me. :-)
## giving me a Kudo on my post is a nice way to stroke my ego too.
## -------------------------------------------------------------------------------
## Contact:
## Via Airheads or community.hpe.com  
##################################################################################

# Step 1: -----------------------------------------------------------------------------------------------------------------#
### - Obtain a new certificate from a Certificate Authority (CA) as a password protected PKCS12 file.


# Step 2: -----------------------------------------------------------------------------------------------------------------# 
# - Create a work directory, as needed.
# - directory where Certificate work will be performed, e.g. C:\IMCCert\ or for *nix ./IMCCert/
$IMC_TLS_Work_Dir = "C:\IMCCert\"


# Step 3: ------- Edit ---- Edit ---- Edit ---- Edit ---- Edit ---- Edit ------- # 
# - place the PKCS12 file in work directory
# - File name of new IMC Certificate obtained from a CA
$PFX_Filename = "imc.pfx"

# - Password that was used to secure the PFX certificate export file. 
$pkcs12passwd = "ChangeMeToYourPFXpass"


# Step 4: -----------------------------------------------------------------------------------------------------------------#
# Variable setup - changes, below this point, shouldn't be needed for a typical Windows install,
# except to adapt for a customized Windows install, or for a IMC on *nix install.

# - Where IMC binary exec tools are located - 
# For Windows, typically: C:\Program Files\iMC\deploy\jdk\bin\
# for *nix, typically: /opt/iMC/deploy/jdk/bin/
$IMC_Bin_Dir = "C:\Program Files\iMC\deploy\jdk\bin\"

# - For making backups of existing files.
$revison_num = Get-Date -Format "yyyyMMddHHmm"

# - Source of new IMC Certificate obtained from a CA
$JKS_Filename = "newks_imc"

# - Password to be used for securing the JKS
# - Note: I typically keep the JKS (Java Key Store) password the same as the PKCS12 password, to avoid confusion, but do as you wish.
$JKSpasswd = $pkcs12passwd
 
# Full Path and name of files for Cert work.
$NewCertPFX= $IMC_TLS_Work_Dir+$PFX_Filename
$JKStoreFile=$IMC_TLS_Work_Dir+$JKS_Filename
$KeyToolCmd= $IMC_Bin_Dir+"keytool.exe"


# Step 5: -----------------------------------------------------------------------------------------------------------------#

# Test for previous JKS file and rename it, if needed.
if (Test-Path $JKStoreFile -PathType leaf) {
	$JKSBackup = $JKStoreFile+"_"+$revison_num
	Rename-Item -Path $JKStoreFile -NewName $JKSBackup
}


# Step 6: -----------------------------------------------------------------------------------------------------------------#
Write-Host ""
Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
Write-Host ""
Write-Host "	The Warnings, keytool generates, can safely be ignored."
Write-Host ""
Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
Write-Host ""
Write-Host "**************************************************************************"
Write-Host ""
Write-Host "	Copy Certificate, private key, etc from PKCS12 format to JKS"
Write-Host ""
Write-Host "**************************************************************************"

& $KeyToolCmd -importkeystore -srckeystore $NewCertPFX -destkeystore $JKStoreFile -srcstoretype pkcs12 -deststoretype JKS -storepass $JKSpasswd 
# Manual Input: $pkcs12passwd


# Step 7: -----------------------------------------------------------------------------------------------------------------#
### - Get Alias name of imported PKCS12 certificate and test ###

$AliasName = & $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd | findstr /B /L "Alias name"
$AliasName = $AliasName.Split(":")[1]
$AliasName = $AliasName.Substring(1,$AliasName.Length-1)

if (($AliasName.Length -eq 0) -or !(Test-Path $JKStoreFile -PathType leaf)) {
	Write-Host ""
	Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
	Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
	Write-Host ""
	Write-Host "	 !!!  The certificate import failed  !!!"
	Write-Host "	 Please review and restart the process"
	Write-Host ""
	Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
	Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
} else {
	Write-Host ""
	Write-Host "********************************************************************************************************"
	Write-Host ""
	Write-Host "	The imported JKS Certificate Alias: $AliasName"
	Write-Host ""
	Write-Host "********************************************************************************************************"


# Step 8: -----------------------------------------------------------------------------------------------------------------#
	Write-Host ""
	Write-Host "********************************************************************************************************"
	Write-Host ""
	Write-Host "	Copying alias $AliasName to alias 'imc' in JKS"
	Write-Host ""
	Write-Host "********************************************************************************************************"
	
	& $KeyToolCmd -keyclone -keystore $JKStoreFile -alias "$AliasName" -storepass $JKSpasswd -dest imc 
	# Manual Input: [Enter Key] - keeps the certificate copy password the same as the original PKCS12 cert password.


# Step 9: -----------------------------------------------------------------------------------------------------------------#
	# Verify the alias copy was successful 
	
	$AliasVerify = & $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd | findstr /R "\:.imc"
	$AliasVerify = $AliasVerify.Split(":")[1]
	$AliasVerify = $AliasVerify.Substring(1,$AliasVerify.Length-1)

	if ($AliasVerify -eq "imc") {
		Write-Host "Alias $AliasName copied successfully to imc"


# Step 10: -----------------------------------------------------------------------------------------------------------------#
		### - delete the original keystore alias entry, from newks_imc, leaving just the alias 'imc' entry.
		
		Write-Host ""
		Write-Host "********************************************************************************************************"
		Write-Host ""
		Write-Host "	Deleting $AliasName from JKS..."
		Write-Host ""
		Write-Host "********************************************************************************************************"

		& $KeyToolCmd -delete -keystore $JKStoreFile -alias "$AliasName" -storepass $JKSpasswd


# Step 11: -----------------------------------------------------------------------------------------------------------------#
		### - Verify our work: The original certificate alias entry, imported into the keystore, should be gone.
		### - Only the certificate alias 'imc' should remain in the JKS

		$AliasVerify = & $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd | findstr $AliasName

		if (-not $AliasVerify) {   # findstr returns nothing ($null) once the alias is gone
			Write-Host ""
			Write-Host "********************************************************************************************************"
			Write-Host ""
			Write-Host "	$AliasName successfully deleted from JKS"
			Write-Host ""
			Write-Host "	!!! JKS certificate store is ready to be imported into IMC !!!"
			Write-Host ""
			Write-Host "	Log into iMC GUI, where IMC Certificate work was performed; most likely on the IMC server."
			Write-Host "	Note: If browser will not allow HTTPS access, use http://localhost:8080"
			Write-Host ""
			Write-Host "	Open IMC and go to System->System Configuration->HTTPS Access Settings"
			Write-Host "	  Import $JKStoreFile using password $pkcs12passwd"
			Write-Host ""
			Write-Host "	Once installed, open the Intelligent Deployment Monitoring Agent GUI, Stop and then start IMC."
			Write-Host ""
			Write-Host "	Note: Restarting the Windows IMC services will not cause IMC to load the new certificate."
			Write-Host ""
			Write-Host "********************************************************************************************************"
		} else {
			Write-Host ""
			Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
			Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
			Write-Host ""
			Write-Host "	 !!! The alias delete seems to have failed !!!"
			Write-Host "	     Please review and restart the process"
			Write-Host ""
			Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
			Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
		}
	}
}


# --  Only proceed to install the new certificate if IMC is not running.
$IMC_Process_name = 'img';
$arrService = Get-Process -Name $IMC_Process_name -ErrorAction SilentlyContinue
if ($arrService.Responding -eq $True) {
	Write-Host ""
	Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
	Write-Host "     NOTICE!     NOTICE!     NOTICE!     NOTICE!     NOTICE!"
	Write-Host ""
	Write-Host "                   !!! IMC is still running. !!!"
	Write-Host "    Before proceeding to install the new cert: "
	Write-Host "  Open the Intelligent Deployment Monitoring Agent GUI and Stop IMC."
	Write-Host "  Once IMC has stopped, then re-run this to install the new Cert."
	Write-Host ""
	Write-Host "          NOTICE!     NOTICE!		NOTICE!     NOTICE!"
	Write-Host "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
} else {
	$IMC_Security_Dir = "C:\Program Files\iMC\client\security\"

# -- Backup of IMC's keystore file.
	$IMCStoreFile=$IMC_Security_Dir+"keystore"
	if (Test-Path $IMCStoreFile -PathType leaf) {   # back up IMC's existing keystore, not the work file
		$IMCStoreBackup = $IMCStoreFile+"_"+$revison_num
		Rename-Item -Path $IMCStoreFile -NewName $IMCStoreBackup
	}

# -- backup any old 'new' certificate work from the past.
	$IMCNewKeyFile=$IMC_Security_Dir+$JKS_Filename
	if (Test-Path $IMCNewKeyFile -PathType leaf) {
		$IMCNewKeyBackup = $IMCNewKeyFile+"_"+$revison_num
		Rename-Item -Path $IMCNewKeyFile -NewName $IMCNewKeyBackup
	}
# - Move the JKS work file to the IMC security folder to be processed when IMC starts.
	Move-Item -Path  $JKStoreFile $IMCNewKeyFile

	if (Test-Path $IMCNewKeyFile -PathType leaf) {
		Write-Host ""
		Write-Host "********************************************************************************************************"
		Write-Host ""
		Write-Host "	The New Key Certificate has been successfully moved to IMC. "
		Write-Host "    IMC is ready to be started, to apply the new certificate."
		Write-Host ""
		Write-Host "********************************************************************************************************"
	}

}
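An added verification step, not part of the script above or of iMC: rather than grepping keytool output with findstr (Steps 9 and 11), this parses `keytool -list -v` output and confirms the JKS is in the state the script expects before it is handed to iMC: exactly one entry, alias 'imc', holding a private key and a full chain. It assumes the script's own $KeyToolCmd, $JKStoreFile and $JKSpasswd; the sample keytool output embedded for the offline dry run is constructed.

```powershell
# Added example (not part of the original script): parse 'keytool -list -v' output and
# check for the end state of Step 11: one entry, alias 'imc', with private key and full chain.
function Test-ImcKeystore {
    param(
        [string[]]$KeytoolOutput,        # lines from: keytool -list -v ...
        [string]$ExpectedAlias = 'imc'
    )
    $entries = @()
    $current = $null
    foreach ($line in $KeytoolOutput) {
        if ($line -match '^Alias name:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Alias = $Matches[1].Trim(); Type = ''; ChainLength = 0 }
            $entries += $current
        } elseif ($current -and $line -match '^Entry type:\s*(\S+)') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^Certificate chain length:\s*(\d+)') {
            $current.ChainLength = [int]$Matches[1]
        }
    }
    $problems = @()
    $names = ($entries | ForEach-Object { $_.Alias }) -join ', '
    if ($entries.Count -ne 1) { $problems += "expected 1 entry, found $($entries.Count): $names" }
    $imc = $entries | Where-Object { $_.Alias -eq $ExpectedAlias }
    if (-not $imc) {
        $problems += "alias '$ExpectedAlias' not found"
    } elseif ($imc.Type -ne 'PrivateKeyEntry') {
        $problems += "alias '$ExpectedAlias' is $($imc.Type), not PrivateKeyEntry: private key was not cloned"
    } elseif ($imc.ChainLength -lt 2) {
        $problems += "alias '$ExpectedAlias' has chain length $($imc.ChainLength): issuing CA cert missing"
    }
    New-Object PSObject -Property @{ Ok = ($problems.Count -eq 0); Problems = $problems; Entries = $entries }
}
# Against the real store, using the script's own variables (assumed defined earlier):
#   $check = Test-ImcKeystore (& $KeyToolCmd -list -v -keystore "$JKStoreFile" -storepass $JKSpasswd)
#   if (-not $check.Ok) { $check.Problems | ForEach-Object { Write-Host "!!! $_" } }
# Constructed sample output for an offline dry run: the original alias '1' was not deleted.
$sample = @'
Keystore type: JKS

Your keystore contains 2 entries

Alias name: imc
Entry type: PrivateKeyEntry
Certificate chain length: 2

Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 2
'@ -split "`r?`n"
(Test-ImcKeystore $sample).Problems
```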


 

racowi
Frequent Advisor

Re: Certificate in iMC

It works for me. Good Job!!
It is a nice script. Thanks.

I had to change the last Rename-Item (moving work file part) to 

Move-Item -Path  $JKStoreFile $IMCNewKeyFile

Thanks again.

devocite
Advisor

Re: Certificate in iMC

That is great to hear!   

Also, good point on the Move vs Rename, especially if the work directory is on a different drive than the IMC security folder.
Regardless, Move-Item really does make more sense. 

Thanks for the feedback, and supplying a resolution!