Overview of Certificate Management Using the SAS Deployment Manager

Starting in the third maintenance release of SAS 9.4, a bundle of root digital certificates is provided to get TLS up and working at SAS installation. SAS provides a bundle of certificates from Mozilla that can be used as the default trust provider when you are setting up protocols such as TLS. When providing your own signed certificates, you must add the CA root and intermediate certificates to the trusted CA bundle using the SAS Deployment Manager. See Add Your Certificates to the Trusted CA Bundle.
You will also need to add your self-signed certificates to the trusted CA bundle.
Note: In the second maintenance release for SAS 9.4 and earlier, when providing your own signed certificates, you must add the CA root and intermediate certificates to the SAS Private JRE using the Java keytool -importcert command. See Add Your Certificates to the SAS Private JRE.
Note: Regardless of your release of SAS 9.4, on Windows, when providing your own signed certificates, you must add the CA root and intermediate certificates to the Windows certificates stores using the Windows Certificates Snap-in. See Add Your Certificates to the Windows CA Stores.
The Mozilla bundle of CA certificates (root certificates) is used to create two new files, the trustedcerts.pem file and the trustedcerts.jks file (used by Java apps). Initially, these files contain only a list of root certificates that have been approved by Mozilla for inclusion in Network Security Services (NSS). These files are updated each time the SAS Deployment Manager add and remove certificates tasks are performed.
For additional information about the Mozilla Bundle of Certificates, see Mozilla CA Certificate Store. The current list of included root certificates can be found at Mozilla Included CA Certificate List.
When you use the SAS Deployment Manager task to add custom CA certificates, your certificates are added to the trustedcerts.pem and trustedcerts.jks files. The trustedcerts.jks file is copied to the jssecacerts file in the SAS Private JRE on Windows and UNIX hosts. After you add files using the SAS Deployment Manager, the three files contain the CA certificates redistributed by SAS from Mozilla as well as the certificates that you just added. The same process occurs when the SAS Deployment Manager task is used to remove the same custom CA certificates: the three files are regenerated. All three files (trustedcerts.pem, trustedcerts.jks, and jssecacerts) are kept in sync using the SAS Deployment Manager tasks. Refer to the SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide for a detailed discussion of these files and the tasks to add and remove certificates.
When the initial installation of SAS Software is complete on UNIX and z/OS platforms, the SSLCALISTLOC option is set by default to point to the trustedcerts.pem file.
Note: The SSLCALISTLOC option should not be overridden or changed unless directed by technical support. In addition, the trustedcerts.pem file should not be altered by any means other than by using the new SAS Deployment Manager add and remove certificate tasks. If the file is changed by another means, the provided trusted CA bundle might not be supported and maintenance of those changes is not guaranteed.
CAUTION:
Do not remove any of the CA certificates that were initially included as part of the Mozilla CA Bundle.
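The following read-only check is an added example, not SAS-provided code. It compares the certificates in a current trustedcerts.pem against a baseline copy and reports any that were removed or added, which helps confirm that the original Mozilla roots are still present and that only the expected custom CA certificates were added. It assumes you saved a copy of trustedcerts.pem after the initial installation. The function names and sample "certificates" are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import re

# Matches each PEM-armored certificate; comments between entries are ignored.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprints of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # strip line breaks first
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def compare_bundles(baseline_pem, current_pem):
    """Report certificates removed from, or added to, the baseline bundle."""
    base, cur = fingerprints(baseline_pem), fingerprints(current_pem)
    return {"removed": sorted(base - cur), "added": sorted(cur - base)}


def fake_cert(label):
    # Constructed placeholder: arbitrary bytes in PEM armor, not a real certificate.
    b64 = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles (in practice, read both files from disk).
ROOT_A, ROOT_B, SITE_CA = fake_cert("root-a"), fake_cert("root-b"), fake_cert("site-ca")
BASELINE = ROOT_A + ROOT_B   # bundle as saved after initial installation
CURRENT = ROOT_A + SITE_CA   # one original root missing, one custom CA added

if __name__ == "__main__":
    diff = compare_bundles(BASELINE, CURRENT)
    for fp in diff["removed"]:
        print("MISSING original certificate, sha256:", fp)
    for fp in diff["added"]:
        print("Added since baseline, sha256:", fp)
```

An entry under "removed" means a certificate from the original bundle is no longer present. An entry under "added" should correspond to a CA certificate you added with the SAS Deployment Manager task.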