Architecting, installing and maintaining your SAS environment

Best practices for unattended deployment of certificates

Trusted Advisor
Posts: 1,758

Best practices for unattended deployment of certificates

Hi all,


I am feeling very curious and interested on the best practices and procedures you follow, in order to automate the deployment of certificates to the client side (windows) on an unattended and secure way, with the following specifics:


- Automated "download"/export of the complete tree of certificates from your SAS Web Server or a reverse proxy.

- Automated install/import those certificates for the SAS Web Applications (web browser), the desktop SAS applications (Private JREs) and the Java web applications as SAS Enterprise Miner Java Web Start (Public/System JREs)


Looking forward to reading your proposals and pin-points to documentation!


Thanks in advance Smiley Happy


Best regards,


SAS Employee
Posts: 112

Re: Best practices for unattended deployment of certificates

Posted in reply to JuanS_OCS

Starting with 9.4M3, SAS ships an open source trusted Certificate Authority (CA) bundle and allows users to add site-signed or third-party signed certificates to it.  All applications with the exception of Java Web Start (JWS) applications use this trusted CA bundle.  This is done by default by the SAS Deployment Wizard, or as a post-deployment step via the SAS Deployment Manager.  JWS applications leverage user-supplied JREs, and SAS does not automate certificate management for them.  Users can copy the aforementioned certificate bundle (trustedcerts.jks) from a SAS machine which hosts one of the aforementioned applications into their JRE's lib/security directory with the name of jssecacerts, and the JWS applications will use it.


For more information on certificate management, you can consult the "Setting up Cetificates for SAS Deployment" in the SAS 9.4 Intelligence Platform: Installation and ....

Trusted Advisor
Posts: 1,758

Re: Best practices for unattended deployment of certificates

Hi @Mark_sas,


thanks a lot for your feedback, very appreciated.


I personally think that the SAS software is starting to create a medium to create procedures and best practices regarding the certificates. I am using what you describe here for several months and it makes the life much easier. 


While we wait for additional progress and developments in this area, we still need to have some additional procedures for the certificates. Specially, the ones for JWS applications, which are being executed by the System/User JREs and not the Private JRE.


As this are he system/user JRE, I personally see dangerous to copy/paste the certificate stores, because you can lose all the others company/application certificates that are not SAS related. Besides, a computer can have several system and user JREs/JDKs versions. That actually the main reason because I am asking for best practices,procedures, best commands to execute this on an easy and procedural way.


Is there anything else as an addition to the information you mentioned?

Ask a Question
Discussion stats
  • 2 replies
  • 2 in conversation