PMP SSL Certificate

Configure SSL Certificate by generating the keystore and CSR using the keytool utility.

The Keytool executable is available under <PMP-Installation-Directory>/jre/bin folder.  So you can open a command prompt, navigate to PMP Installation Directory in command prompt and execute the below commands.  You need not have Java installed for this.

The first set of instructions contains steps to configure SSL Certificate directly.  But, if you would like to have an alias for the Password Manager Pro URL instead of connecting to the web console using the hostname of the server, the second set of instructions will help you out.
1) Find the below steps for configuring the SSL certificate with example commands. For the step 3, you will submit the CSR to a third party signing authority or get the certificate signed using your internal CA sign tool. 

Step 1: keytool -genkey -alias pmp -keyalg RSA -keypass Password123 -storepass Password123 -validity 365 -keysize 2048 -keystore PMP.keystore
(Should enter the hostname or alias using which you access the actual PMP web console when it asks you for first name and last name)
Step 2: keytool -certreq -keyalg RSA -alias pmp -keypass Password123 -storepass Password123 -file PMP.CSR -keystore PMP.keystore
Step 3: You will submit the CSR to a third party signing authority or get the certificate signed using you internal CA sign tool. If it is your internal CA signing tool, please follow the below mentioned steps. Before performing the below steps refer the instruction 2 below.
  • Request advanced certificate
  • Submit a certificate request
  • Copy and paste content of <csr_filename> file
  • Certificate template should be Web Server
  • Download the certificate chain in base64 format as PMPcert.p7b
Step 4: keytool -import -alias pmp -keypass Password123 -storepass Password123 -keystore PMP.keystore -trustcacerts -file PMPcert.p7b
Step 5: Copy the PMP.keystore from PMP\jre\bin  to PMP\Conf folder.
Step 6: Go to <PMP_Home>/conf folder
Step 7: Open the file server.xml
Step 8: Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one used in the previous steps
Step 9:Also search for the entry 'keystorePass' (which will infact be next to keystoreFile), which will have the default value set to "passtrix". Change the value to "<keystore_password>" where <keystore_password> is the one used in the previous steps
Step 10: Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!

2) To configure the Keystore for both host name and Alias, you can add the alias as subject alternative name. To have both Hostname and CNAME to work, you need to create a server certificate with SubjectAlternativeName. 
Please follow the steps below to create server certificate with SubjectAlternativeName using Microsoft Internal CA:
  • Connect to the server where Microsoft Certificate Service is running
  • Open a command prompt and execute certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  • Then, restart Microsoft Certificate Service(certsvc)
  • Create the private key using the below command,
keytool -genkey -alias pmp -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of days> -keystore pmp.keystore
  • Create the Certificate Signing Request(CSR) using the below command:
keytool -certreq -keyalg RSA -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore pmp.keystore
  • Submit CSR request to Microsoft Internal CA 
- Open IE and go to your CA's certificate request page
- Request advanced certificate
- Submit a certificate request
- Copy and paste content of <csr_filename> file
- Certificate template should be 
Web Server
- In "Additional Attributes", enter san:dns=passwordmanager&dns=passwordmanager.tcu.ad.local and click submit
- Download the certificate chain in 
base64 format as pmpcert.p7b
  • Import the downloaded pmpcert.p7b file into the pmp.keystore
keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore pmp.keystore -trustcacerts -file pmpcert.p7b

Step 6: Go to <PMP_Home>/conf folder
Step 7: Open the file server.xml
Step 8: Search for the entry 'keystoreFile', which will have the default value set to "conf/server.keystore". Change the value to "conf/<keystore_filename>" where <keystore_filename> is the one used in the previous steps
Step 9:Also search for the entry 'keystorePass' (which will infact be next to keystoreFile), which will have the default value set to "passtrix". Change the value to "<keystore_password>" where <keystore_password> is the one used in the previous steps
Step 10: Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP!


                  New to ADSelfService Plus?