How can I generate and import certificates into AppManager?

How can I generate and import certificates into AppManager?

From v14260 : Option to create Certificate Signing Request (CSR) and import SSL certificate to Applications Manager are introduced in UI. Please refer Manage Certificates for detailed steps.

Steps for Applications Manager below v14260 : 

1. Open the command prompt using 'Run as administrator' option and navigate to the AppManager installation directory.
2. Generating keystore file:
      Note: You need to replace AppManager_Home with actual directory path where AppManager is installed.
      a) Take backup of the appmanager.keystore file located under AppManager_Home\working\apache\tomcat\ and the server.xml file located  under AppManager_Home\working\apache\tomcat\conf.
      b) Execute the following command and provide requested details to create appmanager.keystore file under same folder.
            AppManager_Home\working\jre\bin>keytool.exe -v -genkey -keyalg RSA -keystore              AppManager_Home\working\apache\tomcat\appmanager.keystore -alias appmanager -ext san=dns:<fqdn>
             (Press Enter)
            Note :  Replace <fqdn> with the fully qualified domain name for which the certificate is being issued.
            Enter keystore password:(Enter a password, of at least 6 characters length, for the keystore. Ex: appmanager. Press Enter)
            What is your first and last name?
            [Unknown]: (Enter the Server's name in which AppManager is running. It must be a FQDN [Fully Qualified Domain Name] Ex.:    Press Enter.)
            What is the name of your organizational unit?
            [Unknown]: (Name of your Organizational Unit. Ex: SYSADMIN. Press Enter.)
            What is the name of your organization?
            [Unknown]: (Your Organization Name. Ex:Zoho Corp. Press Enter.)
            What is the name of your City or Locality?
            [Unknown]: (Your city name. Ex:Pleasanton. Press Enter.)
            What is the name of your State or Province?
            [Unknown]: (Your state name. Ex:California. Press Enter.)
            What is the two-letter country code for this unit?
            [Unknown]: (Your country's two letter code. Ex:US. Press Enter.)
            Is, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton,
            ST=California, C=US correct?
            [no]: (Check the details and if it is correct type yes and press enter. If else just press Enter to
            Generating 1,024 bit RSA key pair and self-signed certificate (MD5WithRSA)
            for, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton,
            ST=California, C=US
            Enter key password for <appmanager>
            (RETURN if same as keystore password): (Just press enter. For tomcat both keystore
            password and key [alias] password must be the same)
            [Storing AppManager_Home\working\apache\tomcat\appmanager.keystore]
3. Generating CSR File (Certificate Signing Request):
      Execute the following commands to create the  appmanager.csr file under conf folder.
      AppManager_Home\working\jre\bin>keytool.exe -v -certreq -file AppManager_Home\working\apache\tomcat\conf\appmanager.csr -keystore       AppManager_Home\working\apache\tomcat\appmanager.keystore -alias appmanager  -ext san=dns:<fqdn>

      Note : Replace <fqdn> with the fully qualified domain name for which the certificate is being issued.
      Enter keystore password: (Enter the password for the keystore file)
      Certification request stored in file <AppManager_Home\working\apache\tomcat\appmanager.csr>
      Submit this to your CA
4. Getting certificates from CA (Certification Authority):
      Contact a CA like Verisign, Equifax, with the CSR file generated in the previous step to get the SSL certificate. Mostly you have to copy and paste the content of the CSR file in a text area in their website. In general, after verifying your request, the CA will send the certificate content via mail. Copy and paste the content in a text editor and save it as "ServerCert.cer" under AppManager_Home\working\apache\tomcat\ folder.
      While performing the copy-paste, ensure that no extra spaces are added at the end of lines.
5. Importing root and intermediate certificates:
      Before importing our certificate, we have to import the CA's root and intermediate certificates into the keystore file we generated in Step 2. While mailing you the certificate, CA's will also mention the link to their root and intermediate certificates. Save them under conf directory using the names "CARoot.cer" and "CAIntermediate.cer" respectively. Some CAs may have two or more intermediate certificates. Refer their document before importing.
To import root certificate:
      AppManager_Home\working\jre\bin>keytool.exe -import -trustcacerts -file AppManager_Home\working\apache\tomcat\conf\CARoot.cer -keystore
      AppManager_Home\working\apache\tomcat\appmanager.keystore -alias CARootCert
      Enter keystore password: (Enter the keystore password)
      (Root Certificate's information will be printed)
      Trust this certificate? [no]: (type yes and press enter if it is the certificate of your CA)
      Certificate was added to keystore
To import Intermediate certificate:
      AppManager_Home\working\jre\bin>keytool.exe -import -trustcacerts -file AppManager_Home\working\apache\tomcat\conf\CAIntermediate.cer -keystore AppManager_Home\working\apache\tomcat\appmanager.keystore -alias CAInterCert
      Enter keystore password: (Enter the keystore password)
      Certificate was added to keystore
6. Importing Server's Certificate:
      Execute the following command to add the certificate received from CA to the keystore file.
      AppManager_Home\working\jre\bin>keytool.exe -import -trustcacerts -file ..working\apache\tomcat\ServerCert.cer -keystore
      AppManager_Home\working\apache\tomcat\appmanager.keystore -alias appmanager
      Enter keystore password: (Enter the keystore password)
      Certificate reply was installed in keystore
7. Configuring Tomcat:
      If your keystore file name is same as default one (appmanager.keystore) and password is appmanager, you can go to next step.
      If your keystore file name is different, then mention that filename with absolute path instead of "KEYSTORE_FILE" in AppManager_Home\working\apache\tomcat\conf\backup\server.xml file. Change the value for keystorePass and truststorePass with your keystore file password, instead of the default placeholder "appmanager".
8. Restart AppManager server.


  • Backup the server.xml file and 'appmanager.keystore' files before making changes and restart Applications Manager after making the changes.
  • If you are using Microsoft CA  , ensure that you do the certificate request using base64 encoded PKCS #10 file or a base64 encoded PKCS #7 file.
  • If you are using a .pfx or .p12 file as your keystore then you have to add keystoreType="PKCS12" truststoreType="PKCS12"additionally in the server.xml file mentioned above
  • If you are using 2048 bit private key in the new SSL certificate , then additionally download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle website and copy them in AppManager installation. 
  • Use the same keystore file & password in both Admin server and the Managed servers. (Ignore this step if you use Professional edition, it's for Enterprise edition)


      New to ADManager Plus?

        New to ADSelfService Plus?