How to install an SSL certificate in ADManager Plus ?

How to install an SSL certificate in ADManager Plus ?

Objective: To install SSL certificate in ADManager Plus

Solution: Steps to apply an SSL certificate in ADManager Plus

  1. Enable SSL in the ADManager Plus client.

  2. Create a Certificate Signing Request (CSR).

  3. Issue the SSL certificate.

  4. Associate the certificate with ADManager Plus.

  • Step 1: Enable SSL in the ADManager Plus client  

  1. Logon to ADManager Plus, navigate to the Admin tab and click the Connection section.

  2. Check the Enable SSL option. The port number 8443 is selected automatically.

  3. Click Save Changes and restart the product for the changes to take effect.

  • Step 2: Create a Certificate Signing Request (CSR)  

  1. Stop ADManager Plus

    • If the product runs as an application, click Start > All Programs > ADManager Plus > Stop ADManager Plus.

    • If the product runs as a Windows service, click Start > Run. Type services.msc and stop ManageEngine ADManager Plus.

  1. Open command prompt and browse to the <installation_directory>\ManageEngine\ADManager Plus\jre\bin path.

  2. Execute the following command to create a Keystore.

keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName> .keystore

Replace <your key password> with a password of your choice. Replace the <domainName> with the name of your domain.

  1. Type in your keystore password. To avoid any confusion, try giving the same password as your keypass.

  2. You will be prompted to answer the following questions:

Sr. No.

Question

Answer

1.

What is your first name and last name?

Enter the NetBIOS or FQDN of the server in which ADManager Plus is configured.

2.

What is the name of your Organizational Unit?

Enter the name of the OU of your choice.

3.

What is the name of your Organization?

Provide the legal name of your organization.

4.

What is the name of your City or Locality?

Enter the City or Locality name as provided in your organization's registered address.

5.

What is the name of your State or Province?

Enter the name of your State or Province as provided in your organization's registered address.

6.

What is the two-letter country code for this unit?

Provide the two-letter code of the country your organization is located in.

  1. In the same path, execute the following command to create a CSR with Subject Alternative Name (SAN).

keytool -certreq -alias tomcat -keyalg RSA -ext SAN=dns:server_name,dns:server_name.domain.com,dns:server_name.domain1.com -keystore <domainName>.keystore -file <domainName>.csr

Replace the <domainName> with the name of your domain and provide the appropriate Subject Alternatives Names.

  • Step 3: Issue the SSL certificate  

A. Issue the SSL certificate using an internal CA.

An internal CA is a member server or domain controller in a specific domain, that has been assigned the role of a CA.

  1. Connect to the Microsoft Certificate Services of your internal CA and click on the Request a certificate link.

  1. Click on Advanced certificate request and select the Submit a certificate by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file option.

  1. Copy the content from your .csr file and paste it under the Saved Request field.

  2. Select the Web Server as the Certificate Template and click Submit.

  1. Click the Download Certificate Chain link to download the issued PKCS #7 Certificates types. The downloaded certificate will be of the p7b file format.

  2. Copy and paste this .p7b file at the <installation_directory>\ManageEngine\ADManager Plus/ jre/bin location.

  3. Return to the Microsoft Certificate Services and click the Home link at the top-right corner of the page.

  4. Select the Download a CA certificate, chain certificate or CRL link to download the CA root certificate. `

  5. Click the Download CA certificate link to download and save the root certificate that is in the .cer format.

  6. Copy and paste the .cer file at the <installation_directory>\ManageEngine\ADManager Plus\jre\bin location.

  7. Open command prompt, browse to the <installation_directory>\ManageEngine\ADManager Plus\ jre\bin path and execute the following query to import the internal CA certificate into the .keystore file.

Keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore <keystore_name>.keystore

Replace the <keystore_name> with the name of your keystore.

  1. In the same path, execute the following query to add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file.

keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

Note: Open the .cer file to get the name of your internal CA. When prompted, provide changeit as the keystore password.

B. Issue the SSL certificate using external CAs.

  1. To request a certificate from an external CA, submit the CSR to that CA.

  2. Unzip the certificates returned by your CA and place them in the <installation_directory>/ManageEngine/ADManager Plus/jre/bin folder

  3. Open the command prompt and navigate to the <installation_directory>/ManageEngine/ADManager Plus/jre/bin folder

  4. Run the respective commands from the given list as applicable to your CA:

    1. For GoDaddy certificates

      1. keytool -import -alias root -keystore <domainname>.keystore -trustcacerts -file gdrootg2.crt

      2. keytool -import -alias cross -keystore <domainname>.keystore -trustcacerts -file gdrootg2_cross.crt

      3. keytool -import -alias intermed -keystore <domainname>.keystore -trustcacerts -file gdig2.crt

For further reference, please click here.

    1. For Verisign certificates

      1. keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your intermediate certificate.cer>

      2. keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts file admanager.cer

    2. For Sectigo (previously known as Comodo CA) certificates

      1. keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore

      2. keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore

      3. keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt - keystore <domainName>.keystore

      4. keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore

For further reference, please click here.

    1. For Entrust certificates

      1. keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore> -trustcacerts file entrust_root.cer

      2. keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore> - trustcacerts -file entrust_2048_ssl.cer

      3. keytool -import -alias -keystore <keystore-name.keystore> -trustcacerts -file <domain-name.cer>

For further reference, please click here. 

    1. For Thawte certificates

  • Purchased directly from Thawte:

      1. keytool -import -trustcacerts -alias tomcat -file <certificate-name.p7b> -keystore <keystore-name.keystore>

  • Purchased through the Thawte reseller channel:

      1. keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer> -keystore <keystore-name.keystore>

      2. keytool -import -trustcacerts -alias thawtecasec -file <SSL_SecondaryCA.cer> - keystore <keystore-name.keystore>

      3. keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore <keystore-name.keystore>

Note: If you use an external CA which is not in the aforementioned list, please contact your CA for the required commands.

  • Step 4: Associate your SSL certificate with ADManager Plus

  1. Copy the .keystore file from the <installation_directory>\ManageEngine\ADManager Plus\jre\bin location and paste it at the <installation_directory>\ManageEngine\ADManager Plus\conf location.

  2. At the <installation_directory>\ManageEngine\ADManager Plus\conf location, locate the server.xml file and take a backup of that file.

  3. Open the server.xml file using an editor and navigate to the last connector tag.

  4. Replace the value of the keystore file with the location of your keystore ('./conf/<keystore_name>.keystore).

  5. Replace the value of the keystorePass with the password given during keystore creation.

  6. Save the server.xml file and start ADManager Plus

    • If the product runs as an application, click Start → All Programs → ADManager Plus → Start ADManager Plus.

    • If the product runs as a Windows service, click Start > ADManager Plus > Install ADMP Service.

  1. Once the ADManager Plus service has started, launch the ADManager Plus client.

Click here to download a guide on how to install an SSL certificate in ADManager Plus. Use this video to view how an SSL certificate can be installed in ADManager Plus using an internal Certification Authority (CA).

                  New to ADSelfService Plus?

                    • Related Articles

                    • Does ADManager Plus support LDAP SSL

                      Yes, ADManager Plus supports LDAP SSL protocol. You can configure it by following these steps, Navigate to the Admin tab. Under General Settings, click Connection. Enter the Port number. Select the Enable LDAP SSL for option to use LDAPS to connect ...
                    • How to integrate ADManager Plus with ServiceDesk Plus

                      The ADManager Plus-SeviceDesk Plus integration allows administrators to perform Active Directory management operations directly from the ServiceDesk Plus console. Using the ServiceDesk Plus console, administrators or help desk technicians can perform ...
                    • How to integrate ADManager Plus with ServiceDesk Plus?

                      Objective: To integrate ADManager Plus with ServiceDesk Plus Solution: The ADManager Plus-ServiceDesk Plus integration allows administrators to perform Active Directory management operations directly from the ServiceDesk Plus console. Using the ...
                    • How to install ADManager Plus in AWS

                      Steps to install ADManager Plus in Amazon Web Services EC2 instance: Logon to your Amazon Web Services (AWS) account. Select the configured EC2 instance and click the connect button. Connect to your Windows instance using: RDP client by downloading ...
                    • How to integrate ADManager Plus with Splunk

                      This integration empowers you to forward logs from ADManager Plus to your Splunk server for detailed auditing. Steps to configure Splunk server settings in ADManager Plus : Log in to ADManager Plus and navigate to the Admin tab. Under System ...