How to install an SSL certificate in ADManager Plus ?
Objective: To install SSL certificate in ADManager Plus
Solution: Steps to apply an SSL certificate in ADManager Plus
Enable SSL in the ADManager Plus client.
Create a Certificate Signing Request (CSR).
Issue the SSL certificate.
Associate the certificate with ADManager Plus.
Step 1: Enable SSL in the ADManager Plus client
Logon to ADManager Plus, navigate to the Admin tab and click the Connection section.
Check the Enable SSL option. The port number 8443 is selected automatically.
Click Save Changes and restart the product for the changes to take effect.
Step 2: Create a Certificate Signing Request (CSR)
Stop ADManager Plus
If the product runs as an application, click Start > All Programs > ADManager Plus > Stop ADManager Plus.
If the product runs as a Windows service, click Start > Run. Type services.msc and stop ManageEngine ADManager Plus.
Open command prompt and browse to the <installation_directory>\ManageEngine\ADManager Plus\jre\bin path.
Execute the following command to create a Keystore.
keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <domainName> .keystore
Replace <your key password> with a password of your choice. Replace the <domainName> with the name of your domain.
Type in your keystore password. To avoid any confusion, try giving the same password as your keypass.
You will be prompted to answer the following questions:
Sr. No. | Question | Answer |
1. | What is your first name and last name? | Enter the NetBIOS or FQDN of the server in which ADManager Plus is configured. |
2. | What is the name of your Organizational Unit? | Enter the name of the OU of your choice. |
3. | What is the name of your Organization? | Provide the legal name of your organization. |
4. | What is the name of your City or Locality? | Enter the City or Locality name as provided in your organization's registered address. |
5. | What is the name of your State or Province? | Enter the name of your State or Province as provided in your organization's registered address. |
6. | What is the two-letter country code for this unit? | Provide the two-letter code of the country your organization is located in. |
In the same path, execute the following command to create a CSR with Subject Alternative Name (SAN).
keytool -certreq -alias tomcat -keyalg RSA -ext SAN=dns:server_name,dns:server_name.domain.com,dns:server_name.domain1.com -keystore <domainName>.keystore -file <domainName>.csr
Replace the <domainName> with the name of your domain and provide the appropriate Subject Alternatives Names.
Step 3: Issue the SSL certificate
A. Issue the SSL certificate using an internal CA.
An internal CA is a member server or domain controller in a specific domain, that has been assigned the role of a CA.
Connect to the Microsoft Certificate Services of your internal CA and click on the Request a certificate link.
Click on Advanced certificate request and select the Submit a certificate by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file option.
Copy the content from your .csr file and paste it under the Saved Request field.
Select the Web Server as the Certificate Template and click Submit.
Click the Download Certificate Chain link to download the issued PKCS #7 Certificates types. The downloaded certificate will be of the p7b file format.
Copy and paste this .p7b file at the <installation_directory>\ManageEngine\ADManager Plus/ jre/bin location.
Return to the Microsoft Certificate Services and click the Home link at the top-right corner of the page.
Select the Download a CA certificate, chain certificate or CRL link to download the CA root certificate. `
Click the Download CA certificate link to download and save the root certificate that is in the .cer format.
Copy and paste the .cer file at the <installation_directory>\ManageEngine\ADManager Plus\jre\bin location.
Open command prompt, browse to the <installation_directory>\ManageEngine\ADManager Plus\ jre\bin path and execute the following query to import the internal CA certificate into the .keystore file.
Keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore <keystore_name>.keystore
Replace the <keystore_name> with the name of your keystore.
In the same path, execute the following query to add the internal CA's root certificate to the list of trusted CAs in the Java cacerts file.
keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer
Note: Open the .cer file to get the name of your internal CA. When prompted, provide changeit as the keystore password.
B. Issue the SSL certificate using external CAs.
To request a certificate from an external CA, submit the CSR to that CA.
Unzip the certificates returned by your CA and place them in the <installation_directory>/ManageEngine/ADManager Plus/jre/bin folder
Open the command prompt and navigate to the <installation_directory>/ManageEngine/ADManager Plus/jre/bin folder
Run the respective commands from the given list as applicable to your CA:
For GoDaddy certificates
keytool -import -alias root -keystore <domainname>.keystore -trustcacerts -file gdrootg2.crt
keytool -import -alias cross -keystore <domainname>.keystore -trustcacerts -file gdrootg2_cross.crt
keytool -import -alias intermed -keystore <domainname>.keystore -trustcacerts -file gdig2.crt
For further reference, please click here.
For Verisign certificates
keytool -import -alias intermediateCA -keystore <domainName>.keystore -trustcacerts -file <your intermediate certificate.cer>
keytool -import -alias tomcat -keystore <domainName>.keystore -trustcacerts file admanager.cer
For Sectigo (previously known as Comodo CA) certificates
keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore <domainName>.keystore
keytool -import -trustcacerts -alias addtrust -file UTNAddTrustServerCA.crt -keystore <domainName>.keystore
keytool -import -trustcacerts -alias ComodoUTNServer -file ComodoUTNServerCA.crt - keystore <domainName>.keystore
keytool -import -trustcacerts -alias essentialSSL -file essentialSSLCA.crt -keystore <domainName>.keystore
For further reference, please click here.
For Entrust certificates
keytool -import -alias Entrust_L1C -keystore <keystore-name.keystore> -trustcacerts file entrust_root.cer
keytool -import -alias Entrust_2048_chain -keystore <keystore-name.keystore> - trustcacerts -file entrust_2048_ssl.cer
keytool -import -alias -keystore <keystore-name.keystore> -trustcacerts -file <domain-name.cer>
For further reference, please click here.
For Thawte certificates
Purchased directly from Thawte:
keytool -import -trustcacerts -alias tomcat -file <certificate-name.p7b> -keystore <keystore-name.keystore>
Purchased through the Thawte reseller channel:
keytool -import -trustcacerts -alias thawteca -file <SSL_PrimaryCA.cer> -keystore <keystore-name.keystore>
keytool -import -trustcacerts -alias thawtecasec -file <SSL_SecondaryCA.cer> - keystore <keystore-name.keystore>
keytool -import -trustcacerts -alias tomcat -file <certificate-name.cer> -keystore <keystore-name.keystore>
Note: If you use an external CA which is not in the aforementioned list, please contact your CA for the required commands.
Step 4: Associate your SSL certificate with ADManager Plus
Copy the .keystore file from the <installation_directory>\ManageEngine\ADManager Plus\jre\bin location and paste it at the <installation_directory>\ManageEngine\ADManager Plus\conf location.
At the <installation_directory>\ManageEngine\ADManager Plus\conf location, locate the server.xml file and take a backup of that file.
Open the server.xml file using an editor and navigate to the last connector tag.
Replace the value of the keystore file with the location of your keystore ('./conf/<keystore_name>.keystore).
Replace the value of the keystorePass with the password given during keystore creation.
Save the server.xml file and start ADManager Plus
If the product runs as an application, click Start → All Programs → ADManager Plus → Start ADManager Plus.
If the product runs as a Windows service, click Start > ADManager Plus > Install ADMP Service.
Once the ADManager Plus service has started, launch the ADManager Plus client.
New to ADSelfService Plus?
Related Articles
How to integrate ADManager Plus with ServiceDesk Plus?
Objective: To integrate ADManager Plus with ServiceDesk Plus Solution: The ADManager Plus-ServiceDesk Plus integration allows administrators to perform Active Directory management operations directly from the ServiceDesk Plus console. Using the ...Generating an SSL Certificate using Internal CA
This article will list the steps you will need to follow to generate an SSL certificate using Internal CA. Log in to the product as an administrator and navigate to Admin tab > General Settings > Connection. Click the SSL Certificate Tool link in the ...How to integrate ADManager Plus with ServiceDesk Plus
The ADManager Plus-SeviceDesk Plus integration allows administrators to perform Active Directory management operations directly from the ServiceDesk Plus console. Using the ServiceDesk Plus console, administrators or help desk technicians can perform ...Does ADManager Plus support LDAP SSL
Yes, ADManager Plus supports LDAP SSL protocol. You can configure it by following these steps, Navigate to the Admin tab. Under General Settings, click Connection. Enter the Port number. Select the Enable LDAP SSL for option to use LDAPS to connect ...SSL certificate error: The certificate does not have a private key installed.
Error : SSL certificate error: The certificate does not have a private key installed. Possible Causes : 1. If the private key is missing, it could mean that the SSL certificate is not installed on the same server which generated the Certificate ...