How to install self-signed certificates?

How to install self-signed certificates?

Summary

This article will guide you through the process of applying a self-signed (Internal CA) SSL certificate in ADSelfService Plus.

Configuration steps

Step 1: Enable HTTPS in ADSelfService Plus

enable-https-in-adselfservice-plus

  1. Log in to ADSelfService Plus with admin credentials.
  2. Navigate to Admin → Product Settings → Connection.
  3. Check the Enable SSL Port [https] box
  4. Click Save.

Step 2: Generate CSR

Note: If you already have an SSL certificate, skip to Step 4.
      1. Click the SSL Certification Tool button.
How to install existing PFX Certificate
      2. Click Generate Certificate and fill in all the necessary fields. Refer to the table below:
       
Common nameThe name of the server in which ADSelfService Plus is running.
SAN NameThe names of the additional hosts (sites, IP addresses, etc.) to be protected by the SSL certificate.
Organizational UnitThe department name that you want to appear in the certificate.
OrganizationThe legal name of your organization.
CityThe city name as provided in your organization’s registered address.
State/ProvinceThe state/province as provided in your organization’s registered address.
Country CodeThe two-letter code of the country in which your organization is located.
PasswordA password must be at least six characters. The more complex the password, the better the security.
Validity (In days)The number of days the certificate should be valid. If no value is provided, it will be set to 90 days.
Public Key Length (In bits)The public key length. The larger the size, the stronger the key. The default size is 1024 bits and can be incremented only in multiples of 64.

How to install existing PFX Certificate      3. Once you’ve entered all the details, click the Generate CSR button.

Step 3: Submit the generated CSR file to your Certification Authority

  1. When you click the Generate CSR button, two files—SelfService.csr and SelfService.keystore—will be generated.
  2. You can locate the SelfService.csr file in <Installation_directory>\webapps\adssp\certificates folder and the SelfService.keystore file in <Installation_directory>\jre\bin folder.
  3. Submit the SelfService.csr file to your Certification Authority (CA).
  4. Log in to Microsoft Certificate Services (https:\\server-name\certsrv).
  5. Click Request a Certificate → Advanced Certificate Request.
      6. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
      7. Paste the contents of your SelfService.csr file in the Saved Request field.
      8. It's always recommended to open the CSR file from its native location using a text editor rather than opening from the browser.
      9. When you copy the contents of SelfService.csr file, please ensure that no additional space from the end of the file is also copied along with it.
    10. Set the certificate template as Web Server and click Submit.
    11. In the Certificate Issued page that appears, select DER encoded. 
    1. Click Download certificate to download the certificate in CER file format.
    2. Click Download certificate chain to download the certificates in a P7B file format.
      12. Place the certificate files at <Installation_directory>\jre\bin.
Note: Convert your certificate from CER to P7B format. Follow the steps given here.

Step 4: Import the CA signed Internal certificates to the keystore

      1. Open an elevated command prompt and navigate to <Install Directory>\jre\bin.
      2. Back up the SelfService.keystore file.
      3. Execute the following command to import the internal certificate to keystore file :
                  Keytool -import -alias tomcat -trustcacerts -file certnew.p7b -keystore selfservice.keystore
      4. Execute the following command to add your internal CA's root file to the list of trusted CAs in the Java cacerts file:
            keytool -import -alias tomcat -keystore ..\lib\security\cacerts -file certnew.cer
Note: Use "changeit" as the password when you install the Chain Certificate.

Step 5: Bind the certificate with ADSelfService Plus

  1. Copy the SelfService.Keystore file to <Install Directory>\conf.
  2. Back up the server.xml and web.xml files.
  3. Edit the server.xml file (at <Install Directory>\conf) by replacing the values of the following SSL connector tags :
    1. "keystoreFile" with "./conf/SelfService.keystore".
    2. "keystorePass" with the password you entered while generating CSR.
Example: <Connector SSLEnabled="true" acceptcount="100" clientauth="false" connectiontimeout="20000" debug="0" disableuploadtimeout="true" enablelookups="false" keystorefile="./conf/selfservice.keystore" keystorepass="keystore_password" maxsparethreads="75" maxthreads="150" minsparethreads="25" name="SSL" port="9251" scheme="https" secure="true" sslprotocol="TLS" sslprotocols="TLSv1,TLSv1.1,TLSv1.2"> <connector>
      4. Restart ADSelfService Plus and check if the certificates are installed correctly.

                New to ADManager Plus?

                  New to ADSelfService Plus?

                    • Related Articles

                    • How to install P7B certificate in ADSelfService Plus?

                      Summary This article will guide you through the process of applying a single-domain certificate (CER, CRT, P7B, etc.) in ADSelfService Plus. Configuration steps Step 1: Enable HTTPS in ADSelfService Plus Log in to ADSelfService Plus with admin ...
                    • How to install existing PFX Certificate?

                      Summary This article will guide you through the process of applying a multi-domain or wildcard certificate (PFX) in ADSelfService Plus. Configuration steps Step 1: Enable HTTPS in ADSelfService Plus Log in to ADSelfService Plus with admin ...
                    • How to enable offline MFA in ADSelfService Plus

                      ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is ...
                    • How to migrate the ADSelfService Plus installation from one machine to another

                      Description This article will guide you through the process for migrating the ADSelfService Plus installation from one machine to another. Important: Before you start the migration process, please update your ADSelfService Plus installation to the ...
                    • Bind ADSelfService Plus to run on a specific virtual IP address

                      Description You can configure ADSelfService Plus to run on specific IP address. Resolution Step 1: Create a virtual IP Address on the machine where ADSelfService Plus is running. Start → Settings → Control Panel → Open Network connection. Right click ...