Apply Certificate for Office365 Mailboxes that use OAuth for Authorization

Users can configure O365 in both the incoming and outgoing mail settings in SDP. For SDP to connect to the mail server over TLS, the certificate chain that the server presents must be trusted by SDP's keystore (the JRE truststore).
This document is for environments in which an internal CA certificate is presented for the O365 OAuth authorization URL (for example: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize). This is typically the case when an SSL/TLS inspection proxy sits between the application server and Microsoft and re-signs the connection with the organization's own CA. To check this, refer to the screenshots below: if the root certificate shown for the authorization URL is not "DigiCert Global Root CA", an internal CA certificate is being applied and this document applies to your environment. Without importing that internal CA certificate, the OAuth configuration will fail in SSL-inspection-enabled environments, because the JRE does not trust the proxy's CA and the TLS handshake is rejected.

Check the root certificate:

1. Open the authorization URL in a new tab in a browser on the application server (do the check from the same network path SDP uses, since an inspection proxy may apply only to some clients or segments).
2. Click on the lock symbol in the URL bar.
3. Navigate through the dropdown to view the certificate details (refer to the screenshots below).
4. Check the root certificate name. If it is different from "DigiCert Global Root CA", then this article applies to you.

(Chrome browsers - the top-most entry in the certificate hierarchy is the root certificate)

(Firefox browsers - the right-most tab in the certificate viewer is the root certificate)

Procedure to apply the certificate:

There are two methods to apply the certificate.

Method 1:
Note: This method will not work if a proxy configuration is required to connect to the authorization URL from the application server (follow "Method 2" in that case).

1. Log in to the application server and navigate to the "ServiceDesk" folder (installation directory).
2. Download the certificate generation zip file from here - https://help.servicedeskplus.com/configurations/general/generate-self-signed-certificate.html There are separate links for Linux and Windows.
3. Unzip it and copy "gencert.sh" (or "gencert.bat" on Windows) to the "ServiceDesk" folder. Copy "lib/cert.jar" to the "ServiceDesk/lib/" folder.
4. Open a command prompt and navigate to the "ServiceDesk" folder.
5. Execute the command:
    gencert.bat login.microsoftonline.com:443 (for Windows)
    sh gencert.sh login.microsoftonline.com:443 (for Linux)
6. Once connected to the Microsoft URL, the certificates in the presented chain will be listed as shown below:

7. Enter the number of the last certificate (the last one is the root certificate; it is "2" in the above image) and press "Enter". Before trusting it, confirm that the subject shown is your organization's root CA and not an unexpected issuer. If the proxy does not send its root in the chain, the last entry listed is only an intermediate; in that case obtain the root CA certificate from your internal PKI and use Method 2.
8. The root certificate will be downloaded and added to the "jssecacerts" file in the "ServiceDesk" folder.
9. Back up any existing "jssecacerts" in "ServiceDesk/jre/lib/security", copy the new "jssecacerts" file into that folder, and restart the application service once.
10. The internal CA certificate for the authorization URL is now loaded in the keystore. Try configuring OAuth now.

Method 2:
1. Open the authorization URL (for example: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize) in a new tab in a browser on the application server.
2. Export the root certificate from the browser.

   Follow the steps below to export the certificate in Google Chrome:
     a. Click on the lock symbol in the URL bar.
     b. Navigate through the dropdown to view the certificate (refer to the screenshots below).
     c. In the certificate window, select the "Root" certificate, which is first (top-most) in the certificate hierarchy.
     d. Click on "Export Certificate" to download the selected certificate.

   Follow the steps below to export the certificate in Mozilla Firefox:
     a. Click on the padlock symbol >> Connection >> More Information >> Security >> View Certificate.
     b. In the certificate window, select the right-most tab (the root certificate), scroll down to the "Miscellaneous" area and download "PEM (cert)" (the single certificate, not "PEM (chain)").



3. Copy the certificate to the folder <server_home>\jre\lib\security\.
4. In a command prompt / terminal, go to the <server_home>\jre\bin folder. If there is no "jssecacerts" file in <server_home>\jre\lib\security, copy the "cacerts" file in that folder and rename the copy to "jssecacerts" (the JRE consults jssecacerts in preference to cacerts, so starting from a copy keeps the existing public roots). Then execute:
    keytool -import -alias outlook.com-1 -keystore ..\lib\security\jssecacerts -file <full_path_to_the_downloaded_certificate>

5. If the "outlook.com-1" alias is already present, change the alias name to "outlook.com-2" and so on (an alias only has to be unique within the keystore).

6. Provide the password "changeit" when prompted (the default password of the JRE's cacerts, which the copy inherits).

7. If the certificate is valid, keytool prints its subject, issuer and fingerprints and asks "Trust this certificate?". Verify that the subject is your organization's root CA and that the fingerprint matches the one your PKI or proxy team publishes, then type 'yes' and press Enter.

8. The certificate is added to the keystore.

9. Restart the application service once and check whether you are able to connect to the mail server.


If the problem is not resolved even after following the above steps, execute the command
      keytool -list -v -keystore ../lib/security/jssecacerts > cert.txt
This generates a text file named cert.txt listing every certificate in the keystore. Collect this file together with the certificate chains exported while accessing the authorization URL and the token URL in a browser on the server machine, then recreate the issue with email debug enabled and collect the logs.
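The check-and-import sequence described above (root check, Method 2 import, verification with keytool -list), written out as an added example that is not part of this article or of the ServiceDesk Plus product. It parses an `openssl s_client -showcerts` transcript to decide whether the chain for login.microsoftonline.com ends at a DigiCert root or at an internal CA, extracts the last certificate from the PEM chain, and wraps the keytool import into jssecacerts. It generalizes the article's check slightly by matching the DigiCert organization rather than only the exact name "DigiCert Global Root CA", so any DigiCert root counts as the public chain. The two sample transcripts are constructed (the certificate bodies are placeholders, "Example Corp" is fictional), the server_home argument, the /tmp path and the function names are assumptions, and the `outlook.com-1` alias is the one the article uses. The live part needs network access and keytool, so it runs only when a server home is passed as the first argument; everything else runs offline.

```shell
#!/bin/sh
# Added example, not part of the ServiceDesk Plus article or product.
# Detects TLS inspection of login.microsoftonline.com and, if present, imports the
# presented root CA into <server_home>/jre/lib/security/jssecacerts with keytool.
set -eu

AUTH_HOST="login.microsoftonline.com"
PUBLIC_ROOT_ORG="O = DigiCert Inc"   # organization of Microsoft's public roots, e.g. "DigiCert Global Root CA"

# Issuer named by the last certificate in an `openssl s_client -showcerts` transcript.
# Each "N s:<subject>" line is followed by "   i:<issuer>"; for the last certificate that
# line names the root even when the proxy does not send the root certificate itself.
root_issuer_of_chain() {
    printf '%s\n' "$1" | awk '/^ *i:/ { sub(/^ *i:/, ""); last = $0 } END { print last }'
}

# Exit 0 (true) when the chain terminates at an internal CA instead of a DigiCert root,
# i.e. an SSL-inspection proxy is re-signing the Microsoft endpoint.
chain_is_inspected() {
    case "$(root_issuer_of_chain "$1")" in
        *"$PUBLIC_ROOT_ORG"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Last PEM block in the chain: the root when the proxy sends it, otherwise its top intermediate.
last_pem_cert() {
    printf '%s\n' "$1" | awk '
        /-----BEGIN CERTIFICATE-----/ { buf = ""; in_cert = 1 }
        in_cert { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/ { in_cert = 0; last = buf }
        END { printf "%s", last }'
}

# Method 2 of the article: create jssecacerts from cacerts if absent, back it up, import the
# PEM file and list the new entry. keytool prints subject and fingerprints and prompts before
# trusting; compare them with what your PKI or proxy team publishes before answering yes.
import_root_ca() {
    server_home="$1"; pem_file="$2"; alias="$3"
    sec_dir="$server_home/jre/lib/security"
    [ -f "$sec_dir/jssecacerts" ] || cp "$sec_dir/cacerts" "$sec_dir/jssecacerts"
    cp "$sec_dir/jssecacerts" "$sec_dir/jssecacerts.bak.$(date +%Y%m%d%H%M%S)"
    "$server_home/jre/bin/keytool" -importcert -trustcacerts -alias "$alias" \
        -keystore "$sec_dir/jssecacerts" -storepass changeit -file "$pem_file"
    "$server_home/jre/bin/keytool" -list -keystore "$sec_dir/jssecacerts" -storepass changeit -alias "$alias"
}

# Live run against Microsoft. When the server reaches the internet only through an HTTP
# proxy (the case the article's Method 1 cannot handle), add `-proxy proxyhost:port` to
# the s_client command (OpenSSL 1.1.0 or later).
live_check() {
    server_home="$1"
    chain=$(openssl s_client -connect "$AUTH_HOST:443" -servername "$AUTH_HOST" -showcerts </dev/null 2>/dev/null)
    if chain_is_inspected "$chain"; then
        echo "Inspected: chain ends at '$(root_issuer_of_chain "$chain")'; importing top of chain"
        last_pem_cert "$chain" > /tmp/o365-proxy-root.pem
        import_root_ca "$server_home" /tmp/o365-proxy-root.pem "outlook.com-1"
        echo "Restart the application service, then retry the OAuth configuration."
    else
        echo "Public chain ($(root_issuer_of_chain "$chain")); nothing to import."
    fi
}

# Constructed sample transcripts (placeholder bodies, not real certificates): one public
# chain and one re-signed by a fictional internal CA whose root is sent in the chain.
SAMPLE_PUBLIC_CHAIN='Certificate chain
 0 s:CN = login.microsoftonline.com
   i:C = US, O = DigiCert Inc, CN = Example DigiCert Issuing CA
-----BEGIN CERTIFICATE-----
LEAF-BODY-CONSTRUCTED
-----END CERTIFICATE-----
 1 s:C = US, O = DigiCert Inc, CN = Example DigiCert Issuing CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-BODY-CONSTRUCTED
-----END CERTIFICATE-----
---'

SAMPLE_INSPECTED_CHAIN='Certificate chain
 0 s:CN = login.microsoftonline.com
   i:DC = example, DC = corp, CN = Example Corp Issuing CA 1
-----BEGIN CERTIFICATE-----
PROXY-LEAF-CONSTRUCTED
-----END CERTIFICATE-----
 1 s:DC = example, DC = corp, CN = Example Corp Issuing CA 1
   i:DC = example, DC = corp, CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
PROXY-INTERMEDIATE-CONSTRUCTED
-----END CERTIFICATE-----
 2 s:DC = example, DC = corp, CN = Example Corp Root CA
   i:DC = example, DC = corp, CN = Example Corp Root CA
-----BEGIN CERTIFICATE-----
PROXY-ROOT-CONSTRUCTED
-----END CERTIFICATE-----
---'

if [ $# -gt 0 ]; then
    live_check "$1"    # e.g. sh check_o365_ca.sh /opt/ManageEngine/ServiceDesk
fi
```

On Windows the same keytool commands apply with <server_home>\jre\bin\keytool.exe and backslash paths; the parsing functions only need a POSIX shell and awk. Note that the script imports whatever sits at the top of the presented chain: if that is an intermediate rather than the proxy's root, keytool will still accept it, but the import is only as durable as that intermediate, so prefer the root certificate from your internal PKI when the proxy does not send it.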


