SSL Installation

SSL Installation

Do you have a Wildcard or a Multi-domain certificate already running in your other servers and want to reinstall in on ServiceDesk Plus server ?, then click here to find how to export SSL certificate using MMC. 


Do you already have a .PFX certificate handy?, then click here for install instructions.  




This article is for installing SSL certificate in ServiceDesk Plus by creating a Keystore using bundled Java Keytool.



ServiceDesk Plus can run as a HTTPS service. But it requires a SSL (Secure Socket Layer) Certificate signed by a valid Certificate Authority (CA).
By default, on first time startup, it creates a self-signed certificate. This self-signed certificate will not be trusted by the user browsers. Thus, while connecting to ServiceDesk Plus, you need to manually verify the certificate information and the hostname of ServiceDesk Plus server carefully and should force the browser to accept the certificate. 
To make ServiceDesk Plus server identify itself correctly to the web browser and the user, you need to obtain a new signed certificate from a CA for the ServiceDesk Plus host.







You can use keytool (bundled with Java) to create your certificates, get them signed by a CA and use them with ServiceDesk Plus. 

The steps involved in configuring ServiceDesk Plus to use the SSL are as given below.








Step 1: Create a Keystore file
Step 2: Create .CSR (Certificate Signing Request) file
Step 3: Install your SSL Certificate
Step 4: Configuring the server 







NOTE: In all the images, replace the highlighted text with the alias name you want to use for the ServiceDesk Plus





Step 1: Create a Keystore file



Before requesting for a certificate from a CA, you need to create tomcat specific ".keystore" file and ".csr" file. 
The .keystore file and .csr file will include information provided by the individual who creates the .keystore and .csr files. 
To create the .keystore file follow the below steps,
Open the Command Prompt From the location [SDP-Home] \ jre \ bin execute the command





If your vendor requires a CSR of size 2048 please use the command given below.


  1. keytool -genkey -alias <your_alias_name> or [Domain Name] -keyalg RSA -keysize 2048 -keystore sdp.keystore 










  1. You will then be prompted to choose a password for your keystore.
    NOTE: Please note that the Password should not contain $ symbol.
  2. When it asks for first and last name, this is NOT your first and last name, but rather it is your Fully Qualified Domain Name for the site you are securing.  








  1. If you are ordering a Wildcard Certificate this must begin with the * character.






  1. On entering the required information, confirm that the information is correct by entering 'y' or 'yes' when prompted. (img5.jpg)
  2. At the end of executing the above command, you will be prompted to enter keystore password. Try giving the password same as your key password. Make sure to remember the password you choose.









  1. Your keystore file named sdp.keystore is now created in your current working directory.

NOTE: We request you to make a backup copy of the sdp.keystore file before installing the Certs. This backed up keystore can be used if the certificate installation goes wrong or when you renew your certificates the next year.







Step 2: Creating .CSR (Certificate Signing Request) file



The .CSR (Certificate Signing Request) file is temporary and should be submitted to a CA to receive CA-Signed Certificate files. 
Please follow the steps given below to create the CSR file.
  1. Open the Command Prompt
  2. From the location <installation directory> \ jre \ bin execute the below command.


  3. keytool -certreq -alias <your_alias_name> -file key.csr -keystore sdp.keystore 


  4. In the above command <your_alias_name> is the alias name provided when creating the keystore, key.csr is the name of the CSR file that will be created after the command is executed.









Step 3: Install your SSL Certificate




Download the Certificate files received from the CA via e-mail to the directory where your keystore (sdp.keystore) was saved during the CSR creation process. The certificates must be installed to this exact keystore. If you try to install it to a different keystore it will not work. 
The certificates you had downloaded must be installed to your keystore in the correct order for your certificate to be trusted. If the certificates are not installed in the correct order, then the certificate will not authenticate properly. To find the correct order, double click on the domain certificate and then go to 'Certification Path'.  







These certificates are usually in the format .cer or .crt. If your certificate is with the extension .p7b please follow the instructions given in Installing a .P7b Certificate to export the certs to a .cer or .crt format.
Looking at the above certification path we can infer that we need to import two other certificates before the domain certificate. First is the Root, next the Intermediate and finally the Domain Certificate. Some CAs may also use another certificate called Cross Intermediate. These certificates can be downloaded from the Vendor's website.

Installing the Root Certificate file 
Each time you install a certificate to your keystore you will be prompted for the keystore password, which you chose while generating your CSR. Type the following command to install the Root certificate file: 



keytool -import -trustcacerts -alias root -file <File_Name>.crt -keystore sdp.keystore 




NOTE: Choose 'Yes' if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias <Alias Name> Do you still want to add it to your own keystore? [no]:" 


You will get a confirmation stating that the "Certificate was added to keystore". 









Install the Intermediate Certificates and Cross Intermediate Certificates (if any). 


Follow the instructions provided by the CA. 


keytool -import -trustcacerts –alias intermediate -file <File_Name>.crt -keystore sdp.keystore 


keytool -import -trustcacerts –alias cross -file <File_Name>.crt -keystore sdp.keystore 



You will get a confirmation stating that the "Certificate was added to keystore".









Install the Primary or the Domain Certificate file 



Type the following command to install the Primary certificate file: 


keytool -import -trustcacerts -alias <your_alias_name or [Domain Name]> -file your_domain_name.crt -keystore sdp.keystore 


Please note that <your_alias_name or [Domain Name]> should be replaced with the alias name provided when creating the keystore (as discussed in Step 1). This time you will get a different confirmation stating that the "Certificate reply was installed in keystore"








If you want to trust the certificate, then choose y or yes. Your Certificates are now installed to your keystore file (sdp.keystore). 






Step 4: Configuring the Server


  1. Copy the sdp.keystore file from



For environments running version 9.4 and above can copy this file from directory  [SDP-Home]\jre\bin to [SDP-Home]\conf


For environments running version 9.3 and below can copy this file from directory [SDP-Home]\jre\bin to [SDP-Home]\server\default\conf





  1. From the command prompt, execute changeWebServerPort.bat script to change the connection mode to HTTPS. 



  1. Cmd> [SDP-Home]\bin> changeWebServerPort.bat <WEBSERVER_PORT> https










  1. Finally, update the name of the keystore and the password, you gave in Step 1, while generating sdp.keystore in the file server.xml present under




For environments running version 9.4 (Tomcat version 7) can find this file under directory

[SDP-Home]\conf




For environments running version 9.2 and 9.3 (Tomcat version 7) can find this file under directory

[SDP-Home]\server\default\deploy\jbossweb-tomcat70.sar




For environments running version 9.1 and below (Tomcat version 5) can find this file under directory

[SDP-Home]\server\default\deploy\jbossweb-tomcat50.sar 












Restart the service ManageEngine ServiceDesk Plus for the changes to take effect.

























                  New to ADSelfService Plus?

                    • Related Articles

                    • How do I install SSL certificate for ServiceDeskPlus-MSP?

                      Introduction ServiceDesk Plus - MSP can run as a HTTPS service. But it requires a SSL (Secure Socket Layer) Certificate signed by a valid Certificate Authority (CA). By default, on a first-time start-up, it creates a self-signed certificate. This ...
                    • How to install SSL certificate in AssetExplorer

                      SSL Installation Do you have a Wildcard or a Multi-domain certificate already running in your other servers and want to reinstall in on AssetExplorer server ?, then click here to find how to export SSL certificate using MMC.  Do you already have a ...
                    • How to install SSL certificate of .PFX format for 9.4 builds

                      Installing .PFX Certificate   .PFX is an extension for security certificate. It defines a file format that stores private keys (generated by your server at the time the CSR was generated) and public key certificate (your SSL Certificate provided by ...
                    • How to install .pfx certificate manually in ServiceDesk Plus MSP version 10.5 and above

                      The below steps are applicable for version 10.5 and above. For .pfx certificate installation in version 9427 and below, follow the steps here. NOTE: Please take a server snapshot before following the steps given below A PKCS12 (.pfx) certificate ...
                    • Step-by-step: SSL Installation

                      In ServiceDesk Plus, we use a keystore file to store the private key and this keystore file will be used by the web server to secure the connections. Below are the steps that needs to be followed to generate a keystore file and install the ...