Using a Third party SSL cert in Opmanager 12000 and 12200

Using a Third party SSL cert in Opmanager 12000 and 12200

1 - Open a command prompt (Run-> cmd) and change directory to %opmanager%\jre\bin

2 - Generate a Keystore file. Execute the following command and provide requested details to create OpManager.truststore file under %opmanager%\conf folder.
keytool.exe -v -genkey -keyalg RSA -keystore c:\ManageEngine\Opmanager\conf\OpManager.truststore -alias opmanager  -keysize 2048         
 
Enter keystore password:(Enter a password for this keystore. atleast 6 characters long. Press Enter)
What is your first and last name?
[Unknown]: (Enter the Server's name in which OpManager is running. It must be a FQDN [Fully Qualified Domain Name] Ex.: opmserver.manageengine.com. Press Enter.)
What is the name of your organizational unit?
[Unknown]: (Name of your Organization Unit. Ex: SYSADMIN. Press Enter.)
What is the name of your organization?
[Unknown]: (Your Organization Name. Ex:Zoho Corp. Press Enter.)
What is the name of your City or Locality?
[Unknown]: (Your city name. Ex:Pleasanton. Press Enter.)
What is the name of your State or Province?
[Unknown]: (Your state name. Ex:California. Press Enter.)
What is the two-letter country code for this unit?
[Unknown]: (Your country's two letter code. Ex:US. Press Enter.)
Is CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US correct?
[no]: (Check the details and if it is correct type yes and press enter. If else just press Enter to modify)
Generating 2048 bit RSA key pair and self-signed certificate (MD5WithRSA) for CN=opmserver.manageengine.com, OU=SYSADMIN, O=Zoho Corp, L=Pleasanton, ST=California, C=US
Enter key password for <opmanager>
(RETURN if same as keystore password): (Just press enter. For tomcat both keystore password and key [alias] password must be the same)
[Storing confOpManager.truststore]

OpManager.truststore file will be generated under \OpManager\conf folder.

3 - Generating CSR File (Certificate Signing Request). Execute the following commands to create opmssl.csr file under conf folder:
keytool.exe -v -certreq -file c:\ManageEngine\Opmanager\conf\opmssl.csr -keystore c:\ManageEngine\Opmanager\conf\OpManager.truststore -alias opmanager
    Enter keystore password: (Enter the password for the keystore file)
    Certification request stored in file <confopmssl.csr>
    Submit this to your CA

4 - Get certificates from CA (Certification Authority):
    Contact a CA like Verisign, Equifax, with the csr file generated in the previous step to get ssl certificate. Mostly you have to copy and paste the content of the csr file in a text area of their website. After verifying your request, mostly they will sent you the certificate content through mail. Copy and paste the content in a text editor and save it as "ServerCert.cer" under OpManager_Homeconf folder. Be cautious that while doing copy-paste, no extra space added at the end of lines.

5 - Import root and intermediate certificates:
    Before importing our certificate, we have to import the CA's root and intermediate certificates into the keystore file we generated at the second step. While mailing you the certificate, CA's will mention the link to their root and intermediate certificates. Save them under conf directory in the name "CARoot.cer" and "CAIntermediate.cer" respectively. Some CAs may have two or more intermediate certificates. Refer their document clearly before importing.

6 - To import root certificate:
keytool.exe -import -trustcacerts -file c:\ManageEngine\Opmanager\conf\CARoot.cer -keystore c:\ManageEngine\Opmanager\conf\OpManager.truststore -alias CARootCert
    Enter keystore password: (Enter the keystore password)
    (Root Certificate's information will be printed)
    Trust this certificate? [no]: (type yes and press enter if it is the certificate of your CA)
    Certificate was added to keystore

7 - To import intermediate certificate:
keytool.exe -import -trustcacerts -file c:\ManageEngine\Opmanager\conf\CAIntermediate.cer -keystore c:\ManageEngine\Opmanager\conf\OpManager.truststore -alias CAInterCert
    Enter keystore password: (Enter the keystore password)
    Certificate was added to keystore
    
8 - Import Server's Certificate. Execute the following command to add the certificate received from CA to the keystore file:
keytool.exe -import -trustcacerts -file c:\ManageEngine\Opmanager\conf\ServerCert.cer -keystore c:\ManageEngine\Opmanager\conf\OpManager.truststore
    Enter keystore password: (Enter the keystore password)
    Certificate reply was installed in keystore

9 - Now edit ssl_server.xml from \opmanager\server_xml_bkp\ folder, and set the values for below attributes.
Search the term "connector port" and replace the values for the attributes highlighted in red.
Connector port="WEBSERVER_PORT" address="SERVER_HOST"  keystoreFile="./conf/OpManager.truststore" keystorePass="provide the password you used to create the truststore in the steps above"
Save the file in the name server.xml and place it in \OpManager\conf\ folder

10 - Edit the OpManagerStartUp.properties file under \OpManager\conf\OpManager folder.  Set the value of the parameter "https" as "Enable" and save it.

11 - Start OpManager service and check.

                  New to ADSelfService Plus?