Add a signed certificate to CA Workload Automation DE Web Client (Web UI). Using SSL connection is highly recommended when accessing the DE Web Client.
How to add a CA (Certificate Authority) signed certificate to CA WA DE Web Client?
The DE Web Client is Apache-Tomcat application. You will use the keytool utility to create keystore and then generate a certificate.
Create a keystore
Answer all the questions that follow the keytool command. You will be prompted to enter keystore password. Be sure to remember or make a note of it. If you forget the password, you will not be able to access the keystore.
./keytool -genkey -alias alias_name -keyalg RSA -keystore your_keystore -keysize 2048
Note: Change the alias_name to your hostname or something unique. Aliases within the keystore must be unique. The keystore can be located anywhere as long as it is accessible. It is recommended to put the keystore in Web Client install directory.
keytool -genkey -alias alias_name -keyalg RSA -keystore /opt/CA/WebUI/keystore -keysize 2048
keytool -genkey -alias alias_name -keyalg RSA -keystore C:\CA\Web_Client/keystore -keysize 2048
Next generate the Customer Signing Request (CSR).
keytool -certreq -alias alias_name -file request.csr -keystore your_keystore
This will generate the CSR. Submit the CSR to CA (Certificate Authority) for signing. The CA will sign the certificate and may provide root, intermediate and public certificate. They may also provide instructions on how to import them. From your CA, download the PEM encoded certificate with chain.
keytool -import -trustcacerts -alias root -file ca_root.crt -keystore your_keystore
keytool -import -trustcacerts -alias intermediate -file ca_Intermediate.crt -keystore your_keystore
keytool -import -trustcacerts -alias alias_name -file domain.com.crt -keystore your_keystore
Note: The alias_name in above command must be the same from "keytool -certreq command.
Add the CA Signed certificate to Apache-Tomcat (Web UI). Navigate to install directory and then to apache-tomcat/conf
Edit the file “server.xml”, and find this code:
<Connector port="8443" protocol="HTTP/1.1"
Under the connector port section, look for:
Change the keyAlias name to what was used when generating the certificate. The alias name must match. The path to keystore file must be correct. Provide the same password that was used when the keystore was created. Usual default password is 'changeit'.
Save the ‘server.xml’, and then restart the DE Web UI. In your browser visit
If successful, the browser address bar will display a safety lock sign.