Create SSL certificate for Web UI
search cancel

Create SSL certificate for Web UI


Article ID: 15487


Updated On:


DSERIES- SERVER CA Workload Automation DE - System Agent (dSeries)


Add a signed certificate to CA Workload Automation DE Web Client (Web UI).  Using SSL connection is highly recommended when accessing the DE Web Client.

How to add a CA (Certificate Authority) signed certificate to CA WA DE Web Client?


CA Workload Automation DE R12 SP2 or above CA Workload Automation DE Web Client R12 or above


The DE Web Client is Apache-Tomcat application.  You will use the keytool utility to create keystore and then generate a certificate.  

Create a keystore

Answer all the questions that follow the keytool command.  You will be prompted to enter keystore password.  Be sure to remember or make a note of it.  If you forget the password, you will not be able to access the keystore.

cd <de_web_ui_dir>/jre/bin
./keytool -genkey -alias alias_name -keyalg RSA -keystore your_keystore -keysize 2048

Note: Change the alias_name to your hostname or something unique.  Aliases within the keystore must be unique.  The keystore can be located anywhere as long as it is accessible.  It is recommended to put the keystore in Web Client install directory.  


keytool -genkey -alias alias_name -keyalg RSA -keystore /opt/CA/WebUI/keystore -keysize 2048

keytool -genkey -alias alias_name -keyalg RSA -keystore C:\CA\Web_Client/keystore -keysize 2048


Next generate the Customer Signing Request (CSR).

keytool -certreq -alias alias_name -file request.csr  -keystore your_keystore

This will generate the CSR.  Submit the CSR to CA (Certificate Authority) for signing.  The CA will sign the certificate and may provide root, intermediate and public certificate.  They may also provide instructions on how to import them.  From your CA, download the PEM encoded certificate with chain.


keytool -import -trustcacerts -alias root -file ca_root.crt -keystore your_keystore
keytool -import -trustcacerts -alias intermediate -file ca_Intermediate.crt -keystore your_keystore
keytool -import -trustcacerts -alias alias_name -file -keystore your_keystore

Note:  The alias_name in above command must be the same from "keytool -certreq command.


Add the CA Signed certificate to Apache-Tomcat (Web UI).  Navigate to install directory and then to apache-tomcat/conf

cd <DE_WebUI_dir>/apache-tomcat/conf


Edit the file “server.xml”,  and find this code:

<Connector port="8443" protocol="HTTP/1.1"

Under the connector port section, look for:





Change the keyAlias name to what was used when generating the certificate.  The alias name must match.  The path to keystore file must be correct.  Provide the same password that was used when the keystore was created.  Usual default password is 'changeit'.

Save the ‘server.xml’, and then restart the DE Web UI.  In your browser visit


If successful, the browser address bar will display a safety lock sign.