We do not recommend using a self-signed certificate because browsers will not accept it as being from a trusted certificate authority. Thus, users who access service desk using https (SSL) will see a warning in their browser saying "The security certificate presented by this website was not issued by a trusted certificate authority.", and the user will have to click on "continue to this website (not recommended)" in order to actually get to the site. This document provides the steps to do
Please also consider SAP KBA 1648573, "How to configure SSL on Tomcat in BI 4" (1648573_E_20170817.pdf).
Implement The SSL in Tomcat for BOXI using a Self-Signed Certificate
1/ Create the .pfx file in the same way as in tecdoc TEC1659789
The steps consist of:
<<
1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
3. In the Actions column on the right, click on Create Self-Signed Certificate...
4. Enter any friendly name such as "sdmsslcert" or "sdmcert" and then click OK.
5. You will now have an IIS Self Signed Certificate valid for 1 year listed under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the Self signed certificate to the IIS site.
Next you have to export that certificate to a .pfx file. To do this, follow these steps:
1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
3. Right click on the certificate that you created (sdmsslcert or sdmcert), and select "Export"
4. In the "Export to" field, click the ellipsis and select a directory to store your certificate and a filename such as "sdmsslcert" or "sdmcert" (it will have a .pfx file extension), then create a password for that certificate (you will need this password later to configure Tomcat to access that certificate).
5. Click OK on the Export Certificate window, then use Windows Explorer to navigate to the directory where you specified to save the .pfx cert file and ensure it's there.
>>
2/ Once the .pfx file is generated, identify the server.xml in BOXI that we have to update
Modify the server.xml
<Connector SSLEnabled="true"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
keystorePass="Password1" keystoreType="PKCS12"
maxThreads="150" port="8493" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
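A check that can be run against server.xml before the restart, added here as an example (it is not part of the tecdoc or of any vendor tooling): it parses every SSL-enabled Connector and reports TLS 1.0/1.1 in sslEnabledProtocols, static-RSA (TLS_RSA_*) suites, the absence of an AEAD suite, and a clear-text keystorePass. The function names and the shortened cipher list in the embedded sample are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Connector from this page, embedded as sample input (cipher list shortened
# to three of the page's suites; path and password are the page's values).
SAMPLE_SERVER_XML = r'''<Server><Service name="Catalina">
<Connector SSLEnabled="true"
  ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
  clientAuth="false" keystoreFile="C:\keystore\sdmcert.pfx"
  keystorePass="Password1" keystoreType="PKCS12"
  maxThreads="150" port="8493" protocol="HTTP/1.1" scheme="https" secure="true"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>
</Service></Server>'''

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996


def split_csv(value):
    """Split a comma-separated attribute value, ignoring blanks."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def audit_connectors(server_xml):
    """Return (port, finding) tuples for every SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope here
        port = conn.get("port")
        for proto in split_csv(conn.get("sslEnabledProtocols")):
            if proto in DEPRECATED_PROTOCOLS:
                findings.append((port, f"deprecated protocol enabled: {proto}"))
        ciphers = split_csv(conn.get("ciphers"))
        for suite in ciphers:
            if suite.startswith("TLS_RSA_"):  # static RSA key exchange
                findings.append((port, f"no forward secrecy: {suite}"))
        if ciphers and not any("_GCM_" in s or "CHACHA20" in s for s in ciphers):
            findings.append((port, "no AEAD (GCM/ChaCha20) suite offered"))
        if conn.get("keystorePass"):
            findings.append((port, "keystorePass stored in clear text in server.xml"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Because the keystore password sits in server.xml in clear text, file permissions on server.xml and on the .pfx should be limited to the account that runs Tomcat.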
Restart Tomcat_boxi and verify boxi is in SSL mode
We have customers who, for testing purposes, run ServiceDesk and Boxi on the same server.
1/ Apply tecdoc tec1659789 for "Enable SSL in Tomcat for CA Service Desk Manager using a Self-Signed Certificate"
2/ Apply this tecdoc using the same .pfx file for boxi too