How do I install a new SSL certificate on the IntelligenceCenter server?
search cancel

How do I install a new SSL certificate on the IntelligenceCenter server?


Article ID: 166141


Updated On:




IntelligenceCenter ships with a default keystore that contains a self-signed certificate. This keystore - named server.keystore - is located in the \jboss-4.0.3\server\management_application\conf directory in the IC installation location (C:\Packeteer\IntelligenceCenter by default). However, in order to fully support the SSL protocol, you must purchase a certificate from a trusted third-party Certificate Authority (CA) and install it on the IC server. You can either replace the keys contained in the existing keystore or you can replace the existing keystore with a new one. Note that if you replace the keystore, the new keystore you create must also be named server.keystore in order for it to work with IC.

There are many different ways to generate and install keys and certificates. The following procedure describes one way to do it. The examples in this procedure assume that you installed IC in the default location. If you installed IC in a different location, adjust the commands accordingly. Additionally, the default server.keystore uses the password management_application. If you do not want to use this password, you can replace it with a different one in the commands.


To replace the default keystore:

  1. Go to the website of the CA from which you are purchasing your certificate. Locate the CA root certificate and copy and paste it into a file.
  2. To create a new keystore and store the root certificate file you just saved, go to the Windows command prompt and enter the following command (replacing root_certificate_filename with the actual name of the certificate file):

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -import -alias rootcert
    -storepass management_application -keystore server.keystore -keypass management_application -file <root_certificate_filename>
  3. Generate your public/private key pair. When generating your key pair, you must provide parameters that create the distinguished name (DN) of the IC server. These parameters include the URL of the IC server, the department name where it is located and the name and location of the organization to which it belongs. To create the key pair, enter the following command (replacing the variables with your own values):

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass management_application -keypass management_application -dname”CN=, OU=, O=, L=, ST=, C=”

    For example, to create a key pair for an IC server with IP address in the IT department of Acme corporation located in Cupertino, California, you would enter the following command:

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -genkey -alias serverkeys -keyalg RSA -keystore server.keystore -storepass management_application -keypass management_application -dname”CN=, OU=IT_Department, O=Acme Corporation, L=Cupertino, ST=CA, C=US”
  4. Create the certificate signing request (CSR). This is the file that you will submit to the CA in order to purchase your certificate. To create a CSR named request.csr, enter the following command:

    C:\Packeteer\IntelligenceCenter\jre\bin\keytool -certreq -alias serverkeys -file request.csr -keystore server.keystore -storepass management_application
  5. Submit the .csr file you just created to the CA. The procedure for submitting the CSR depends on which CA you are using. After the CA processes the CSR, the organization will usually email your certificate to you. The certificate will look something like this:

    -----END CERTIFICATE-----
  6. Copy the certificate text into a file and save it with the extension .pem.
  7. Convert the PEM file — named ICcert.pem in this example — to the DER format required format required for Java implementations using an SSL conversion tool. For example, using the openSSL utility you would enter the following command:
    C:\openssl\bin\openssl x509 -in C:\ICcert.pem -out C:\ICcert.der -outform DER
  8. Import the certificate into your keystore using the following command:
    C:\BlueCoat\IntelligenceCenter\jre\bin\keytool -import -alias serverkeys -file
    ICcert.der -keypass management_application -keystore server.keystore -storepass
  9. Replace the default server.keystore with your new server.keystore by copying the file to the following
    C:\BlueCoat\IntelligenceCenter\apache-tomcat-6.0.18\webapps\ROOT\conf \server.keystore