How to install your own SSL certificate in GEM?


Article ID: 167947


Updated On:




Procedure to import SSL certificate with private key in the GEM web server.Greenlight Element Manager (GEM) is a web application that is accessible through a secure HTTPS connection. GEM web server comes with a pre-installed self-signed SSL certificate. If you access GEM, your browser will report that this certificate is not trusted.


To avoid the warning, you can replace the default GEM certificate with your own certificate signed by a certification authority trusted in your environment.


1. Export your certificate together with private key in PKCS12 format and copy the file to the chassis. This export file must be protected by a password. The export password is the private key password.   

2. Stop GEM web server on the chassis:

CBS# configure no web-server 

3. Make a backup copy of the original keystore on XOS: 

CBS# unix su 
$ mv /etc/tomcat5/keystore /etc/tomcat5/keystore.orig

4. Create a new keystore file by importing your PKCS12 file copied to chassis in the first step: 

$ keytool -importkeystore -srcstoretype PKCS12 -srckeystore <pkcs12-file> -destkeystore /etc/tomcat5/keystore  

The keytool command will not work if the PKCS12 file was created without password.

The destination keystore password must be the same as the private key password. The expected default password for the keystore is "changeit". If you use another private key password, use the same password for the keystore and change accordingly the keypass option in the file server.xml (located in the directory /etc/tomcat5): 

... keypass="changeit" ... 

5. Set unix file permissions of the new keystore file:

$ chown tomcat:cbcli /etc/tomcat5/keystore
$ chmod 750 /etc/tomcat5/keystore

6. Start GEM web server:

CBS# configure web-server 

Now you can test SSL access to GEM and verify if no errors appear in the log file /var/log/tomcat5/catalina.out.