Enable SSL with keysize 2048 .pfx certificate in Catalog (alt method)
search cancel

Enable SSL with keysize 2048 .pfx certificate in Catalog (alt method)


Article ID: 17215


Updated On:


CA Service Catalog


With the availability of Service Management r17.1+, the way SSL certificate are imported and configured on Service Catalog changed, compared to how it was configured on r14.1.

How to enable SSL on Service Catalog r17.1+ using .pfx certificate (alternative option)?


CA Service Management 17.1 and higher


1.- Generate self-singed certificate using java key tool:

a. Open command prompt
b. Go to location where we have keytool.exe 
c. Run the below command:

keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity <days> -keysize 2048

Note:  The above command utilises a key size of 2048 when earlier documentation applies keysize of 1024

d. Where <days> indicate the number of days for which the certificate will be valid.
e. Enter a password for the keystore. Note this password as you require this for configuring the server.
f. When prompted for first name and last name, enter the domain name of the server
example: cat-nightly-3-2
g. Enter the other details, such as Organizational Unit, Organization, City, State, and Country.
h. Confirm that the information entered is correct.
i. When prompted with Enter key password for <tomcat>, press Enter to use the same password as the keystore password.
j. Run the below command to verify the contents of the keystore:

keytool -list -v -keystore selfsigned.jks

2.- Since the above is a self-singed certificate, we need to add any other additional CA certificate to it:

a. Open internet explorer->options->content->certificates->select the certificate you use for this server & export it into the same location where we have self-singed keystore
b. Import that to keystore with the below command:
keytool -import -noprompt -alias <alias_name> -file verison.cer -keystore selfsigned.jks -storepass <password>

NOTE: This needs first to import the .PFX certificate into Service Catalog machine (double click in .pfx file) and then export it using IE.

3.- Configure your SSL connector:

a. In server.xml file change the values of KeystoreFile, keyAlias, keystorePass accordingly.
b. Add below two commands to the Viewservice.conf:



wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:\Program Files\CA\Service Catalog\selfsigned.jks"

4. Import PFX certificate into JKS file previously created:

a. Backup original .jks file, import the .pfx (example: ca_certificate.pfx) on this .jks, which was set on variable "-Djavax.net.ssl.trustStore=".
b. Command to import it:

keytool -v -importkeystore -srckeystore ca_certificate.pfx -srcstoretype PKCS12 -destkeystore selfsigned.jks -deststoretype JKS

NOTE: "ca_certificate.pfx" is the CA provided certificate and "selfsigned.jks" is the one created in the previous steps.

5. Configure the new value into server.xml as well.

Save the changes, restart Service Catalog service and test HTTPS URL using desired port.