Creating Certificates for JCP with Keystore Explorer for AWA v21


Article ID: 235797


Updated On:


CA Automic Workload Automation - Automation Engine, CA Automic One Automation, CA Automic Operations Manager


How to create a new keystore for Automic on the Windows server using Keystore Explorer? 


Release : 12.x and 21.x



The steps needed to create the keystore, generate certificate requests and import certificates are easier to understand in a GUI tool like Keystore Explorer.

The following is an example of performing all these steps with Keystore Explorer.

When downloading Keystore Explorer for Windows, make sure to select the installer that does not have the embedded Java, because the version of the embedded Java is not compatible with Automic Automation.

  1. Create a new keystore with format PKCS #12.
  2. Right-click – Generate Key Pair – leave Algorithm at the default, RSA – Key size 2048.
  3. Leave the rest of the parameters at their defaults. Increase the validity if you are signing with an internal CA or public CA; otherwise the certificate will be valid for 1 year.
  4. As Subject, add the CN, which is the hostname of your server.
  5. Click Add Extensions, then Use Standard Template, and select SSL Server.
  6. Double-click Subject Alternative Names to edit it and add ALL the other AE servers that you would require for your AE Server (1, 2, 4 depending on your configuration), and add the FQDN (fully qualified domain name) of all the servers and any DNS alias that you may use to access it.
  7. Click OK and set the alias to jetty to match what JCP expects by default, and assign a password (changeit is the default password JCP uses).
  8. Now we are ready to generate a CSR (certificate signing request): right-click this alias and click Generate CSR.
  9. Depending on the internal or public CA certificate tool, contact your security team to sign this CSR and export the certificate in a supported format, including the whole trust chain and the immediate CA root certificate necessary.
  10. Import jetty.crt (or the certificate reply from your CA tool) by right-clicking your key pair – Import CA Reply.
  11. If an intermediate or root certificate is necessary to validate this certificate, import it as well with right-click – Import Trusted Certificate (in my case, it's automicCA.crt).
  12. Now you have all that you need in your keystore, so JCP can point to the keystore created with Keystore Explorer. See here what ucsrv.ini would look like in my case, with the default password and the alias being jetty. Once done, start JCP.

; keystorePassword: Password of the keystore File
; keyPassword: Password for the Keys protection
; keyAlias: The name which the key is identified with.

  13. Import the CA root certificate into the cacerts of the Java being used by AWI/TLS Gateway (import the self-signed certificate in the case of self-signed certificates). Place this certificate into the trustedCertFolder. In Keystore Explorer, choose Examine – Examine SSL and enter the JCP hostname and port 8443. After clicking OK, pick the one above (the CA Root) and click Import to add it to cacerts.
  14. Connect AWI to your JCP over SSL.

Additional Information

It is recommended to set the ucsrv.ini hostname parameter to the FQDN of the server. Ensure the same FQDN is part of the generated certificate.

For example:
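One way to confirm this before connecting AWI, as an added example that is not part of the original article or of Automic: the script lists every name clients will use (the ucsrv.ini hostname, the other AE servers, DNS aliases) that the certificate's Subject Alternative Names do not cover, and reports the days left before expiry. The function names, the `example.com` hosts and the sample certificate are constructed for illustration; port 8443 is the JCP port used above.

```python
import socket
import ssl
import time


def fetch_cert(host, port=8443, cafile=None):
    """Connect to the JCP and return its validated certificate as a dict.
    cafile: PEM file holding the CA root that signed the JCP certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _matches(san, name):
    """Match one SAN DNS entry; '*' may stand only for the whole left-most label."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san.startswith("*."):
        return "." in name and name.split(".", 1)[1] == san[2:]
    return san == name


def uncovered_names(cert, names):
    """Return the names (ucsrv.ini hostname, other AE servers, DNS aliases)
    that no SAN DNS entry covers. Only the SAN is consulted, not the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n for n in names if not any(_matches(s, n) for s in sans)]


def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


# Constructed sample in the format ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "ae01.example.com"),),),
    "subjectAltName": (("DNS", "ae01.example.com"), ("DNS", "ae02.example.com"),
                       ("DNS", "automic.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    # Replace SAMPLE_CERT with fetch_cert("<jcp-fqdn>", 8443, "<ca-root.pem>") on a live system.
    wanted = ["ae01.example.com", "AE02.example.com", "ae01", "automic-dr.example.com"]
    print("not covered by SAN:", uncovered_names(SAMPLE_CERT, wanted))
    print("days until expiry:", days_left(SAMPLE_CERT))
```

A short hostname such as `ae01` is reported as uncovered unless it is itself listed in the SAN, which is why the FQDN should be used consistently in ucsrv.ini and in the AWI connection.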