Follow these steps:
1) Stop the Administrative UI service.
2) Open a command window and navigate to the following directory:
Windows: <AdminUI_Install_Dir>\standalone\configuration
UNIX: <AdminUI_Install_Dir>/standalone/configuration
3) Run one of the following commands to back up the existing keystore file (keyStore.jks). Keep the copy in a secure location: it contains the Administrative UI private key.
Windows: copy keyStore.jks keyStore.jks.backup
UNIX: cp keyStore.jks keyStore.jks.backup
4) Locate the keytool binary. It ships with the JRE that the Administrative UI installer bundles and with any system JDK/JRE. Default paths:
<AdminUI_Install_Dir>\adminui\install_config_info\install_config_jre\bin
JAVA_HOME\jre\bin
JAVA_HOME\bin
5) Run the following command to list the current entries in the Administrative UI keystore:
keytool -list -keystore keyStore.jks -storepass changeit -v
NOTE: "changeit" is the default keystore password. If you have changed the password during Administrative UI installation on Windows or UNIX, use that password instead of "changeit."
6) To replace the Administrative UI server self-signed certificate with a certificate that is signed by a trusted Certificate Authority (CA), perform the following steps:
a) Run the following command to delete the current self-signed certificate and key pair from the keystore:
keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v
"tomcat" is the alias for the default self-signed certificate and keypair.
b) Take a backup of the standalone-full.xml file, which is located in siteminder_installation_path\adminui\standalone\configuration.
c) Open the standalone-full.xml file in a text editor and change keystore alias="tomcat" to keystore alias="jboss_key".
d) Generate the replacement key pair under the alias jboss_key. keytool -genkeypair (-genkey is the older name for the same command) creates the private key together with a placeholder self-signed certificate; the CA-signed certificate replaces that placeholder in step h. Use a key of at least 2048 bits and give the key the same password as the keystore, because the Administrative UI opens the key with the keystore password:
keytool -genkeypair -alias jboss_key -keyalg RSA -keysize 2048 -keypass changeit -keystore keyStore.jks -storepass changeit -v
When keytool prompts for "first and last name", enter the fully qualified domain name of the Administrative UI server; keytool uses that value as the certificate CN.
e) Run the following command to generate a PKCS#10 Certificate Signing Request (CSR) file:
keytool -certreq -alias jboss_key -sigalg SHA256withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v
A CSR file named adminui_certreq.p10 is generated. Current browsers match the host name against the Subject Alternative Name (SAN) and ignore the CN; if your CA copies extensions from the request rather than adding the SAN itself, add -ext SAN=dns:AdminUI_FQDN to this command so the request carries the SAN.
f) Submit the adminui_certreq.p10 file to a trusted Certificate Authority (CA) for signing.
g) When you receive the signed certificate (adminui_cert.p7b) from the CA, copy it to siteminder_installation_path\adminui\standalone\configuration, or pass its full path to the import command (enclose a path that contains spaces in double quotes).
h) Run the following command to import the signed certificate into the jboss_key entry:
keytool -importcert -alias jboss_key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v
Notes:
- adminui_cert.p7b is the certificate reply from the CA in PKCS#7 format. A PKCS#7 reply normally contains the server certificate, the intermediate certificate (if any), and the root certificate.
- If the CA provides only the server certificate, first import the CA's root and intermediate certificates as trusted entries with keytool -importcert, each under its own alias (never under jboss_key), and then import the server certificate. keytool can then verify the chain when it installs the reply.
- This command replaces the placeholder self-signed certificate that -genkeypair created for jboss_key with the certificate issued by the CA; the private key is unchanged.
keytool asks the following question only when it cannot chain the reply to a certificate it already trusts (a trusted entry in keyStore.jks or, with -trustcacerts, an entry in the JRE cacerts file):
... is not trusted. Install reply anyway? [no]:
Answering yes installs the reply without verifying the chain. Before you do, confirm the reply's fingerprint with the CA, or answer no, import the CA certificates as described above, and repeat the import so that keytool verifies the chain.
Alternatively, to replace the Administrative UI server self-signed certificate with a custom self-signed certificate (no CA involved, so clients must still be configured to trust it explicitly), perform the following steps:
a) Run the following command to delete the current self-signed certificate and key pair from the keystore:
keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v
"tomcat" is the alias for the default self-signed certificate and keypair.
b) Take a backup of the standalone-full.xml file that is located at siteminder_installation_path\adminui\standalone\configuration.
c) Open the standalone-full.xml file in a text editor and change keystore alias="tomcat" to keystore alias="jboss_key".
d) Run the following command to generate a key pair (public and private keys) and a self-signed certificate, and store them in the Administrative UI keystore:
keytool -genkeypair -alias jboss_key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=AdminUI_FQDN" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v
Notes:
- The new key pair and self-signed certificate are stored under the alias jboss_key.
- AdminUI_FQDN is the fully qualified domain name of the Administrative UI server. Add -ext SAN=dns:AdminUI_FQDN if your clients match the host name against the Subject Alternative Name rather than the CN (current browsers do).
- Use a key size of at least 2048 bits. 1024-bit RSA keys are rejected by current browsers and by the Java certificate path validator.
- -validity is in days; 7300 is 20 years. Shorten it if your policy limits certificate lifetimes.
- The -keypass and -storepass values (both "changeit" here) must be the same as the keystore password. "changeit" is the default keystore password. If you have changed the password during Administrative UI installation on Windows or UNIX, use that password instead of "changeit" in both cases.
A key pair and a self-signed certificate are generated and stored in the keystore.
7) Start the Administrative UI service and verify that the new certificate is in effect, for example by opening the Administrative UI in a browser and inspecting the certificate that is served. If the new certificate is not in effect, look in <AdminUI_Install_Dir>/standalone/log/server.log for possible errors; a mismatch between the alias in standalone-full.xml and the alias in keyStore.jks, or a key password that differs from the keystore password, are the usual causes.
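The following script rehearses steps 3 to 7 of the CA-signed procedure end to end against a scratch keystore, so the sequence (delete the tomcat entry, switch the alias in the configuration, generate jboss_key, produce the CSR, import the issuing CA before the reply, verify the result) can be checked before the production keyStore.jks is touched. It is an added example and is not part of the Broadcom page. It assumes a JDK keytool on PATH and uses keytool -gencert with a locally generated CA as a stand-in for the real CA; the FQDN, the passwords, the alias names rehearsalca and placeholder, and the standalone-full.xml fragment (only the keystore alias="tomcat" attribute is taken from the page) are constructed for the example.

```shell
#!/bin/sh
# Rehearsal of the Administrative UI certificate replacement against a scratch
# keystore. Added example, not from the Broadcom page. Assumptions: a JDK
# keytool on PATH, the FQDN below, and a throwaway local CA (keytool -gencert)
# in place of the real CA that signs adminui_certreq.p10.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KS="$WORK/keyStore.jks"                 # scratch copy of the Admin UI keystore
CFG="$WORK/standalone-full.xml"         # scratch stand-in for standalone-full.xml
CA_KS="$WORK/rehearsal-ca.jks"          # stand-in CA keystore (assumption)
STOREPASS="${STOREPASS:-changeit}"      # "changeit" is the default keystore password
FQDN="${FQDN:-adminui.example.com}"     # assumed Administrative UI FQDN

# Reproduce the shipped state: one private key entry under alias "tomcat" and a
# config fragment that references it (constructed; only the attribute is real).
seed_shipped_state() {
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -dname "CN=$FQDN" \
    -validity 365 -keystore "$KS" -storetype JKS -storepass "$STOREPASS" -keypass "$STOREPASS"
  printf '<!-- constructed fragment -->\n<placeholder keystore alias="tomcat"/>\n' > "$CFG"
}

# Steps 3 and 6b: back up the keystore and the configuration before changing either.
back_up() {
  cp "$KS" "$KS.backup"
  cp "$CFG" "$CFG.backup"
}

# Step 6c: point the configuration at the new alias (write a new file; portable sed).
switch_config_alias() {
  sed 's/keystore alias="tomcat"/keystore alias="jboss_key"/' "$CFG.backup" > "$CFG"
}

# Steps 6a, 6d, 6e: remove the shipped entry, generate the 2048-bit replacement
# key pair with the key password equal to the store password, and write the CSR.
# The SAN is requested explicitly because browsers match on it, not on the CN.
request_csr() {
  keytool -delete -alias tomcat -keystore "$KS" -storepass "$STOREPASS"
  keytool -genkeypair -alias jboss_key -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=$FQDN" -ext "SAN=dns:$FQDN" -validity 365 \
    -keystore "$KS" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias jboss_key -sigalg SHA256withRSA -ext "SAN=dns:$FQDN" \
    -file "$WORK/adminui_certreq.p10" -keystore "$KS" -storepass "$STOREPASS"
}

# Step 6f stand-in: a local CA signs the CSR. With a real CA you submit the .p10
# file and receive adminui_cert.p7b (or a PEM/DER certificate plus chain) instead.
sign_with_rehearsal_ca() {
  keytool -genkeypair -alias rehearsalca -keyalg RSA -keysize 2048 -dname "CN=Rehearsal CA" \
    -ext "BC=ca:true" -validity 3650 -keystore "$CA_KS" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -gencert -alias rehearsalca -infile "$WORK/adminui_certreq.p10" \
    -outfile "$WORK/adminui_cert.cer" -ext "SAN=dns:$FQDN" -validity 365 \
    -keystore "$CA_KS" -storepass "$STOREPASS"
  keytool -exportcert -alias rehearsalca -file "$WORK/rehearsalca.cer" \
    -keystore "$CA_KS" -storepass "$STOREPASS"
}

# Steps 6g/6h: import the issuing CA under its own alias first, so the reply
# chains to a trusted entry and keytool never asks "Install reply anyway?".
import_reply() {
  keytool -importcert -alias rehearsalca -file "$WORK/rehearsalca.cer" -noprompt \
    -keystore "$KS" -storepass "$STOREPASS"
  keytool -importcert -alias jboss_key -file "$WORK/adminui_cert.cer" \
    -keystore "$KS" -storepass "$STOREPASS"
}

# Step 7 pre-flight: the alias the configuration references must exist as a private
# key entry with a two-certificate chain and a 2048-bit key, and "tomcat" must be gone.
verify_rotation() {
  listing=$(keytool -list -v -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null)
  grep -q 'keystore alias="jboss_key"' "$CFG" || return 1
  echo "$listing" | grep -q '^Alias name: tomcat$' && return 1
  echo "$listing" | grep -q '^Alias name: jboss_key$' || return 1
  echo "$listing" | grep -q '^Certificate chain length: 2$' || return 1
  echo "$listing" | grep -q '2048-bit RSA key' || return 1
  echo "$listing" | grep -q '^Issuer: CN=Rehearsal CA$' || return 1
  return 0
}

rehearse() {
  seed_shipped_state
  back_up
  switch_config_alias
  request_csr
  sign_with_rehearsal_ca
  import_reply
  verify_rotation && echo "rehearsal OK: $KS serves jboss_key issued by the rehearsal CA"
}

# Run only where keytool is available; the functions can also be called one at a time.
if command -v keytool >/dev/null 2>&1; then rehearse; fi
```

Run it on the Administrative UI host with the bundled keytool on PATH, overriding FQDN and STOREPASS as needed; JDK 9 and later print a warning about the proprietary JKS format on every command, which is harmless here. Once the rehearsal passes, the same commands apply to the real keyStore.jks, with the rehearsal CA replaced by the CA reply you received: import the CA's root and intermediate certificates under their own aliases before importing adminui_cert.p7b under jboss_key.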
------ Document reference:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-the-administrative-ui/optional-obtain-and-import-a-trusted-certificate-into-the-administrative-ui.html