Using private Signed SSL certificates with WCC / WebUI


Article ID: 39758



CA Workload Automation AE - Business Agents (AutoSys), CA Workload Automation AE - Scheduler (AutoSys), Workload Automation Agent


This document describes how to use private (internally signed) certificates with WCC.

Commercial Certificate Authorities (CAs) such as Verisign and Comodo no longer issue signed certificates for internal networks. A prerequisite for this procedure is therefore an internal CA that is already set up. Clients (e.g. web browsers) should have the root and any intermediate certificates imported into their certificate store.



CA Workload Control Center: all supported versions


This scenario walks you through the process of requesting and using a privately signed certificate from a trusted certificate authority.

1. Login to the WCC host as the WCC software owner (e.g. wcc)

2. Set the Java environment

    On UNIX:
    PATH=$JAVA_HOME/bin:$PATH; export PATH
    On Windows:
    set PATH=%JAVA_HOME%\bin;%PATH%

3. Change directory to the keystore location
    On UNIX:
    cd $CA_WCC_INSTALL_LOCATION/data/config

    On Windows:
    cd %CA_WCC_INSTALL_LOCATION%\data\config

4. Copy the existing .keystore file to a backup location.
    On UNIX:
    cp .keystore /var/tmp/

    On Windows:
    copy .keystore %TEMP%

5. Delete the existing key in the keystore

    keytool -delete -alias tomcat -keystore .keystore -storepass changeit

6. Create a new key:
    keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<hostname>" -ext san=dns:<hostname> -validity <days>
    <hostname> the WCC hostname
    <days> expiration period of the certificate in days (e.g. 5475 = 15 years)


NOTE: The dname must contain the fully qualified name that your users use in the WCC URL. For a CNAME in DNS, add a SAN entry, for example: -ext san=dns:<CNAME>. You can add multiple CNAME values.

Example (the double quotes around SAN are needed): 

keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname ",O=Your Company Inc,L=San Jose,S=California,C=US" -ext ",," -validity 365


7. Create the certificate signing request (CSR)
    keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr -ext san=dns:<hostname>

NOTE: When generating the CSR above, some certificate admins require you to provide additional information such as Subject Alternative Names, for example: -ext san=dns:<CNAME> for a CNAME in DNS.



  keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr -ext ",,"

8. Have the certificate request signed by your internal CA

    The internal CA will need to return the following in PEM format:
    a. root certificate
    b. any/all intermediate certificate(s)
    c. the private (signed) certificate generated from the CSR




9. Import the root certificate. Enter ‘yes’ to trust the certificate.

    keytool -importcert -alias RootCA -file <ca.cert.pem> -keystore .keystore -storepass changeit
    <ca.cert.pem> is the root certificate received from the internal CA.

10. (Optional) Import any/all intermediate certificate(s)
    keytool -importcert -alias IntermediateCA -file <intermediate.cert.pem> -keystore .keystore -storepass changeit

    <intermediate.cert.pem> is the intermediate certificate received from the internal CA.
11. Import the private (signed) certificate

    keytool -importcert -trustcacerts -file <wcc.cert.pem> -alias tomcat -keystore .keystore -storepass changeit

    <wcc.cert.pem> is the private (signed) certificate received from the internal CA.

12. Restart WCC services

    On UNIX:
    unisrvcntr restart CA-wcc-services
    On Windows:
    Restart the CA-wcc-services service from Microsoft Windows Services Console.

IMPORTANT: Ensure that the root certificate and any intermediate certificates are imported into client (e.g. web browsers) certificate stores.   
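
To confirm that steps 6 to 11 left the tomcat alias as a CA-signed key entry before restarting, the following check can be run on the output of keytool -list -v -alias tomcat -keystore .keystore -storepass changeit. It is an added example, not part of the vendor procedure; the function names, the host name wcc.example.com, the CA name and the trimmed sample outputs are constructed assumptions.

```shell
# Added example (not vendor code). Reads `keytool -list -v -alias tomcat ...`
# output on stdin and checks that the tomcat entry is CA-signed with the right SAN.
# check_tomcat_entry and the sample_* helpers are hypothetical names.
check_tomcat_entry() {   # $1 = host name users type in the WCC URL
    awk -v host="$1" '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { chain = $4 + 0 }
        /^Certificate\[/             { cert++ }
        # Owner, Issuer and SAN are taken from the first (server) certificate only.
        cert <= 1 && /^Owner:/       { owner = $0;  sub(/^Owner: */, "", owner) }
        cert <= 1 && /^Issuer:/      { issuer = $0; sub(/^Issuer: */, "", issuer) }
        cert <= 1 && $1 == "DNSName:" && $2 == host { san = 1 }
        END {
            if (type != "PrivateKeyEntry") { print "FAIL: tomcat is not a PrivateKeyEntry"; bad = 1 }
            if (chain < 2)       { print "FAIL: no CA chain attached to the key"; bad = 1 }
            if (owner == issuer) { print "FAIL: certificate is still self-signed"; bad = 1 }
            if (!san)            { print "FAIL: SAN has no DNSName " host; bad = 1 }
            if (!bad) print "OK: CA-signed chain of " chain " with SAN " host
            exit bad + 0
        }'
}

# Constructed sample: trimmed output right after step 6 (self-signed key pair).
sample_after_step6() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wcc.example.com
Issuer: CN=wcc.example.com
SubjectAlternativeName [
  DNSName: wcc.example.com
]
EOF
}

# Constructed sample: trimmed output after step 11 (root and signed cert imported).
sample_after_step11() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=wcc.example.com
Issuer: CN=Example Internal Root CA
SubjectAlternativeName [
  DNSName: wcc.example.com
]
Certificate[2]:
Owner: CN=Example Internal Root CA
Issuer: CN=Example Internal Root CA
EOF
}
sample_after_step11 | check_tomcat_entry wcc.example.com
```

A trustedCertEntry or a chain length of 1 after step 11 usually means the signed certificate was imported under an alias other than tomcat, so it was never attached to the private key generated in step 6.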

