Managing SSL Certificates

From AgileApps Support Wiki

Obtaining an SSL Certificate

The platform provides a default self-signed certificate which is used by the Application Server.

To obtain and install your own SSL certificate, make a request to a Certificate Authority (CA). An SSL certificate authenticates a website to a web browser as part of a security protocol for secure data exchange.

The CA will accept your Certificate Signing Request and generate a certificate which identifies your website as a secured website.

To create a Certificate Signing Request (CSR)

1. Create a keystore and a private key:
cd {install-dir}/profiles/IS_default/configuration/tomcat/conf/RN

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore {keystore_filename}
2. Create a CSR from the keystore:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore {keystore_filename}
3. Submit the resulting file, certreq.csr, to the CA to obtain a certificate.
(When the certificate arrives, you are ready for the next set of steps.)

To Install the Certificate Obtained from the CA

Once you have obtained a certificate, you need to import it into the keystore.

But first, in addition to your certificate, the CA might provide a Chain/Root Certificate, which must also be imported. If you have received a chain certificate from the CA, then:

1. Copy the contents of the chain certificate into a file called chain
2. Import the chain certificate into your keystore:
keytool -import -alias root -keystore {keystore_filename} -trustcacerts -file chain

When the chain certificate (if any) has been imported, you are ready for the final step:

3. Import the certificate received from the CA:
keytool -import -alias tomcat -keystore {keystore_filename} -trustcacerts -file {certificate_filename}
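
A check to run after step 3, added here as an example and not part of the original wiki page: it reads `keytool -list -v` output for the tomcat alias and reports whether the entry still holds the self-signed certificate from key generation or lacks the chain. The function names check_entry and sample_entry and the sample distinguished names are constructed for illustration, and English-locale keytool output is assumed.

```shell
# Added example, not from the wiki. Real use (prompts for the store password):
#   keytool -list -v -keystore {keystore_filename} -alias tomcat | check_entry
# Exit: 0 ok, 1 no private key entry, 2 still self-signed, 3 short chain.
check_entry() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 }
        # The first Owner/Issuer pair is the leaf (server) certificate.
        /^Owner: /  && owner == ""   { owner = substr($0, 8) }
        /^Issuer: / && issuer == ""  { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry") {
                print "FAIL: no PrivateKeyEntry (found: " (type == "" ? "none" : type) ")"; exit 1
            }
            if (owner == issuer) {
                print "FAIL: still self-signed; CA reply not imported under this alias"; exit 2
            }
            if (len + 0 < 2) {
                print "WARN: chain length " len "; chain certificate missing from entry"; exit 3
            }
            print "OK: " owner " <- " issuer " (chain length " len ")"
        }'
}

# Constructed keytool-style output (not from a real keystore).
# $1 = issuer DN of the leaf certificate, $2 = chain length.
sample_entry() {
    cat <<EOF
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: $2
Certificate[1]:
Owner: CN=apps.example.test
Issuer: $1
EOF
}

# State right after key generation, then state after a successful import.
sample_entry "CN=apps.example.test" 1 | check_entry || echo "exit status $?"
sample_entry "CN=Example Test CA" 2 | check_entry
```
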

Note: If you already have an SSL certificate and private key, follow the steps below:

1. Convert the private key and certificate to PKCS#12 format using OpenSSL. Assuming you have the private key file in .key format (private.key) and the certificate file in .crt format (VMNX-AALIND22.crt), use the following command:
openssl pkcs12 -export -inkey <private.key> -in <certificate.crt> -out <keystore.p12> -name <alias>

The default alias is set to 1.

2. Replace <alias> with the desired alias for the key entry.
3. Import the PKCS#12 file into the Java keystore using the keytool command:
keytool -importkeystore -srckeystore <keystore.p12> -srcstoretype PKCS12 -destkeystore <keystore.jks> -destalias <alias>
4. Replace <alias> with the alias used in the previous step.

5. Enter the appropriate passwords when prompted, including the source keystore password for the PKCS#12 file and the destination keystore password for the Java keystore.

6. Once you have successfully completed these steps, the certificate and private key should be imported into the Java keystore with the specified alias.

To update a Customer SSL Certificate in AgileApps

1. Stop the Application server.
2. Update the keystoreFile and keystorePass values in the “com.softwareag.catalina.connector.https.pid-agileappsHttps-8284.properties” file, available under the {install-dir}/profiles/IS_default/configuration/com.softwareag.platform.config.propsloader folder.

Note: The keystorePass value that you provide in plain text is encrypted automatically when you restart the AgileApps application server.

3. After updating the properties, place the certificate in the {install-dir}/profiles/IS_default/configuration/tomcat/conf folder.
4. Restart the memcached server and start the AgileApps application server.

