Tech Tip – How to obtain and import a Trusted Certificate for CA SSO Administrative UI

openssl certificate

This scenario helps the CA Single Sign-On security Administrator to replace Administrative UI server’s default self-signed certificate with a certificate signed by a trusted Certificate Authority (CA). A trusted certificate ensures a secure connection to the Administrative UI .

  • Product: CA Single Sign-On Administrative UI
  • Release: 12.52SP2 and above
  • OS: All supported operating systems

1.  Stop Administrative UI service.

2.  Backup existing Key Store

CA Single Sign-On Administrative UI stores it’s certificate in keyStore.jks file located at $AdminUI_Install_Directory$\standalone\configuration folder.

Before proceeding with replacing the self-signed certificate with the trusted certificate, backup this keyStore.jks file.

3.  List current entries from the keystore

Start a command prompt as Administrator and go to following folder:


Then, execute following command to list current entries from the keystore


keytool -list -keystore keyStore.jks -storepass changeit -v



  • The default keystore password is “changeit”
  • The alias for the default self-signed certificate and keypair is “tomcat”

keytool_listcerts iamtechtips

4.  Delete current self-signed certificate and key pair from the keystore

Run the following command to delete the current self-signed certificate and keypair


keytool -delete -alias tomcat -keystore keyStore.jks -storepass changeit -v



5.  Generate a Key Pair and a Self-Signed Certificate

Generate a key pair (public and private keys) and a self-signed certificate and store in the CA Single Sign-On Administrative UI keystore using the following keytool command.


keytool -genkeypair -alias JBoss_Key -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -dname "" -keypass changeit -validity 7300 -keystore keyStore.jks -storepass changeit -v



  • We changed the alias for the new self-signed certificate to “JBoss_Key”.
  • Keypass (-keypass) must be same as the key store (-storepass) password
  • Ensure that hostname (-dname) matches the FQDN of your Administrative UI server

generate_keypair_certs iamtechtips


A key pair and a self-signed certificate are generated and stored in the keystore.

6.  Go to $AdminUI_Install_Directory$\standalone\configuration and edit standalone-full.xml



<keystore <strong>alias="tomcat"</strong> key-password="changeit" keystore-password="changeit" path="keyStore.jks" relative-to="jboss.server.config.dir"/>




<keystore <strong>alias="jboss_key"</strong> key-password="changeit" keystore-password="changeit" path="keyStore.jks" relative-to="jboss.server.config.dir"/>


7.  Start the SiteMinder Administrative UI service and verify if the new self-signed certificate is into effect.

Now, if you want to replace the self-signed certificate just created with the trusted certificate signed by Certificate Authority then proceed with the below steps.

8.  Stop Administrative UI.

9.  Generate and Submit a Certificate Signing Request to a Certificate Authority

Generate a PKCS#10 Certificate Signing Request file using the following keytool command and submit to a trusted CA. CA uses the CSR file to generate a signed certificate identifying your server as secure.


keytool -certreq -alias JBoss_Key -sigalg SHA1withRSA -file adminui_certreq.p10 -keystore keyStore.jks -storepass changeit -v


A CSR file “adminui_certreq.p10” is generated.

10. Submit the “adminui_certreq.p10” CSR file to a trusted CA for signing.

11. When you receive the signed certificate from CA, run the following command to import it.


keytool -importcert -alias JBoss_Key -file adminui_cert.p7b -keystore keyStore.jks -storepass changeit -v



  • adminui_cert.p7b is the signed certificate request from CA in PKCS#7 format. PKCS#7 format contains the server certificates, intermediate certificate (if any) and root certificates.
  • If only server certificate is provided, then you might need to separately import the intermediate and root certificate as well.
  • This overwrites the previously created self-signed certificate with the certificate provided by the CA.

12. Start Administrative UI service and verify if the new trusted certificate is into effect.


Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest

Leave a Reply

Your email address will not be published.