Did you know - How to apply self-signed SSL certificate?

Self-signed(Internal CA) SSL certificate for ADSelfService Plus can be applied in five steps. They are:

Step 1: Enable SSL in ADSelfService Plus

Log in to ADSelfService Plus with admin credentials.
Navigate to Admin tab -> Product Settings -> Connection.[Refer image]
Select Enable SSL Port [HTTPS] checkbox.
Click Save and restart ADSelfService Plus.
Note: The default port for https connection in our application is 9251.

Step 2: Generate CSR file

Start ADSelfService Plus and log in as admin.
Again, navigate to Admin -> Product Settings -> Connection.
Click SSL Certification Tool button.
In the SSL Tool & Guide page that opens up, enter all the mandatory fields.[Refer image]
Provide a value for the validity of the certificate in days(optional).
Update the value for Public Key Length as 2048 bits(recommended).
Click Generate CSR.
Two files namely SelfService.csr and SelfService.keystore will be created.
Note: The two files will be created at different locations.

- SelfService.csr at <installation directory>Webapps\adssp \Certficates\SelfService.csr

- SelfService.keystore at <installation directory>JRE\Bin

Step 3: Submit CSR to your certificate authority

Log in to Microsoft Certificate Services (https:\\server-name\cersrv).
Click Request a Certificate -> Advanced Certificate Request.[Refer image]
Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Paste the contents of your SelfService.csr file in the Saved Request field.[Refer image]
Note: It's always recommended to open the CSR file from its native location using a text editor rather than opening from the browser. Also, when you copy the contents of SelfService.csr file, please ensure that no additional space from the end of the file is also copied along with it.
Set the certificate template as Web Server and click Submit.
In the Certificate Issued page that appears, select DER encoded.[Refer image]

- Click Download certificate to download the certificate in CER file format.

- Click Download certificate chain to download the certificates in a P7B file format,

Place the certificate files at <Install Directory>\jre\bin.
Note: Convert your certificate from CER to P7B format. Follow the steps given here.

Step 4: Import the CA-signed Internal certificates to the keystore

Open an elevated command prompt and navigate to <Install Directory>\jre\bin.
Back up the SelfService.keystore file.
Execute the following command to import the internal certificate to keystore file:

Keytool -import -alias tomcat -trustcacerts -file certnew.p7b -keystore selfservice.keystore

Execute the following command to add your internal CA's root file to the list of trusted CAs in the Java cacerts file:

keytool -import -alias -keystore ..\lib\security\cacerts -file certnew.cer

Note: Use "changeit" as the password when you install the Chain Certificate.

Step 5: Bind the certificate with ADSelfService Plus

Copy the SelfService.Keystore file to: <Install Directory>\conf.
Back up the server.xml and web.xml files.
Edit the server.xml file (at <Install Directory>\conf) by replacing the values of the following SSL connector tags:

-"keystoreFile" with "./conf/SelfService.keystore".

-"keystorePass" with the password you entered while generating CSR.

Eg: <Connector SSLEnabled="true" acceptcount="100" clientauth="false" connectiontimeout="20000" debug="0" disableuploadtimeout="true" enablelookups="false" keystorefile="./conf/selfservice.keystore" keystorepass="keystore_password" maxsparethreads="75" maxthreads="150" minsparethreads="25" name="SSL" port="9251" scheme="https" secure="true" sslprotocol="TLS" sslprotocols="TLSv1,TLSv1.1,TLSv1.2"><connector>