Using existing ssl certificate with ServiceDesk

Hi all,

I have been having a lot of trouble trying to get SSL to work with ServiceDesk Plus and have eventually found a solution that I thought might be helpful to others.

The information contained within this post draws on information provided by multiple sources including the FAQ from ManageEngine and external sites such as http://www.startux.de/index.php/java/44-dealing-with-java-keystoresyvComment44 by Stefan Reimer.

The source of my particular problem is that I need to use a wildcard SSL certificate that was generated using AutoCSR. All of the guides I have found from ManageEngine assume you want keytool to generate the CSR for you. This in turn leads to errors on importing your own certificate due to mismatches between the public and private keys.

So here's what I did.

Shut down ServiceDesk Plus if it is running.

Step 1: Get your Certificate and Private Key

I started off with my certificate and private key from GlobalSign as standard text files. They were just pasted into Notepad and saved as cert.pem and key.pem respectively.

Step 2: Install OpenSSL

Download and install openssl from

http://gnuwin32.sourceforge.net/packages/openssl.htm

Step 3: Convert Keys

Open a command prompt

cd \Program Files\GNUWIN32\Bin

To make things easier I also placed cert.pem and key.pem in this same directory so I didn't have to mess around with paths when running openssl.

Run the following commands

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

This converts the private key (to unencrypted PKCS#8) and the certificate from PEM to DER, which is the format ImportKey expects in the next step. If key.pem is itself passphrase-protected, openssl will prompt for the passphrase. Because of -nocrypt, key.der holds the private key in the clear: keep it in a directory only you can read and delete it once the keystore has been built.
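As an added example that is not part of the original post (and not a ManageEngine, GlobalSign or startux.de tool), the following POSIX shell script does the Step 3 conversion and first checks that the certificate's public key really belongs to the private key, which is the mismatch the post describes. It assumes an openssl binary on the PATH and a POSIX shell (Git Bash or WSL on Windows; the openssl command lines themselves are the same ones the GnuWin32 build accepts). The certificate and keys it generates are constructed throwaway test material, not real CA-issued files.

```shell
#!/bin/sh
# Added example, not from the original post: check that cert.pem and key.pem
# form a pair, then convert them to the DER files ImportKey expects.
set -eu

# SHA-256 of the DER-encoded public key carried inside an X.509 certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key (PKCS#1 or PKCS#8 PEM).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate and the private key belong together.
keys_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Write key.der (unencrypted PKCS#8) and cert.der into OUTDIR, the two files
# used when ImportKey is run. Refuses a mismatched pair up front, which is
# cheaper than discovering the mismatch when the keystore is imported.
pem_to_der() {
    cert=$1; key=$2; outdir=$3
    keys_match "$cert" "$key" || {
        echo "certificate and private key do not match" >&2
        return 1
    }
    # key.der is unencrypted: create it readable by the owner only.
    (
        umask 077 &&
        openssl pkcs8 -topk8 -nocrypt -in "$key" -inform PEM \
            -out "$outdir/key.der" -outform DER &&
        openssl x509 -in "$cert" -inform PEM \
            -out "$outdir/cert.der" -outform DER
    )
}

# Constructed sample input (hypothetical, not real CA material): a throwaway
# self-signed wildcard certificate with its key, plus an unrelated key so the
# mismatch case can be shown. Prints the directory holding the files.
make_sample_dir() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.com" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
    echo "$dir"
}

# Stand-alone run: exercise the matching and the mismatched case.
main() {
    dir=$(make_sample_dir)
    if keys_match "$dir/cert.pem" "$dir/key.pem"; then
        echo "cert.pem / key.pem: match"
    fi
    if ! keys_match "$dir/cert.pem" "$dir/other.pem"; then
        echo "cert.pem / other.pem: MISMATCH (would fail on import)"
    fi
    pem_to_der "$dir/cert.pem" "$dir/key.pem" "$dir"
    ls -l "$dir/key.der" "$dir/cert.der"
    rm -rf "$dir"
}
main
```

The fingerprint comparison hashes the SubjectPublicKeyInfo from both sides, so it works for RSA and EC keys alike and does not depend on the modulus-printing format of a particular openssl version. Run keys_match against the real cert.pem and key.pem before Step 4; if it fails, the certificate was issued for a different CSR than the key you have, and no amount of keystore work will fix that.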

Step 4: Compile ImportKey

keytool has no command to import a bare private key into a keystore, so you need a small Java program called ImportKey to do it for you. It is distributed as source code only, so it has to be compiled first.

So download and install the JDK (Java Development Kit) if you have not done so already. Download ImportKey from http://www.startux.de/images/phocadownload/importkey.java and place it in the bin directory of the JDK installation (the same folder that has javac.exe, which on my system is \Program Files\Java\jdk1.6.0_17\bin). If the browser saved it as importkey.java, rename it to ImportKey.java: javac requires the file name to match the public class name.

Open Command Prompt

cd \program files\java\jdk1.6.0_17\bin

and use the command (note that this is case sensitive)

javac ImportKey.java

This creates an ImportKey.class file, which can be run to import the two DER files into a new keystore.

Step 5: Copy DER files to ImportKey.Class location

Copy the cert.der and key.der files created earlier into the same folder as the ImportKey.class file, e.g.

C:\Program Files\Java\jdk1.6.0_17\bin

Step 6: Run ImportKey

From the command prompt run

java ImportKey key.der cert.der tomcat sdp.keystore changeit

This creates a new keystore called sdp.keystore with the password changeit. The key and certificate are imported under the alias tomcat. changeit is only the conventional Java default; use a password of your own for a production keystore, since anyone who can read the file and knows the password can extract the private key.

Step 7: Verify Keystore

Verify the keystore using the command

keytool -list -keystore sdp.keystore

Enter the password when prompted: changeit

You should see the one entry you imported under its alias with no errors. Adding -v to the command also prints the entry type, which should read PrivateKeyEntry; a trustedCertEntry means only the certificate went in and the private key is missing, so the HTTPS connector would not be able to use it.

Step 8: Copy sdp.keystore

Copy the sdp.keystore file that was just created to the following location:

<ServiceDesk_Home>\server\default\conf

Step 9: Change WebServerPort

cd \manageengine\servicedesk\bin

run the command

changewebserverport 443 https

Step 10: Edit Server.XML

Open the server.xml file at

<ServiceDesk_Home>\server\default\deploy\jbossweb-tomcat50.sar\server.xml

Look for the keystorePass attribute and change its value to "changeit" (or to whatever password you gave the keystore in Step 6). The keystore password sits in this file in clear text, so restrict who can read server.xml.

Step 11: Restart ServiceDesk

Restart ServiceDesk Plus.

I hope this helps anyone else out there who has been struggling with similar problems to mine. I have not had to import my root or intermediate certificate to get this to work, but that may be different for other users.
