Hi all,
I have been having a lot of trouble trying to get SSL to work with ServiceDesk Plus and have eventually found a solution that I thought may be helpful to others.
The information contained within this post draws on information provided by multiple sources including the FAQ from ManageEngine and external sites such as http://www.startux.de/index.php/java/44-dealing-with-java-keystoresyvComment44 by Stefan Reimer.
The source of my particular problem is that I need to use a wildcard SSL certificate that was generated using AutoCSR. All of the guides I have found from ManageEngine assume you want the keytool to generate the CSR for you. This in turn leads to errors on importing your own certificate due to mismatches between the public and private keys.
So here's what I did.
Shut down ServiceDesk if it is running.
Step 1: Get your Certificate and Private Key
I started off with having my Certificate and Private Key from GlobalSign as a standard text file. The keys were just pasted into Notepad and saved as cert.pem and key.pem respectively.
Step 2: Install OpenSSL
Download and install openssl from
http://gnuwin32.sourceforge.net/packages/openssl.htm
Step 3: Convert Keys
Open a command prompt
cd \Program Files\GNUWIN32\Bin
To make things easier I also placed the cert.pem and key.pem into this same directory so I didn't have to mess around with paths when running the openssl program.
Run the following commands
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER
openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
This converts the private key and the certificate from PEM to DER, which is the format the next step needs. Note that -nocrypt writes key.der as an unencrypted PKCS#8 key, so keep that file out of any shared folder and delete it once it has been imported into the keystore.
Step 4: Compile ImportKey
Natively keytool doesn't allow you to import private keys into the keystore, so you will need a Java program called ImportKey to do this for you. This program is distributed as source code only, so it will need to be compiled.
So download and install the JDK (Java Development Kit) if you have not done so already. Download the file ImportKey from http://www.startux.de/images/phocadownload/importkey.java and place it in the bin directory where the JDK is installed (the same folder that has the javac.exe file, which on my system is \Program Files\Java\jdk1.6.0_17\bin).
Open Command Prompt
cd \program files\java\jdk1.6.0_17\bin
and use the command (note that this is case sensitive)
javac ImportKey.java
This will now create an ImportKey.class file which can be run to import the DER key and certificate into a new keystore.
Step 5: Copy DER files to ImportKey.Class location
Copy the cert.der and key.der files created earlier into the same folder as the ImportKey.class file, e.g.
C:\Program Files\Java\jdk1.6.0_17\bin
Step 6: Run ImportKey
From the command prompt run
java ImportKey key.der cert.der tomcat sdp.keystore changeit
This will create a new keystore called sdp.keystore with password of changeit. The certificate will be imported under the alias of tomcat.
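For anyone who wants to see what the import step actually does, here is an added example (not the ImportKey.java from startux.de and not ManageEngine code) that performs the same import with the standard java.security API, and first checks that cert.der really belongs to key.der, which is the public/private key mismatch mentioned above. It assumes an RSA key, takes the same five arguments as ImportKey, and runs on Java 6 or later.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.RandomAccessFile;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;

// Usage: java ImportKeyChecked key.der cert.der tomcat sdp.keystore changeit
public class ImportKeyChecked {
    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: java ImportKeyChecked <key.der> <cert.der> <alias> <keystore> <password>");
            System.exit(2);
        }
        String alias = args[2];
        char[] password = args[4].toCharArray();

        // key.der: unencrypted PKCS#8 DER as written by "openssl pkcs8 -topk8 -nocrypt" (RSA assumed)
        RandomAccessFile keyIn = new RandomAccessFile(args[0], "r");
        byte[] keyBytes = new byte[(int) keyIn.length()];
        keyIn.readFully(keyBytes);
        keyIn.close();
        PrivateKey privateKey = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(keyBytes));

        // cert.der: X.509 DER as written by "openssl x509 -outform DER"
        FileInputStream certIn = new FileInputStream(args[1]);
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        certIn.close();

        // Prove the pair matches before storing: sign a probe with the private key,
        // verify it with the public key taken from the certificate.
        byte[] probe = "keystore-import-check".getBytes("UTF-8");
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(probe);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        if (!verifier.verify(sig)) {
            System.err.println("cert.der does not match key.der; refusing to write the keystore");
            System.exit(1);
        }

        // Write a fresh JKS keystore with the key and its certificate under the one alias.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // start from an empty keystore
        ks.setKeyEntry(alias, privateKey, password, new Certificate[] { cert });
        FileOutputStream out = new FileOutputStream(args[3]);
        ks.store(out, password);
        out.close();
        System.out.println("wrote " + args[3] + " with alias " + alias);
    }
}
```

Compile it with javac ImportKeyChecked.java next to key.der and cert.der, exactly as in Step 4; the same keystore password is used for the store and the key entry, which is what the keystorepass setting in server.xml expects.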
Step 7: Verify Keystore
Verify the keystore using the command
keytool -list -keystore sdp.keystore
enter the password when prompted: changeit
You should see the one key you imported, listed under its alias as a PrivateKeyEntry, with no errors.
Step 8: Copy sdp.keystore
Copy the sdp.keystore file that was just created to the following location:
<ServiceDesk_Home>\server\default\conf
Step 9: Change WebServerPort
cd \manageengine\servicedesk\bin
Run the command
changewebserverport 443 https
Step 10: Edit server.xml
Open the server.xml file at the following path:
<ServiceDesk_Home>\server\default\deploy\jbossweb-tomcat50.sar\server.xml
Look for the keystorepass attribute and change its value to "changeit" (or whatever password you gave ImportKey in Step 6).
Step 11: Restart ServiceDesk
Restart ServiceDesk.
I hope this helps anyone else out there who has been struggling with similar problems as me. I have not had to import my root or intermediate certificate to get this to work, but that may be different for other users.