Certificate not trusted warning – How to Import wildcard certificate into Tomcat (BOBJ web application server)

This document describes how to enable HTTPS on the BOBJ web application server (Tomcat) and then import a CA-trusted wildcard certificate so that browsers stop warning about the connection.

Enabling the https

Enabling HTTPS on the web application server (Tomcat in this case) requires generating a keystore and a self-signed certificate with the built-in keytool (or OpenSSL).

From a command prompt, navigate to <installdir>\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin

Run the command below. It generates a keystore.jks file in the keytool home directory; copy it to a dedicated folder, for example C:\SSL.

keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

Export the self-signed certificate as a .crt file with the command below:

keytool -export -alias tomcat -keystore C:\SSL\keystore.jks -file C:\SSL\tomcat.crt

The self-signed certificate tomcat.crt is now stored in the C:\SSL folder.

Stop Tomcat.

Open the server.xml file under <Tomcathome>/conf.

Uncomment the HTTPS connector entry and add the parameters below to it:

keystoreFile="C:\SSL\keystore.jks" keystorePass="password"

Restart Tomcat; the HTTPS links to the BI Launchpad and the CMC should now work.



Importing the wild card certificate

After the above process the HTTPS links work as expected, but the browser shows a certificate-not-trusted warning. This is expected: the Tomcat certificate is self-signed, not CA-signed.

To get rid of the warning, create a .csr (certificate signing request) file and send it to your CA, which returns a signed .crt file. Import it with the command below:

keytool -importcert -trustcacerts -alias tomcat -keystore keystore.jks -file cacertified.crt

If the CA also provides a root certificate, import it into a separate root alias.

Most of the time an internal CA already has a wildcard certificate for the domain, and importing that one is a little trickier. Importing the wildcard certificate into the same tomcat alias gives a "Public keys mismatch" error, because that alias holds the key pair keytool generated locally while the wildcard certificate belongs to a different private key (wildcard.key). Follow the process below instead.

Using OpenSSL, convert the wildcard.crt certificate together with its private key into PFX (PKCS12) format:

openssl pkcs12 -export -in wildcard.crt -inkey wildcard.key -out C:\SSL\wildcard.pfx

The above command generates wildcard.pfx in the C:\SSL folder.

Stop Tomcat and change the HTTPS connector entry in server.xml as follows:

keystoreType="PKCS12" keystoreFile="C:\SSL\wildcard.pfx" keystorePass="password"

Restart Tomcat.

All set: Tomcat now serves the internal wildcard certificate.
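The server.xml edit above (uncomment the HTTPS connector, then set keystoreType, keystoreFile and keystorePass) is easy to get wrong by hand. The script below is an added example, not code from the original post or from SAP/Tomcat: it applies that edit to a server.xml with Python's standard library and reads the connector settings back so you can verify them before restarting Tomcat. It goes slightly beyond the post by choosing the keystore type from the file extension, so the same function also handles the keystore.jks from the self-signed setup. The sample server.xml, the C:/SSL paths and the password are constructed placeholders.

```python
# Added example (not part of the original post): edit the HTTPS <Connector> in a
# Tomcat server.xml so it uses a PKCS12 keystore such as the wildcard.pfx above,
# then read the settings back to verify them. Standard library only; the sample
# server.xml, the paths and the password below are constructed placeholders.
import re
import xml.etree.ElementTree as ET

# Constructed sample: a stock server.xml ships with the HTTPS connector commented out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def keystore_type_for(path):
    """Keystore type Tomcat expects, derived from the file extension
    (.pfx/.p12 -> PKCS12 as in the wildcard step; .jks -> JKS as in the self-signed setup)."""
    ext = path.lower().rsplit(".", 1)[-1]
    if ext in ("pfx", "p12"):
        return "PKCS12"
    if ext == "jks":
        return "JKS"
    raise ValueError("unrecognised keystore extension: " + path)


def uncomment_https_connector(xml_text):
    """Strip the <!-- --> markers around the SSLEnabled connector ("uncomment the https entry")."""
    pattern = re.compile(r'<!--\s*(<Connector\b[^>]*SSLEnabled="true"[^>]*/>)\s*-->')
    return pattern.sub(r"\1", xml_text)


def https_connector_settings(xml_text):
    """Return the attributes of the active HTTPS connector, or None if none is enabled.
    The parser drops XML comments, so a still-commented connector does not count."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    enabled = [c for c in root.iter("Connector") if c.get("SSLEnabled") == "true"]
    return dict(enabled[0].attrib) if enabled else None


def configure_https_connector(xml_text, keystore_file, keystore_pass):
    """Enable the HTTPS connector and point it at keystore_file.
    Returns the new server.xml text; refuses to guess if the file has 0 or >1 TLS connectors."""
    text = uncomment_https_connector(xml_text)
    root = ET.fromstring(text.encode("utf-8"))
    enabled = [c for c in root.iter("Connector") if c.get("SSLEnabled") == "true"]
    if len(enabled) != 1:
        raise ValueError("expected exactly one SSLEnabled connector, found %d" % len(enabled))
    connector = enabled[0]
    connector.set("keystoreType", keystore_type_for(keystore_file))
    connector.set("keystoreFile", keystore_file)
    connector.set("keystorePass", keystore_pass)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated = configure_https_connector(SAMPLE_SERVER_XML, "C:/SSL/wildcard.pfx", "changeit")
    print(https_connector_settings(updated))
```

Point the script at <Tomcathome>/conf/server.xml, write the returned text back, and restart Tomcat as the post describes. Note that keystorePass ends up in clear text in server.xml, so the file should be readable only by the account Tomcat runs under.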

 Karthik Addula

