For use in production environments, you should install a certificate from a trusted certificate authority.

The trusted certificate for the Web Admin Server can be installed during installation or manually imported into Tomcat after installation.

For information about configuring Apache Tomcat with SSL/TLS see, https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

To import the certificate into Tomcat, complete the following procedure.

Prerequisites

You must have a .pfx or .p12 file that contains the public certificate, its private key, and the intermediate certificates in the Certificate path. The certificate password must be known before you begin this procedure. For information about exporting a server certificate from the Windows Certificate Store, see How do I Import and Export Server SSL Certificates?

Import the Certificate into the Tomcat service

  1. Save the .pfx or .p12 in the \Tomcat\certs folder in the of the folder where MOVEit Automation is installed. For example, C:\Program Files\MOVEit\MOVEit Automation Web Admin\Tomcat\certs
  2. To convert the .pfx or .p12 certificate to a .pem file
    1. Open the command prompt and navigate to \Tomcat\bin folder.
    2. Run the following command

      openssl pkcs12 -in ..\certs\cert.­pfx​​ -out ..\certs\serverchain.­​​pem

      The serverchain.pem file is created in the \Tomcat\certs folder

  3. Ignore the config file warning.
  4. Enter the Import Password for the certificate. This is the password that was specified when the certificate was exported.
  5. When prompted enter a password to protect the private key in the output .pem file. Do not use the < or > characters, as they can cause parsing errors in the Tomcat configuration.
  6. Open the serverchain.­pem file in an XML editor.
  7. Cut and paste the private key from the serverchain.­pem file to a new file named serverkey.­pem in the same folder.

    The serverkey.­pem file example:

    Bag Attributes

    Microsoft Local Key set: <No Values>

    localKeyID: 01 00 00 00

    friendlyName: certname

    Microsoft CSP Name: Microsoft Base Cryptographic Provider v1.0

    Key Attributes

    X509v3 Key Usage: 10

    -----BEGIN ENCRYPTED PRIVATE KEY-----

    MIICxjBABgkqhkiG9w0BBQ...

    [more random characters here]

    -----END ENCRYPTED PRIVATE KEY-----

  8. Cut and paste the first certificate from the serverchain.­pem file to a new file named servercert.­pem in the same folder.

    The serverkey.­pem file example:

    Bag Attributes

    localKeyID: 01 00 00 00

    1.3.6.1.4.1.311.17.3.92: 00 04 00 00

    1.3.6.1.4.1.311.17.3.20: 84 50 57 C7 D4 6F 0E D8 5E 01 D9 8B DE AA BE 41 66 BD 6C E5

    subject=/CN=test

    issuer=/CN=org

    -----BEGIN CERTIFICATE-----

    MIIBlTCB/6ADAgECAgRSKEl3MA0GCSqGSIb3DQEBBQUAMBAxDjAMBgNVBAMTBXRo

    b3JnMB4XDTEzMDkwNTA5MDU1OVoXDTE0MDkwNTA5MDU1OVowDzENMAsGA1UEAxME

    dGVzdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAlee0L6SVSEvE2IzZisnr

    ByUUEDkWaPK5d+OV93LdR1evp7GrCSyAi6CItJd01W7/PU1gOFwTxOBncu+jDkHs

    M2VgV16RRald2eW0/UyCAvbWy9mgI6Z3R6ffV11OiQyAZM6xTXhGmvJxCoUoMp3G

    mTNEU+0+6VNsCBAD1+MYIKUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBLZIfPbg6T

    Ej8CZZ3BJl2aDCUym90kF6WIdEPpqHK0e76SPPgMEGJas3sY4cIQvBxPxG7epWAt

    d/OGGNz/4WRN9vzhU26Md3uNHRl2QfykGyetSZj48RkG/4wy1GueIAKcYgtfUjNo

    ylXgj+8jM4AGfesetIcOkz3U/X1hDHfQzg==

    -----END CERTIFICATE-----

  9. There are two remaining certificates. Cut and paste the second certificate from the serverchain.­pem file to above the first certificate. Cut and paste starting with the Bag Attributes and including the -----END CERTIFICATE----
    Note: If there are more than two certificates remaining, run an SSL checker against the main SSL/TLS certificate to get a list of the correct certificates and remove the one that is not required. Most certificate providers have an SSL checker than can be used to complete this process.
  10. Open the Tomcat\conf\server.xml file in a text editor.

    Ensure you are editing the connector used for HTTPS (typically port 443).

    Note: To open the server.xml file, open the text editor as an administrator and then open the server.xml file in the text editor.
    1. Ensure that the connector paths are correct, for example,

      SSLCertificateFile= "${catalina.home}\certs\servercert.­pem​ "

      SSLCertificateKeyFile= "${catalina.home}\certs\serverkey.­pem​ "

      SSLCertificateChainFile= "${catalina.home}\certs\serverchain.­pem​ "

    2. If this is the first time that a certificate is imported, you may need to add the following line:

      SSLCertificateChainFile= "${catalina.home}\certs\serverchain.­pem​ "

    3. Edit the SSLPassword to match the password set in Step 5.
  11. Restart MOVEit Automation Web Admin service using Windows Services to apply the certificate changes.
  12. To confirm that the updated certificate is in use, access the Web Admin URL in a browser and verify the certificate details, or you can use an SSL checker.