MOVEit Automation Web Admin Help

Update the MOVEit Automation Web Admin SSL/TLS Certificate

Save PDF

Update the MOVEit Automation Web Admin SSL/TLS Certificate

Save PDF

Last Updated: June 5, 2026
4 minute read

MOVEit Automation
Version 2026
Documentation

For use in production environments, you should install a certificate from a trusted certificate authority.

The trusted certificate for the Web Admin Server can be installed during installation or manually imported into Tomcat after installation.

On Windows Server systems, SSL/TLS certificates are typically prepared and managed using Windows-native tools. Ensure that the certificate is available in a Windows-compatible format, such as .pfx, before proceeding.

For information about configuring Apache Tomcat with SSL/TLS see, https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html

Choose from one of the following procedures to import the certificate into Tomcat:

For MOVEit Automation 2024.1 and newer, or versions already converted to use PFX, MOVEit Automation uses Tomcat's native ability to use PFX formatted certificates. Use Import an SSL/TLS Certificate into Tomcat for new installations, upgrades, and previously converted installations using PFX keystores.
For MOVEit Automation 2024.0 and older, or versions using PEM, use Import an SSL/TLS Certificate into Tomcat for upgrades using PEM certs and converting existing installs to use PFX certificates.

Prerequisites

You must have a .pfx or .p12 file that contains:
- the public certificate,
- its private key,
- and the intermediate certificates in the certificate path.
You must know the password for the certificate file. For information about exporting a server certificate from the Windows Certificate Store, see How do I Import and Export Server SSL Certificates?
Certificates are typically exported from the Windows Certificate Store in .pfx format with the private key included.
Stop the MOVEit Automaton service using Windows Services. For more information, see Starting and Stopping.

Import an SSL/TLS Certificate into Tomcat for new installations, upgrades, and previously converted installations using PFX keystores

Although Tomcat commonly uses PEM certificates, MOVEit Automation uses .pfx certificates in Windows environments to align with standard Windows practices.

This procedure assumes that the certificate is already in .pfx format and includes the private key.

Backup the current SSL/TLS certificate located in the Tomcat\certs directory.
Select from the following options:
1. If you know the credentials of the current SSL/TLS certificate
  1. Rename the certificate. For example, cert.pfx to cert-expired.pfx
  2. Save the new pfx certificate into the Tomcat\certs directory with the same name and password as the original certificate.
2. If you do not know the credentials of the current SSL/TLS certificate
  1. Save the new pfx certificate into the Tomcat\certs directory using a new unique name and password.
    The password cannot contain the < or > characters.
  2. Navigate to the Tomcat\conf directory.
  3. Backup the existing server.xml file before making any changes.
  4. Open the server.xml in a text editor as an administrator.
    Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.
  5. Locate the connector tag for port 443 (or the port configured for Tomcat to listen on). Navigate to the Certificate tag: Connector > SSLHostConfig > Certificate.
  6. Locate the CertificateKeyStoreFile attribute in the Connector’s Certificate tag, and update its value to the name of the .pfx or .p12 in step i.
  7. Locate the CertificateKeyStorePasswordattribute in the same Certificate tag, and update its value to the password of the .pfx or .p12 in step i.
  8. Save the changes to the server.xml file.
Restart MOVEit Automation Web Admin service using Windows services.
To confirm that the correct updated certificate is in place, open Web Admin in a browser.

Import an SSL/TLS Certificate into Tomcat for upgrades using PEM certs and converting existing installs to use PFX certificates

Use this procedure only when converting an existing installation from PEM-based certificates to .pfx. For Windows-based deployments, .pfx is the recommended format.

Save the new pfx certificate into the Tomcat\certs directory using a new unique name and password. The password cannot contain the < or > characters.
Navigate to the Tomcat\conf directory.
Backup the existing server.xml file before making any changes. Create an additional copy of the server.xml file to edit. . Do not directly edit the server.xml in the Tomcat folder.
Open the server.xml in a text editor as an administrator.
Note: To open the server.xml file as an administrator, open the text editor as an administrator and then open the server.xml file in the text editor.

Locate the connector tag for port 443, or whatever port is configured for Tomcat to listen on. Navigate to the Certificate tag: Connector > SSLHostConfig > Certificate. For example:

 <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" maxThreads="150" compression="on" compressionMinSize="1024" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript">
	<SSLHostConfig sslProtocol="TLSv1.2" honorCipherOrder="true" ciphers="ALL:!ADH:!SSLv2:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DH:!IDEA:!aNULL:!NULL">
		<Certificate certificateFile="${catalina.home}\certs\servercert.pem" certificateKeyFile="${catalina.home}\certs\serverkey.pem" certificateKeyPassword="keyPassword"/>
	</SSLHostConfig>
</Connector>

Remove the following attributes and their values from the Certificate tag:
- CertificateFile="${catalina.home}\certs\servercert.pem"
- CertificateKeyFile= "${catalina.home}\certs\serverkey.pem"
- CertificateKeyPassword="keyPassword"

Add the following attributes, and their appropriate values:

certificateKeystoreFile="${catalina.home}\certs\your_new_pfx_file.pfx"
certificateKeystoreType="PKCS12"
certificateKeystorePassword="Your new PFX private key password"

The result will look like this example:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" maxThreads="150" compression="on" compressionMinSize="1024" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/x-javascript,application/javascript">
	<SSLHostConfig sslProtocol="TLSv1.2+TLSv1.3" honorCipherOrder="true" ciphers="ALL:!ADH:!SSLv2:!EXP:!LOW:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!DH:!IDEA:!aNULL:!NULL">
		<Certificate certificateKeystoreFile="${catalina.home}\certs\servercert.pfx" certificateKeystorePassword="keystorePassword" certificateKeystoreType="PKCS12"/>
	</SSLHostConfig>
</Connector>

Save the updated server.xml file to the Tomcat\conf directory. If prompted to overwrite the existing files, click Yes.

Restart MOVEit Automation Web Admin using Windows services.
To confirm that the correct updated certificate is in place, open Web Admin in a browser.

Troubleshooting

If the Web Admin service fails to start, it may be due to server.xml file permissions, which can be removed during the copy process. To resolve this, right-click the server.xml file, go to Properties > Security. Edit the permissions to add Full control permissions to Administrators and System. Start the Web Admin service.