How to: Install Private Root CA into ADManager Plus

Frustrated by the lack of documentation from Adventnet on this topic, I decided to dig in and work out the proper procedure for installing an SSL certificate that works with their ADManagerPlus application. Having some previous experience with Java certificate stores, I used that knowledge to complete the task. Like many people, I tried to follow Adventnet’s documentation but kept getting stuck on how to embed the Root CA correctly (obvious from the fact that https still reported an untrusted certificate!). This is the process I followed to get ADManagerPlus working with our private Root CA:

  1. Shut down ADManagerPlus if it is currently running.
  2. Open a command prompt and navigate to C:\AdventNet\ADManagerPlus\jre\bin
  3. Execute the following command:
    keytool -genkey -alias tomcat -keyalg RSA -keystore admp.keystore

  4. Enter a keystore password. When keytool asks for “your first and last name”, enter the FQDN of the server that ADManagerPlus runs on instead. If you make a typo, just hit CTRL+C to kill the process; the keystore is not written until the very end, so nothing is created. If you only notice at the end that the keystore is fubar’d, just delete it and start over.
  5. Execute the following command:
    keytool -certreq -keyalg RSA -alias tomcat -file certkey.txt -keystore admp.keystore
  6. Enter the keystore password from step 4.
  7. In steps 8-13, access the private CA with domain admin credentials or higher in order to see server-based certificate templates; otherwise only user-based templates will be available (User, Basic EFS).
  8. Open Internet Explorer (using domain admin privileges) and select the private CA address (http://mycertserver/certsrv where mycertserver is the Windows server hosting Certificate Services).
  9. Next, get a copy of the Root CA certificate and save it to the same path you are using in the command prompt: select the link “Download a CA certificate, certificate chain, or CRL”, then select “Download CA certificate” and save it (certnew.cer) to C:\AdventNet\ADManagerPlus\jre\bin.
  10. Next, request a certificate from the CA. The easiest way to do this is to just hit the “back” button in Internet Explorer. Select “Request a certificate” and then “advanced certificate request”.
  11. Now select “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
  12. Now open the certkey.txt file (from step 5) and copy and paste its contents into the first text box. Next, under “Certificate Template” select “Web Server” and then click the Submit button at the bottom.
  13. The page will now present download links for the certificate. Select the “Download certificate chain” link and save the file (certnew.p7b) to C:\AdventNet\ADManagerPlus\jre\bin.
  14. Now go back to the command prompt and execute the following command:
    keytool -import -alias tomcat -keystore admp.keystore -trustcacerts -file certnew.p7b

  15. The private CA’s root certificate must also be added to the list of trusted CAs in the Java cacerts file. The Java cacerts file uses the standard password changeit. Type the following command (choosing any alias name you like):
    keytool -import -alias admpcacert -keystore ..\lib\security\cacerts -file certnew.cer

  16. Verify the certificate signing by entering the following command (password is the keystore password from step 4):
    keytool -list -v -keystore admp.keystore -storepass password

Two certificates should be listed, the first being the ADManagerPlus web server certificate and the second being the Root CA certificate. The output will look like this:

    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Certificate[2]:

If the certificate chain length is 1, go back through the steps to find the error. Do not proceed with the final four steps below until the chain length is 2, or the ADManagerPlus server service will hang (and lock) at startup.
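As an added example (not from the original post), a small POSIX shell check that reads the step 16 listing and only reports success when the tomcat entry really carries a two-certificate chain, so the failure case above is caught before server.xml is touched. The two listings inside it are constructed samples, not real keytool output; on the server itself you would feed it `keytool -list -v -keystore admp.keystore` instead.

```shell
#!/bin/sh
# Added example, not from the original post. chain_ok reads a
# "keytool -list -v" listing from stdin and returns 0 only when the named
# alias is a private-key entry whose chain length is 2 (web server cert
# followed by the Root CA). Usage on the real server, after sourcing:
#   keytool -list -v -keystore admp.keystore | chain_ok tomcat

chain_ok() {
    want="${1:-tomcat}"
    awk -v want="$want" '
        /^Alias name:/               { cur = $3 }
        /^Entry type:/               { if (cur == want) type = $3 }
        /^Certificate chain length:/ { if (cur == want) len = $4 }
        END {
            # old keytool prints keyEntry, newer ones print PrivateKeyEntry
            ok = (type == "keyEntry" || type == "PrivateKeyEntry") && len == 2
            exit ok ? 0 : 1
        }'
}

# Constructed listing for a correct import (step 14 chained the Root CA).
GOOD_LISTING='Alias name: tomcat
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=admp.example.local, O=Example
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA'

# Constructed listing for the failure mode the post warns about: the Root CA
# was never trusted in cacerts, so only the server certificate was imported.
BAD_LISTING='Alias name: tomcat
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=admp.example.local, O=Example
Issuer: CN=Example Root CA'

for listing in "$GOOD_LISTING" "$BAD_LISTING"; do
    if printf '%s\n' "$listing" | chain_ok tomcat; then
        echo "chain length 2: safe to do the final four steps"
    else
        echo "chain incomplete: go back through the steps"
    fi
done
```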

  1. Once the certificate signing is verified, open Windows Explorer and rename both the server.xml file (to serverxml.old) and the server.keystore file (to serverkeystore.old) in the C:\AdventNet\ADManagerPlus\conf directory.
  2. Now copy the admp.keystore file from C:\AdventNet\ADManagerPlus\jre\bin into the C:\AdventNet\ADManagerPlus\conf directory.
  3. Edit the server.xml file in C:\AdventNet\ADManagerPlus\conf using any text editor. Scroll to the bottom of the file and look for the line that begins with “<Connector acceptCount”.
  4. Scroll to the part of that line that reads keystoreFile="./conf/server.keystore" keystorePass="adventnet". Change server.keystore to admp.keystore and change the password to match the one set in step 4. Save and close the file.

That completes both the Root CA installation and the certificate keystore installation. Restart the ADManagerPlus service and access the FQDN of the ADManagerPlus server in a web browser.
