Create SSL certificate for Web UI

Document ID : KB000015487
Last Modified Date : 06/03/2018
Show Technical Document Details

Add a signed certificate to CA Workload Automation DE Web Client (Web UI).  Using SSL connection is highly recommended when accessing the DE Web Client.


How to add a CA (Certificate Authority) signed certificate to CA WA DE Web Client?

CA Workload Automation DE R12 SP2 or above CA Workload Automation DE Web Client R12 or above

The DE Web Client is Apache-Tomcat application.  You will use the keytool utility to generate the certificate.


cd <de_web_ui_dir>/jre/bin

./keytool -genkey -alias alias_name -keyalg RSA -keystore your_keystore -keysize 2048


Note: Change the alias_name to your hostname or something unique.  Aliases within the keystore must be unique.

Answer all the questions that follow the keytool command.

You will be prompted to enter keystore password.  Be sure to remember or make a note of it.  If you forget the password, you will not be able to access the keystore.

Next generate the Customer Signing Request (CSR).

keytool -certreq -alias alias_name -file request.csr  -keystore your_keystore


This will generate the CSR.  Submit the CSR to CA (Certificate Authority) for signing.  The CA will sign the certificate and may provide root, intermediate and public certificate.  They may also provide instructions on how to import them.


keytool -import -trustcacerts -alias root -file ca_root.crt -keystore your_keystore

keytool -import -trustcacerts -alias intermediate -file ca_Intermediate.crt -keystore your_keystore

keytool -import -trustcacerts -alias alias_name -file -keystore your_keystore


Add the CA Signed certificate to Apache-Tomcat (Web UI)

Navigate to install directory and then to apache-tomcat/conf

cd <DE_WebUI_dir>/apache-tomcat/conf

Edit the file “server.xml”,  and find the code.

<Connector port="8443" protocol="HTTP/1.1"


Under the connector port section, look for:







Change the keyAlias name to what was used when generating the certificate.  The alias name must match.

The path to keystore file must be correct.  Provide the same password that was used when the keystore was created.  Usual default password is 'changeit'.


Save the ‘server.xml’, and then restart the DE Web UI.


In your browser visit


If successful, the browser address bar will display a safety lock sign.