How to Generate a Certificate Signing Request (CSR) in OpsCenter

  • Modified Date:
  • Article ID:000008423


How to Generate a Certificate Signing Request (CSR) in OpsCenter


Create a local Certificate Signing Request (CSR):

In order to obtain a Certificate from the Certificate Authority of your choice you have to create a Certificate Signing Request (CSR). That CSR will be used by the Certificate Authority to create a Certificate that will identify your website as "secure". Follow these steps:


Create a local Certificate

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>   

(See below for %JAVA_HOME% and the keystore file path)


The CSR is then created with:

%JAVA_HOME%\bin\keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>   


Now you have a file called certreq.csr. The file is encoded in PEM format. You can submit it to the Certificate Authority (look at the documentation of the Certificate Authority website on how to do this). In return you get a Certificate.


Importing the Certificate:

When you receive the Certificate you can import it into your local keystore. First of all you have to import a Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.


Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.

Import the Chain Certificate into your keystore

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate_you_downloaded>


Finally import your new Certificate:

keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file < filename_of_the_certificate_you_downloaded>


Detailed Information of above commands:

Java provides a command-line tool called keytool to create a "self-signed" Certificate.

OpsCenter creates a self-signed certificate at  installation time, and customers can choose to replace this with their own self-signed certificates or the certificates they purchased from the Certificate Authority (CA).

OpsCenter certificates are stored under <install_path>\Symantec\OpsCenter\gui\Security\Keystore


The Tomcat configuration file is server.xml file:

OpsCenter updates the server.xml file to point the Tomcat server to the certificate location.

Here is an example of what you may see in the file install_path\Symantec\OpsCenter\gui\WebServer\conf\server.xml

keystorePass="opscenter" maxHttpHeaderSize="8192"                                        



You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable. OpsCenter specifies absolute pathname of the certificate keystore as specified above in the OpsCenter Certificates sections.



Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit). OpsCenter uses opscenter as a keystorePass.


To create a new keystore from scratch:

%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore \path\to\my\keystore


The JAVA_HOME can be found in the install_path\Symantec\OpsCenter\gui\bin\OpsCenterGUIService.xml file

      <EnvVar name="JRE_HOME" value =

After executing this command, you will first be prompted for the keystore password.
You can specify a custom password if you like - you will also need to specify the custom password in the server.xml configuration file as explained above in the server.xml file section.


Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.


Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)


If everything was successful, you now have a keystore file with a Certificate that can be used by your server. 



Terms of use for this information are found in Legal Notices.



Did this article answer your question or resolve your issue?


Did this article save you the trouble of contacting technical support?


How can we make this article more helpful?

Email Address (Optional)