Upload an SSL Certificate

***This article is for Access Manager 1.1 if you are looking for the instructions for Access Manager 1.2 please use THIS ARTICLE***

This article shows you how to upload a PEM certificate into your Access Manager server starting right from step one, generating the initial CSR. If you already have a valid signed certificate then jump to step 2. If you have a PFX or P12 certificate please follow the article titled, Upload a PFX, P12 Certificate.

Step 1: Generate CSR

1. Log into the VM admin console (https://<server>:10000/) and access 'PKI Certificate and Key Management -> Generate Key and Certificate Signing Request (CSR)'



2. Set key size to 2048 and enter the requested information:

  • Common Name: The fully-qualified domain name, or URL, you're securing.
    If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
  • Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
  • Organization Unit: If applicable, enter the DBA (doing business as) name.
  • City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
  • State or Province: Name of the state or province where your organization is located. Do not abbreviate.
  • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.

DO NOT set a password

3. Click 'Generate CSR'

4. Click Continue and then 'Download'

5. Use File -> Save Page As in your browser menu (or copy all the text) and save the CSR .pem file

6. Get this CSR signed by a CA such as GoDaddy.


Step 2:Uploading Root or Intermediate PEM Certificates

If you have a root or intermediate certificate to upload these need to be uploaded first.

The following 2 steps use the same form to upload your CA's root and intermediate certificates as well as your issued certificate. Navigate to PKI Certificate and Key Management -> Import Key or Signed Certificate

It is important that you upload using the "Upload Certificate" button for all the following steps. Do not use the "Upload Key" option as it will overwrite your private key and require that you reset it and have your CA re-issue your certificate.



1. Click 'Browse' next to the "Certificate file to upload" field to select your root or intermediate certificates.

2. Change the "Destination directory of the certificate to:

  •  /etc/ssl/certs/java

3. DO NOT change the destination file name of the certificate

4. Click 'Upload Certificate"


Step 3:Uploading your Certificate

For secure, trusted access you must install an SSL server certificate on the Nervepoint Access Manager server. The uploaded certificate file must have the following characteristics:

  • The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. For best results, use a commercial CA such as VeriSign, Thawte or GeoTrust.
  • The certificate must be in Privacy Enhanced Mail (PEM) format, a text-based format that is a Base64 encoding of the binary Distinguished Encoding Rules (DER) format. (If your certificate is in PFX or P12 follow the article titled, Upload a PFX or P12 Certificate.
  • The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file.

To upload your certificate issued by your CA using the same form in step 2:


1. Click 'Browse' next to the "Certificate file to upload" field to select your certificate.

2. Ensure the "Destination directory of the certificate" shows:

  •  /etc/ssl/certs

3. DO NOT change the destination file name of the certificate

4. Click 'Upload Certificate"


The Nervepoint server will notice the change and force a restart of the server after which the SSL certificates will be in use.

If you have problems you can reset the certificate from "PKI Certificate and Key Management -> Generate Self Signed Certificate and Key". You will need to go through the above process again.

Have more questions? Submit a request


Powered by Zendesk