Use self-signed or privately-signed certificates with Active Directory
If you configure your AD integration to connect to your server using SSL, you may need to import your server's certificate into a new truststore to be used by the Contrast JRE.
Acquire the server's certificate from your administrators in PKCS#12 format. If you're using a self-signed certificate, this will be the actual AD server's certificate. If you have a private CA, you need the CA certificate for that server.
Once you have the certificate for the server, create a truststore that contains that certificate. Run the following commands as an administrator from a command shell in the directory where Contrast is installed.
$ mkdir data/conf/ssl
$ jre/bin/keytool -import -file <path to certificate> -alias <hostname> \
    -keystore data/conf/ssl/truststore.jks
After you create your truststore containing either your server's certificate or your CA's certificate, add the following lines to the bin/contrast-server.vmoptions file:
-Djavax.net.ssl.trustStore=<full path to truststore>
-Djavax.net.ssl.trustStorePassword=<password you set for the trustStore, if any>
Now restart the Contrast server service, and verify that queries against AD use SSL.
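A pre-restart check for the two settings above, as an added example that is not part of the original page or Contrast's own tooling: it confirms that the vmoptions file points at a full truststore path that exists, and that neither file has loose permissions. The function names and return codes are made up for this example.

```sh
#!/bin/sh
# Added example (not Contrast code): sanity-check the truststore settings
# in a vmoptions file before restarting the server.

# Print the value of a -D<property>= line (the last occurrence wins).
vmoption_value() {   # $1 = vmoptions file, $2 = system property name
    sed -n "s/^-D$2=//p" "$1" | tail -n 1
}

# Print the 10-character mode string of a file, e.g. -rw-r--r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

check_truststore_config() {   # $1 = path to contrast-server.vmoptions
    vmopts=$1
    [ -f "$vmopts" ] || { echo "vmoptions file not found: $vmopts"; return 2; }

    ts=$(vmoption_value "$vmopts" javax.net.ssl.trustStore)
    [ -n "$ts" ] || { echo "javax.net.ssl.trustStore is not set"; return 3; }

    # The JVM resolves a relative path against its working directory,
    # which is why the page asks for the full path.
    case "$ts" in
        /*) ;;
        *) echo "trustStore is not a full path: $ts"; return 4 ;;
    esac

    [ -s "$ts" ] || { echo "truststore missing or empty: $ts"; return 5; }

    # Anyone who can write the truststore can add a CA the server will trust.
    case "$(mode_of "$ts")" in
        ?????w????|????????w?)
            echo "truststore is group/world-writable: $ts"; return 6 ;;
    esac

    # The truststore password sits in this file in clear text.
    if [ -n "$(vmoption_value "$vmopts" javax.net.ssl.trustStorePassword)" ]; then
        case "$(mode_of "$vmopts")" in
            ???????r??)
                echo "vmoptions holds a password but is world-readable"; return 7 ;;
        esac
    fi

    echo "OK: trustStore=$ts"
}
```

Call check_truststore_config bin/contrast-server.vmoptions from the Contrast installation directory. Afterwards, jre/bin/keytool -list -v -keystore data/conf/ssl/truststore.jks shows the imported entry so you can compare it against the certificate your administrators supplied.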