Use self-signed or privately-signed certificates with Active Directory

If you configure your AD integration to connect to your server using SSL, you may need to import your server's certificate into a new truststore to be used by the Contrast JRE.

1. Acquire the server's certificate from your administrators in PKCS#12 format. If you're using a self-signed certificate, this will be the actual AD server's certificate. If you have a private CA, you need the CA certificate for that server.

2. Once you have the certificate for the server, create a truststore that contains that certificate. Run the following commands as an administrator from a command shell in the directory where Contrast is installed.

$ mkdir data/conf/ssl
$ jre/bin/keytool -import -file <path to certificate> -alias <hostname> \
    -keystore data/conf/ssl/truststore.jks

3. After you create the truststore containing either your server's certificate or the CA certificate, add the following lines to the bin/contrast-server.vmoptions file:

-Djavax.net.ssl.trustStore=<full path to truststore>
-Djavax.net.ssl.trustStorePassword=<password you set for the trustStore, if any>

4. Restart the Contrast server service, and verify that queries against AD use SSL.
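
A check you can run between steps 3 and 4, as an added example that is not part of Contrast's documentation or tooling: it reads the vmoptions file, confirms the truststore path is a full path to a non-empty file, and flags a world-readable file that holds the truststore password in clear text. The function names are hypothetical and a Unix-like install is assumed.

```shell
#!/bin/sh
# Added example: pre-restart check of the truststore settings from step 3.
# vmoption_value and check_truststore_config are hypothetical helper names.
# Usage: check_truststore_config bin/contrast-server.vmoptions

# Print the value of a "-D<name>=<value>" line (the last one wins, as in the JVM).
vmoption_value() {
    # $1 = vmoptions file, $2 = exact property name
    awk -v p="-D$2=" '
        index($0, p) == 1 { v = substr($0, length(p) + 1); sub(/\r$/, "", v) }
        END { print v }' "$1"
}

# Return 0 when the settings look usable, 1 on a finding, 2 if the file is unreadable.
check_truststore_config() {
    vmoptions=$1
    status=0
    [ -r "$vmoptions" ] || { echo "cannot read $vmoptions" >&2; return 2; }

    store=$(vmoption_value "$vmoptions" javax.net.ssl.trustStore)
    pass=$(vmoption_value "$vmoptions" javax.net.ssl.trustStorePassword)

    case $store in
        "") echo "FAIL: javax.net.ssl.trustStore is not set" >&2
            status=1 ;;
        /*) [ -s "$store" ] || {
                echo "FAIL: truststore missing or empty: $store" >&2
                status=1
            } ;;
        *)  echo "FAIL: trustStore must be a full path, got: $store" >&2
            status=1 ;;
    esac

    # The password is stored in clear text, so other users should not be
    # able to read the file that carries it.
    if [ -n "$pass" ] && [ -n "$(find "$vmoptions" -prune -perm -004)" ]; then
        echo "FAIL: $vmoptions holds the truststore password and is world-readable" >&2
        status=1
    fi
    return $status
}
```

Listing the store with `jre/bin/keytool -list -keystore data/conf/ssl/truststore.jks` additionally confirms that the alias imported in step 2 is present.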