Use self-signed or privately-signed certificates with Active Directory

If you configure your AD integration to connect to your server using SSL, you may need to import your server's certificate into a new truststore to be used by the Contrast JRE.

  1. Acquire the server's certificate from your administrators in PKCS#12 format. If you're using a self-signed certificate, this will be the actual AD server's certificate. If you have a private CA, you need the CA certificate for that server.

  2. Once you have the certificate for the server, create a truststore that contains that certificate. Run the following commands as an administrator from a command shell in the directory where Contrast is installed.

    $ mkdir data/conf/ssl
    $ jre/bin/keytool -import -file <path to certificate> -alias <hostname> \
      -keystore data/conf/ssl/truststore.jks

  3. After you create the truststore containing either your server's certificate or your CA certificate, add the following lines to the bin/contrast-server.vmoptions file:

    -Djavax.net.ssl.trustStore=<full path to truststore>
    -Djavax.net.ssl.trustStorePassword=<password you set for the trustStore, if any>

  4. Restart the Contrast server service and verify that queries against AD use SSL.
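A certificate placed in the truststore becomes a trust anchor for the connection to AD, so it is worth confirming its SHA-256 fingerprint before step 2 and confirming the stored entry afterwards. The script below is an added example, not part of the Contrast documentation. The function names and the idea of getting the expected fingerprint from your AD administrators out of band are assumptions, and it assumes the file is an X.509 certificate that `keytool -printcert` can read; the keytool and truststore paths are the ones used above.

```shell
#!/bin/sh
# Added example: import a certificate only if its SHA-256 fingerprint matches
# the value supplied out of band, then confirm the truststore entry.
KEYTOOL=${KEYTOOL:-jre/bin/keytool}       # path from step 2, relative to the Contrast directory
STORE=data/conf/ssl/truststore.jks        # truststore path from step 2

# Pull the SHA-256 fingerprint out of `keytool -printcert` or `keytool -list -v` output.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Strip colons and whitespace, and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if $1 is a well-formed SHA-256 fingerprint and $2 is the same value.
fp_matches() {
    want=$(normalize_fp "$1")
    got=$(normalize_fp "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 1 ;;       # empty or non-hex input never matches
    esac
    [ "${#want}" -eq 64 ] && [ "$want" = "$got" ]
}

# $1 = certificate file, $2 = alias (hostname), $3 = expected SHA-256 fingerprint.
# keytool prompts for the truststore password as in step 2.
import_if_verified() {
    file_fp=$("$KEYTOOL" -printcert -file "$1" | extract_sha256)
    if ! fp_matches "$3" "$file_fp"; then
        echo "fingerprint mismatch for $1; not importing" >&2
        return 1
    fi
    mkdir -p data/conf/ssl
    "$KEYTOOL" -import -file "$1" -alias "$2" -keystore "$STORE" || return 1
    # Read the entry back and check that the expected certificate is what was stored.
    store_fp=$("$KEYTOOL" -list -v -alias "$2" -keystore "$STORE" | extract_sha256)
    fp_matches "$3" "$store_fp"
}

# Usage, from the Contrast installation directory:
#   import_if_verified <path to certificate> <hostname> "<expected SHA-256 fingerprint>"
```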