Generating and Importing an SSL Certificate signed by a Trusted Root Authority

Document created by gbockelmann (Employee) on Jun 22, 2012. Last modified by chris_stevens on Apr 5, 2017.
Version 2

You need to configure a web service listener or other connector that requires an SSL certificate signed by a trusted root authority.


What should you do in cases where a self-signed certificate (or Boomi-signed certificate) will not be accepted?

To generate and import an SSL certificate that is signed by a trusted root authority (like Verisign), you will need to generate a certificate signing request (CSR), submit it to the trusted provider, and request/download the certificate in PKCS7 format (e.g. a .p7b file). This file will include the public and intermediate certs in one certificate. This certificate will need to be imported into the Java cacerts keystore. Alternatively, if you already have the public cert in a file (e.g. a .pfx file) separate from the intermediate certs, you can import them both into the cacerts keystore separately. This should create a key with a certificate chain issued by the trusted root authority. The last step is to import this certificate into Boomi. Boomi requires certificates to be imported in .p12 file format, so you will first need to generate a PKCS12 version of the keystore to create the .p12 file for import into Boomi. Please note that this is recommended for more advanced users.


  1. To determine which JRE the Atom is using, open this file: <Atom Install>\.install4j\inst_jre.cfg
  2. To change the JRE if necessary, edit the file and change the file path to the JRE home folder you want to use.
  3. Find the cacerts file. It should be in JAVA_HOME\jre\lib\security\cacerts, where JAVA_HOME is the Java home directory for the JVM you're using.
  4. Make a backup of cacerts.
  5. Open a command prompt and go to the JRE's bin directory. For example, if your JRE is in the C:\java7 directory, go to C:\java7\jre\bin\
  6. Replace the keystore path, KEYSTORENAME and -dname parameters in this command with your information (the -dname "..." option can be omitted if the trusted root authority requests this information when submitting the CSR) and run the following command to generate the key:
    keytool -genkey -dname "CN=HOSTNAME, OU=ORGUNIT, O=ORG, L=LOCATION, S=STATE, C=COUNTRY" -alias Boomi -keyalg RSA -keystore c:\Certificates\Boomi\KEYSTORENAME -keysize 2048
  7. Replace the KEYSTORENAME in this command and run the following command to generate the CSR:
    keytool -certreq -keyalg RSA -alias Boomi -file c:\Certificates\Boomi\KEYSTORENAME.csr -keystore c:\Certificates\Boomi\KEYSTORENAME
  8. Make a copy of the keystore (optional, but recommended).
  9. Submit the CSR to the Trusted Root Authority (for example, Verisign), and request/download the returned certificate in PKCS7 format. This will have a public, G3 intermediate, and G5 intermediate certificate all in one certificate. Java must be 1.7 or newer.
  10. Replace the certificate file path\name and keystore path\name in this command and run the following command to import the PKCS7 certificate:
    keytool -import -alias Boomi -trustcacerts -file c:\Certificates\Boomi\NEWCERTNAME.p7b -keystore c:\Certificates\Boomi\KEYSTORENAME
  11. Replace the source and destination keystore paths/names and passwords (if different from changeit) in this command and run the following command to convert to .p12 format for import into Boomi:
    keytool -importkeystore -srckeystore c:\Certificates\Boomi\KEYSTORENAME -destkeystore c:\Certificates\Boomi\KEYSTORENAME.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias Boomi -destalias Boomi -srckeypass changeit -destkeypass changeit -noprompt
  12. In AtomSphere, create a new Certificate as X.509 type. Import the new certificate and select the .p12 file created in the previous step.
  13. Verify that the certificate that was imported is signed by the Trusted Root Authority (e.g. Verisign). Select the Certificate for use in the connections that require this SSL certificate that is signed by the trusted root authority.
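
One way to make the check in step 13 before uploading the .p12, as an added example that is not part of the original document: the Python function below reads the text printed by keytool -list -v -keystore c:\Certificates\Boomi\KEYSTORENAME.p12 -storetype PKCS12 and reports whether the Boomi alias is a private key entry whose certificate chain links up to a CA, or is still the self-signed certificate from step 6. The function name check_chain is hypothetical, and the sample listings are constructed and abbreviated.

```python
import re

def check_chain(listing, alias="Boomi"):
    """Return a list of problems for `alias` in `keytool -list -v` output."""
    # One block per keystore entry; aliases are compared case-insensitively.
    blocks = re.split(r"(?m)^Alias name: ", listing)[1:]
    entry = next((b for b in blocks
                  if b.splitlines()[0].strip().lower() == alias.lower()), None)
    if entry is None:
        return [f"alias {alias!r} not found"]
    problems = []
    etype = re.search(r"(?m)^Entry type: (\S+)", entry)
    if not etype or etype.group(1) != "PrivateKeyEntry":
        problems.append("not a PrivateKeyEntry: the CA reply is not attached to the key")
    owners = [o.strip() for o in re.findall(r"(?m)^Owner: (.+)$", entry)]
    issuers = [i.strip() for i in re.findall(r"(?m)^Issuer: (.+)$", entry)]
    if len(owners) < 2:
        problems.append("chain has no CA certificate: the key is still self-signed")
    # Each certificate must be issued by the next one in the chain.
    for n, (issuer, next_owner) in enumerate(zip(issuers, owners[1:]), start=1):
        if issuer != next_owner:
            problems.append(f"certificate {n} issuer does not match certificate {n + 1} owner")
    return problems

# Constructed, abbreviated listings (names are placeholders, not real CAs).
SIGNED = """\
Alias name: boomi
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=atom.example.com, O=Example Org, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""
SELF_SIGNED = """\
Alias name: boomi
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=atom.example.com, O=Example Org, C=US
Issuer: CN=atom.example.com, O=Example Org, C=US
"""
if __name__ == "__main__":
    for name, text in (("signed", SIGNED), ("self-signed", SELF_SIGNED)):
        print(name, check_chain(text) or "OK")
```

An empty result means the entry carries the private key together with a linked chain; it does not confirm which root the chain ends at, so still compare the last Owner line with the authority you submitted the CSR to.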