Netscaler Adapter 2.2.
CSG_AAOP-Cert expired; as a result, users are unable to authenticate.
The certificate expired; as a result, users are unable to authenticate on the Tomcat server.
Steps to build a certificate for Tomcat.
Use the "keytool" utility, which is found in the Java/bin or Java/jre/bin directory.
1. Generate the keys (the file name can be certificate.jks):
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore <your_keystore_filename>
Note: When prompted for "first and last name", enter the full domain name, for example external-site.mycompany.com. The state name cannot be abbreviated.
2. Create the CSR (certificate signing request) file:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>
3. Use the CSR file to request the certificate. Open the .csr file, copy the entire text (from the -----BEGIN NEW CERTIFICATE REQUEST----- line through the -----END NEW CERTIFICATE REQUEST----- line) into Notepad, and submit it to the certificate issuer, for example godaddy.com. The certificates will then be emailed to your Admin. Once you get the certificates back, move on to step 4 and import the root and intermediate certificates.
4. Import the chain certificate, if any:
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
5. Finally, import your new certificate:
keytool -import -alias tomcat -keystore <your_keystore_filename> -file <your_certificate_filename>
The distinguished name fields that keytool asks for in step 1 are:
CN=commonName
OU=organizationUnit
O=organizationName
L=localityName
S=stateName
C=country
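To confirm the result of steps 4 and 5, and to catch the next expiry before users are locked out again, the output of "keytool -list -v -keystore <your_keystore_filename>" can be checked automatically. The following is an added example, not part of the original article: the listing is a constructed sample, and the function names audit and tomcat_ready and the 30-day warning window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -v` output (not taken from a real keystore).
SAMPLE = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Jan 01 00:00:00 UTC 2038

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=external-site.mycompany.com
Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sun Jan 05 00:00:00 UTC 2025
Certificate[2]:
Owner: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Sat Jan 01 00:00:00 UTC 2028
"""

# Captures "Mon DD HH:MM:SS" and the year; weekday and zone abbreviation are skipped.
UNTIL = re.compile(r"until: \w{3} (\w{3} \d{1,2} [\d:]{8}) \S+ (\d{4})")

def audit(listing, now, warn_days=30):
    """Return {alias: (entry_type, earliest_expiry, status)} for every keystore entry."""
    report = {}
    for block in re.split(r"(?m)^(?=Alias name: )", listing):
        alias = re.search(r"(?m)^Alias name: (.+)$", block)
        if not alias:
            continue
        etype = re.search(r"(?m)^Entry type: (\S+)", block)
        # The zone is ignored, so dates are accurate to within a day.
        dates = [datetime.strptime(f"{d} {y}", "%b %d %H:%M:%S %Y")
                 for d, y in UNTIL.findall(block)]
        expiry = min(dates) if dates else None  # earliest expiry in the chain
        if expiry is None:
            status = "NO-CERT"
        elif expiry <= now:
            status = "EXPIRED"
        else:
            soon = expiry <= now + timedelta(days=warn_days)
            status = "EXPIRING" if soon else "OK"
        report[alias.group(1).strip()] = (etype.group(1) if etype else "?", expiry, status)
    return report

def tomcat_ready(report, alias="tomcat"):
    """True only if the alias holds a private key and no certificate in its chain has expired."""
    etype, _, status = report.get(alias, ("missing", None, "NO-CERT"))
    return etype == "PrivateKeyEntry" and status in ("OK", "EXPIRING")
```

If the tomcat alias shows up as trustedCertEntry instead of PrivateKeyEntry, the signed certificate was imported into a keystore that does not hold the key pair generated in step 1, and Tomcat cannot use it for SSL.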
For troubleshooting SSL if you are not making progress with the new certificate:
Adapters deployed on Tomcat usually have their certificates configured in the conf/server.xml file.
The path to the certificate is configurable in server.xml.
For SSL debugging, add one of the following options to the JVM arguments. They are documented at:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html
-Djavax.net.debug=all
Or
-Djavax.net.debug=ssl
The full SSL handshake will be written to logs/catalina.out or logs/localhost
For WebSphere, it will be in SystemOut.log.