Importing a certificate from a certification authority

A certificate is more likely to be trusted by others if it is signed by a certification authority (CA) than if it is not. Obtaining and importing a certificate from a CA requires that you complete the following steps:

  1. Generate a certificate signing request (CSR).
  2. Import the certificate from the CA.
  3. If the CA returns a chain of certificates, replace the self-signed certificate with the certificate chain.

You must replace your self-signed certificate with a certificate chain in which each certificate in the chain authenticates the public key of the signer of the previous certificate in the chain, up to a root CA.


BMC Atrium Orchestrator and Atrium Single Sign-On are SHA-2 compliant.

Before you import the certificate reply from a CA, you need one or more trusted certificates in your keystore or in the cacerts keystore file:

  • If the certificate reply is a certificate chain, you need only the top certificate of the chain, which is the root CA certificate authenticating the CA's public key.
  • If the certificate reply is a single certificate, you need a certificate for the issuing CA (the one that signed the certificate). If that certificate is not self-signed, you must obtain a certificate for its signer up to a self-signed CA certificate.


Because the cacerts keystore file ships with five VeriSign root CA certificates, you might not need to import a VeriSign certificate as a trusted certificate in your keystore. However, if you request a signed certificate from a different CA, and a certificate authenticating that CA's public key has not been added to the cacerts file, you must import a certificate from the CA as a trusted certificate.

A certificate from a CA is usually either self-signed or signed by another CA (in which case you also need a certificate authenticating that CA's public key). For example, the Calbro Services company is a CA, and you obtain a file named Calbro.cer that is a self-signed certificate from Calbro Services, authenticating that CA's public key.


Ensure the certificate is valid prior to importing it as a trusted certificate. View it first using the keytool -printcert command or the keytool -importcert command without the -noprompt option, and verify that the displayed certificate fingerprints match the expected ones. The certificate has not been compromised in transit only if the fingerprints are exact matches.

After you import a certificate authenticating the public key of the CA to which you submitted your certificate signing request, or after there is a certificate in the cacerts file, you can import the certificate reply and replace your self-signed certificate with a certificate chain:

  • If the CA reply was a chain, this chain is the one returned by the CA in response to your request.
  • If the CA reply was a single certificate, this chain is the certificate chain constructed using the certificate reply and the trusted certificates that are available in the keystore where you import the reply or in the cacerts keystore file.

To generate a CSR

To generate a CSR, follow the instructions provided by the CA you are using. The process varies depending on the CA.

The CA authenticates the requestor and returns a signed certificate, authenticating your public key.


In some cases, the CA might return a chain of certificates, each one authenticating the public key of the signer of the previous certificate in the chain.

To import the certificate from the CA

From a command prompt, type the following command:
keytool -importcert -alias aliasName -file fileName.cer

For example:
keytool -importcert -alias bao -file BMCAtriumOrchestrator.cer

This command creates a trusted certificate entry in the keystore using the data from the file BMCAtriumOrchestrator.cer, and assigns the alias bao to the entry.

To replace a self-signed certificate with a certificate chain

From a command prompt, type the following command:
keytool -importcert -trustcacerts -file fileName.cer

For example:
keytool -importcert -trustcacerts -file VSCalbro.cer

Suppose you sent your certificate signing request to VeriSign. You can use this command to import the reply, which assumes the returned certificate is named VSCalbro.cer.
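
The fingerprint check recommended above can be scripted so that a CA certificate is imported only after it matches. The following script is an added example, not part of the original BMC page. The function names are invented for this example, and it assumes that keytool -printcert prints the SHA-256 fingerprint on a line that starts with SHA256:.

```shell
#!/bin/sh
# Added example: compare a certificate's fingerprint with the value
# obtained from the CA out of band, then import it as a trusted entry.
# Usage (values are placeholders):
#   import_trusted_ca calbro Calbro.cer "<SHA-256 fingerprint from the CA>"

# Print the SHA-256 fingerprint that keytool displays for a certificate
# file, normalized to upper-case hex without separators.
cert_sha256() {
    keytool -printcert -file "$1" |
        awk '$1 == "SHA256:" { print $2; exit }' |
        tr -d ':' | tr 'abcdef' 'ABCDEF'
}

# Normalize a fingerprint as published by a CA: colons or spaces, any case.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'abcdef' 'ABCDEF'
}

# Return 0 only for a full-length (32 bytes, 64 hex digits) exact match.
# A missing keytool or an unreadable file yields an empty value and fails.
fingerprint_matches() {
    actual=$(cert_sha256 "$1")
    expected=$(normalize_fp "$2")
    [ "${#actual}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# Import the CA certificate as a trusted entry only if the check passes.
# -noprompt is used here because the fingerprint was already compared.
import_trusted_ca() {   # arguments: alias file expected_fingerprint
    if fingerprint_matches "$2" "$3"; then
        keytool -importcert -noprompt -alias "$1" -file "$2"
    else
        echo "fingerprint mismatch for $2; certificate not imported" >&2
        return 1
    fi
}
```
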



  1. Martin Penev



    Is there a more detailed procedure for replacing OOTB self-signed certificates with CA certificates? The things described in this page are very insufficient. Changing the BAO certificates is most likely not so easy because you need to change the certificates for SSO, CDP, REPO, etc. In addition to importing new certificates in the keystores of all these applications, I guess that certificates should be imported in a lot of truststores so that these apps can communicate with each other. So could you please provide a more detailed procedure for all these operations?


    Best Regards,


    Dec 12, 2015 05:14
    1. Dorothy Poole

      Hi Martin,

      Thank you for your comment and your request for more information. I've requested more information from the team and created Defect 1380 to track this request. As soon as I get more details, I will update the page with the information.

      Dec 14, 2015 06:57
  2. Javier Prieto sabugo


    I totally agree with Martin. I would also like to have this better documented.

    (could also add Developer Studio to the list of places where the certificates have to be added)

    Apr 22, 2016 07:50
    1. Dorothy Poole

      Hi Javier,

      Thank you for your feedback. I've updated defect DRAUM-1380 to add your request to include Dev. Studio and to let the team know that we are getting more requests for changes on this page. I will follow up with the team and update this page when I have more details.

      Apr 22, 2016 08:02