Space banner


This documentation supports an earlier version of BMC Helix IT Operations Management on-premises deployment.

To view the documentation for the latest version, select 22.4 from the Product version picker.

Using self-signed or custom CA certificates

From BMC Helix IT Operations Management 21.3.03 onwards, you can use self-signed or custom CA certificates while deploying BMC Helix Operations Management. You can use your own CA-signed or your company's CA-signed certificates.


BMC Helix Continuous Optimization supports self-signed or custom CA certificates for version 22.2.01 or later.

Configuration file settings

Adding a self-signed or custom CA certificate in BMC Helix Discovery Open link

To use certificates, you must perform the following steps:

  1. Generate a custom CA certificate.
  2. Add the certificate in the trust store.

To generate a custom CA certificate

  1. Log in to the host where you are running the installer.
  2. Create a folder, for example custom_cert.
  3. Navigate to the folder that you created and create a conf file that has all the details, for example custom_cert.cnf
    Ensure that you add the correct DNS names according to your cluster configurations. The following image displays the custom_cert.cnf conf file:

    Example DNS entries







  4. Run the following command to generate the CSR by using the conf file that you created:

    ]$ openssl req -out <csr_filename>.csr -newkey rsa:2048 -nodes -keyout <private_key_filename>.key -config custom_cert.cnf -days 700

    The following files are generated:

    • A .csr file, for example ade.csr

    • A .key file, for example ade_private.key

To add the certificate to the trust store

  1. Copy the self-signed or custom CA certificate (full chain) in the commons/certs/ directory.
    Ensure that the file name of the certificate is custom_cacert.pem (full chain certificate).
  2. Ensure that your local CA certificate chain (full chain) is present in the trust store.

(Only BMC Helix Capacity Optimization) To install the Remote ETL Engine with a self-signed certificate

  1. Copy the on-premises installer certificate file (custom_cacert.pem or where you have extracted the Remote ETL Engine installer in the BCO/Disk1 folder. This should be the same folder where the file is available. 
    For details about how to get the custom_cacert.pem or file, see Deploying the ingress controller for OpenShift or Kubernetes.
  2. Run the file.

The setup file converts the certificate file and introduces such certificates among the one trusted by the Remote ETL Engine jre.

For details about how to install the Remote ETL Engine, see  Installing remote components to collect on-premises data Open link .

Was this page helpful? Yes No Submitting... Thank you


  1. Dima Seliverstov

    BMC Helix Continuous Optimization requires the following changes to be made with installing the Remote ETL.

    Installation of a REE with self signed certificate • Take on-prem installer certificate file (custom_cacert.pem or • Copy it where you have unpacked REE installer into folder BCO/Disk1 (same folder where file exists) • Then just run file

    Setup file will convert certificate file and will introduce such certificates among the one trusted by the REE jre. For details of the installation of Remote ETL please see Installing remote components to collect on-premises data - Documentation for BMC Helix Continuous Optimization 22.1 - BMC Documentation”

    Oct 31, 2022 06:52
    1. Mukta Kirloskar
      Feb 24, 2023 05:33