Using custom CA signed certificates

From BMC Helix IT Operations Management 21.3.03 onwards, you can use self-signed or custom CA certificates while deploying BMC Helix Operations Management. 


BMC Helix Continuous Optimization supports self-signed or custom CA certificates for version 22.2.01 or later.

Related topics

Configuration file settings

Adding a self-signed or custom CA certificate in BMC Helix Discovery Open link

To use certificates, you must perform the following steps:

  1. Generate a custom CA certificate.
  2. Add the certificate to the trust store.

To generate a custom CA certificate

  1. Log in to the host where you are running the installer.
  2. Create a folder; for example, custom_cert.
  3. Navigate to the folder you created and create a conf file with all the details; for example, custom_cert.cnf
    Make sure that you add the correct DNS names according to your cluster configurations.
    The DNS name present in Common Name (CN) must be included in the Subject Alternative Name (SAN) list. If you are using a wildcard name as CN, the wildcard name must also be present in the SAN list.
    The following image shows a custom_cert.cnf file:

    Example DNS entries






  4. Run the following command to generate the CSR by using the conf file that you created:

    ]$ openssl req -out <csr_filename>.csr -newkey rsa:2048 -nodes -keyout <private_key_filename>.key -config custom_cert.cnf -days 700

    The following files are generated:

    • A .csr file, for example ade.csr

    • A .key file, for example ade_private.key
  5. Get the .csr file signed by your Certificate Authority (CA) to generate the custom CA certificate. 

To add the certificate to the trust store

  1. Copy the self-signed or custom CA certificate (full chain) in the commons/certs/ directory.
    Ensure that the file name of the certificate is custom_cacert.pem (full chain certificate).
  2. Ensure that your local CA certificate chain (full chain) is present in the trust store.

(Only BMC Helix Capacity Optimization) To install the Remote ETL Engine with a self-signed certificate

  1. Copy the on-premises installer certificate file (custom_cacert.pem or where you have extracted the Remote ETL Engine installer in the BCO/Disk1 folder. This should be the same folder where the file is available. 
    For details about how to get the custom_cacert.pem or file, see Deploying and configuring the ingress controller for OpenShift or Kubernetes.
  2. Run the file.

The setup file converts the certificate file and introduces such certificates among the one trusted by the Remote ETL Engine jre.

For details about how to install the Remote ETL Engine, see  Installing remote components to collect on-premises data Open link .

Was this page helpful? Yes No Submitting... Thank you