Out of support


This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Generating CSRs

To obtain a signed certificate from the Certificate Authority (CA) for BMC Atrium Single Sign-On, you must generate a certificate signing request (CSR).

To generate a CSR in Microsoft Windows

  1. On the command line, change your working directory to
    <installationDirectory>\BMC Software\AtriumSSO\tomcat\conf
  2. Modify the environment to use the Java Development Kit (JDK) that is installed with BMC Atrium Single Sign-On:
    set PATH=<installationDirectory>\jdk\bin;%PATH%
  3. Run the following keytool command:

    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE

To generate a CSR in UNIX

  1. On the command line, change your working directory to
    <installationDirectory>/BMC Software/AtriumSSO/tomcat/conf
  2. Modify the environment to use the JDK installed with BMC Atrium Single Sign-On:
    PATH=<installationDirectory>/jdk/bin:$PATH;export PATH
  3. Run the following keytool command:

    keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore keystore.p12 -storepass internal4bmc -storetype PKCS12 -providername JsafeJCE


For both Windows and UNIX, internal4bmc is the default password supplied for the BMC Atrium Single Sign-On Tomcat server. If the keystore has been replaced with a locally generated file, provide that keystore's password instead.

Example of a CSR

The keytool command generates and saves the CSR in the certreq.csr file. The certreq.csr file is an example file and has the following content:


You must send the keytool command output to a CA for a digital signature.


The Common Name (CN) of the certificate cannot be modified, because the CN must match the host name of the server. If the names do not match, the browser issues a warning that the server is trying to impersonate another site.
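
To check this before the request goes to the CA, the following added example (not part of the BMC documentation) verifies the self-signature of certreq.csr and compares its CN with the server host name. It assumes the openssl command-line tool is installed where you review the CSR; the function names and the host name sso.example.com are illustrative.

```shell
#!/bin/sh
# Added example (not BMC code): review certreq.csr before sending it to the CA.
# Assumes the openssl CLI is installed; function names are illustrative.

# dn_cn SUBJECT_LINE
# Print the CN from a subject line in any of these printed forms:
#   subject=CN = sso.example.com, O = Example     (OpenSSL 1.1 and later)
#   subject=/C=US/O=Example/CN=sso.example.com    (older OpenSSL)
#   Subject: CN=sso.example.com, OU=IT            (keytool-style DN)
dn_cn() {
    printf '%s\n' "$1" |
        sed -n 's|^.*[=,/ :]CN *= *\([^,/]*\).*$|\1|p' |
        sed 's/ *$//' | head -n 1
}

# cn_matches_host SUBJECT_LINE HOSTNAME
# Succeeds only when a CN is present and equals HOSTNAME, ignoring case.
cn_matches_host() {
    cn=$(dn_cn "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# check_csr CSR_FILE HOSTNAME
# Returns 0 if the CSR's self-signature verifies and its CN matches HOSTNAME,
# 1 on a CN mismatch, 2 if the file is unreadable or the signature is bad.
check_csr() {
    # Match on the message text instead of the exit status
    # (assumption: the output contains "verify OK" on success).
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || {
        echo "ERROR: $1 is not a valid, self-consistent CSR" >&2
        return 2
    }
    subject=$(openssl req -in "$1" -noout -subject) || return 2
    if cn_matches_host "$subject" "$2"; then
        echo "OK: CSR CN matches $2"
    else
        echo "MISMATCH: expected CN=$2, CSR has: $subject" >&2
        return 1
    fi
}

# Run as: sh check_csr.sh certreq.csr sso.example.com
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

A mismatch here means the tomcat key entry in the keystore carries the wrong CN, so the entry has to be corrected before a new CSR is generated.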

Importing the signed certificate

After a CSR is signed by a CA, follow the instructions for Importing a certificate into cacerts.p12. Before you import the signed certificate, import the signing root CA and any intermediate signing certificates into the truststore. For information about importing intermediate certificates, see Getting intermediate CA certificates.

Where to go from here

Generating and importing CA certificates



  1. Anil Premlall

    If you use the -file option you can output to a file rather than copy pasting from a command prompt screen.

    May 09, 2013 01:08
  2. Anil Premlall

    Has anyone had any success with using the command?

    May 09, 2013 04:09
  3. Abhay Chokshi

    Hi Anil,

    I have verified the command and it had to be modified to add the -storepass parameter for Windows. Now it works well.

    Also, this command saves the CSR to a file and does not display on the screen.


    - Abhay

    Jan 09, 2014 07:04