
Configure DPA to use a custom certificate for SSL/TLS using keytool

Updated February 8, 2017


By default, DPA 9.2 and later automatically generates a self-signed certificate that is used to establish secure communication over HTTPS. This article describes how to replace the self-signed certificate with a custom certificate using keytool, a Java application.

SolarWinds allows you to configure custom certificates. However, SolarWinds Support does not provide configuration assistance. If you need assistance, please contact the vendor who provided your certificate.

Before you begin, you must contact your administrator to determine the certificates required for your environment.


  • DPA 9.2 and later


If you have a Java KeyStore (JKS) file from your administrator, you can rename it to .keystore and skip to step 2. SolarWinds recommends renaming the alias for the server certificate in the keystore file by running the following commands:

  • List all certificates stored in the keystore file:
    keytool -list -v -keystore <YOUR_KEYSTORE_FILE>
  • Identify the certificate for your DPA server and use its alias name as <OLD_ALIAS_NAME>.
  • Rename the certificate alias <OLD_ALIAS_NAME> to tomcat:
    keytool -changealias -alias "<OLD_ALIAS_NAME>" -destalias "tomcat" -keypass <CERTIFICATE_KEY_PASSWORD> -keystore <YOUR_KEYSTORE_FILE> -storepass <KEYSTORE_PASSWORD>

The default passwords are changeit.

If you do not have a JKS file from your administrator, follow these steps:

  1. Create a keystore containing the newly generated private/public key pair.
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -storepass <KEYSTORE_PASSWORD> -keypass <CERTIFICATE_KEY_PASSWORD> -dname "CN=<HOST_NAME>,O=<ORGANISATION>,L=<LOCATION>,ST=<STATE>,C=<COUNTRY>"
    • You can choose the specific domain name ( or use a wildcard character (*
    • Default passwords are changeit.


  2. Generate a certificate-signing request.
    keytool -certreq -keyalg RSA -alias tomcat -keystore .keystore -file <DPA_CERT_REQUEST_FILE> -storepass <KEYSTORE_PASSWORD>
  3. Ask your certificate authority (CA) to sign your request file, <DPA_CERT_REQUEST_FILE>. You should then receive a file containing the signed certificate from your CA.
  4. Get the files with the trusted certificate chain from your CA.
    • Ensure that every certificate of the chain is in a separate file. A file containing more than one certificate is not supported.
    • Start from the root CA certificate and progress down the chain. Typically this means importing the root CA certificate and one or more intermediate certificates.
  5. Import certificates from the trusted chain into your keystore.
    keytool -import -alias <ALIAS> -keystore .keystore -trustcacerts -storepass <KEYSTORE_PASSWORD> -file <CERTIFICATE_CHAIN_FILE> 

    If you receive the following error message, ask your CA where to get these files.

    keytool error: java.lang.Exception: Input not an X.509 certificate => chain certificate has to be in separate files

  6. Import the signed certificate from your CA to your keystore.
    keytool -import -alias tomcat -keystore .keystore -storepass <KEYSTORE_PASSWORD> -file <DPA_SIGNED_CERT_FILE>
  7. Place the .keystore file into the <DPA-dir>/iwc/tomcat/conf/ directory.
  8. If you did not use the default password (changeit), edit the server.xml file and add these attributes to the tomcat connector:
  9. Restart the DPA server.
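
Steps 4 and 5 require each chain certificate in its own file, and a bundle holding several certificates triggers the "Input not an X.509 certificate" error. The following script is an added example, not part of the original article or SolarWinds code. It splits a PEM-encoded bundle into one file per certificate and assumes the output names chain-N.pem and a constructed sample bundle with placeholder contents.

```shell
#!/bin/sh
# Added example, not SolarWinds code. Splits a PEM bundle into one
# certificate per file, the layout step 4 requires for keytool -import.

# split_chain BUNDLE OUTDIR
# Writes OUTDIR/chain-1.pem, chain-2.pem, ... (hypothetical names) and
# prints how many certificates were written. Text outside the PEM
# markers (for example "subject=" lines) is dropped.
split_chain() {
    bundle=$1
    outdir=$2
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# count_certs FILE
# Prints the number of certificates in FILE; it must be 1 before import.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Constructed sample: two placeholder PEM blocks, not real certificates.
demo_dir=$(mktemp -d)
cat > "$demo_dir/bundle.pem" <<'EOF'
subject=CN=Example Intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
subject=CN=Example Root CA (constructed)
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERROOT
-----END CERTIFICATE-----
EOF

written=$(split_chain "$demo_dir/bundle.pem" "$demo_dir/out")
echo "bundle holds $(count_certs "$demo_dir/bundle.pem") certificates"
echo "wrote $written file(s) to $demo_dir/out"
```

The script does not reorder anything. Run keytool -printcert -file on each output file to see its owner and issuer, then import from the root CA downward as step 4 describes.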


If your browser warns about an insecure connection, show the certificate information in your browser.


The requested host name does not match the certificate of the server.

Ensure that the certificate CommonName contains the host name of the DPA server.


The keystore used for import must be the one that was used to generate the CSR.

Use the same keystore file (.keystore) in all steps.
