Submit a ticketCall us
Home > Success Center > Web Help Desk (WHD) > How to create a self signed certificate in Linux

How to create a self signed certificate in Linux

Table of contents

Updated March 8, 2018


This guide will help you create a self-signed certificate for the Linux OS for use with Web Help Desk.


  • All Linux versions
  • Web Help Desk, all versions


  1. SSH to the machine as a user with sudo access.
  2. Change the directory to the WHD home folder:
    cd /usr/local/webhelpdesk/conf
  3. Edit the file /usr/local/webhelpdesk/conf/whd.conf:
    1. Uncomment the line for HTTPS_PORT=443.
    2. Look for KEYSTORE_PASSWORD= and take note of the password.
  4. Back up the keystore, and then delete the alias "tomcat" from the keystore:
    sudo ../bin/jre/bin/keytool -delete -alias tomcat -keystore keystore.jks -storepass [the password from step 3]
  5. Generate a new key with alias "tomcat":
    1. Enter the following SHA2 Signature Algorithm:
      sudo ../bin/jre/bin/keytool -genkey -alias tomcat -keystore keystore.jks -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity <val_days> -storepass [the password from step 3]
      where <val_days> = days that the key is valid (for example, 360 for 1 year and 720 for 2 years)
    2. Enter a CN that matches the site used in the certificate For example, if Web Help Desk is hosted at, your CN must be
    3. Enter an Organization Unit (OU) that helps distinguish this certificate from others for your organization. 
    4. Enter an Organization Name (O), typically name for your organization. 
    5. Enter a Locality Name (L). This is typically a city name.
    6. Enter a State Name (ST). This should be the unabbreviated city and state/province/region/territory of your organization.
    7. Enter a Country (C). This should be the two letter ISO 3166 country code for your country. 
    8. Email (E) is generally optional, but may be used by your CA as the address to which the certificate will be mailed.
  6. Generate a CSR file or Certificate Signing Request file:
    sudo ../bin/jre/bin/keytool -certreq -alias tomcat -keystore keystore.jks -file <[filename].csr> -storepass [the password from step 3]
  7. Grab a copy of that .csr file and send it to your root CA to request for a signed certificate.
  8. After you have downloaded the signed certificate and root certificates, you can then import them as follows:
    1. Copy the files to the VA using an SFTP client (like FileZilla or WinSCP) and take note of the location.
    2. Import the Root and intermediate CA certificates (repeat the same step below for every certificate and change the alias to a different name):
      sudo ../bin/jre/bin/keytool -import -trustcacerts -alias root -file </path/to/Root CA file> -keystore keystore.jks -<storepass>
      where <storepass> is the password from step 3
    3. Import the singed primary CA for WHD (tomcat):
      sudo ../bin/jre/bin/keytool -import -trustcacerts -alias tomcat -file </path/to/your.whd.authenticated cert> -keystore keystore.jks -storepass [the password from step 3]

You may also refer to the PDF file below for the graphical version of the process (just for your reference) but this will require a separate download of the OpenSource tool - Portecle:


CSR Linux, CSR, self-signed linux, self-signed

Last modified