I would first like to start off saying that if you are not familiar with Linux, this one can be a bit of a pain the first time around. I eventually had to contact Juniper support to get the details on this and even they had a little trouble.

1) You will need either to SSH into the appliance or to have console access. SSH is the preferred method because the VMware console of the machine limits how much of your previous commands you can see. Log in to the appliance and type "advanced".

2) Create a key store and private key. This will be done using a Linux utility called "keytool". You will be asked to provide passwords; Juniper suggests always using "altoraltor".

$JAVA_HOME/bin/keytool -genkey -alias "Name of Alias" -keyalg "Algorithm Type" -keysize "Size of Key" -keystore "Name of Key store".jks

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore test.jks

3) Generate a CSR

/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -certreq -keyalg "Algorithm Type" -alias "Name of Alias" -keysize "Size of key" -file "Name of CSR".csr -keystore "Name of Key store".jks


/usr/lib/jvm/sun-java-6u11/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -keysize 2048 -file test.csr -keystore test.jks

4) Retrieve a certificate from your Certificate Authority. Make sure to download the chain. With a Microsoft CA this ends up being a .P7B file.

If you end up with a Microsoft chain in P7B format, right-click the file and open it with "Crypto Shell Extensions". From here you should be able to right-click the CA/Sub-CA certs and export them.

5) Use WinSCP or FastSCP to copy the certificate and CA/Sub-CA Certs to the same location as the key store file.

6) Install the SSL Certs into the key store

/usr/bin/jvm/sun-java-6u11/jre/bin/keytool -import -alias "Name of Alias" -keystore "Name of keystore".jks -file "certificate name".cer

**Keep in mind that you must install the CA/Sub-CA certs before you can install the SSL Cert for the device, or you will get errors about the chain. Give each CA/Sub-CA cert its own alias (rootca and subca below are example names); keytool treats an import under the alias of the existing key (tomcat here) as the signed certificate for that key.**

/usr/bin/jvm/sun-java-6u11/jre/bin/keytool -import -alias rootca -keystore test.jks -file CA.cer

/usr/bin/jvm/sun-java-6u11/jre/bin/keytool -import -alias subca -keystore test.jks -file Sub-CA.cer

/usr/bin/jvm/sun-java-6u11/jre/bin/keytool -import -alias tomcat -keystore test.jks -file test.cer

7) Gain sudo access

sudo su

8) Transfer the key store file (jks) to /var/lib/altor/cert

scp /usr/bin/jvm/sun-java-6u11/jre/bin/"Name of Keystore".jks /var/lib/altor/cert/"Name of Keystore".jks


scp /usr/bin/jvm/sun-java-6u11/jre/bin/test.jks /var/lib/altor/cert/test.jks

9) Delete the public_keystore file

rm public_keystore

10) Copy the key store (jks) you created to public_keystore

cp "Name of Key store".jks public_keystore


cp test.jks public_keystore

11) Change ownership and permissions on public_keystore

chown tomcat public_keystore

chgrp tomcat public_keystore

12) Restart the Tomcat Service

god restart tomcat
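
A check worth running after step 6, before the key store replaces public_keystore: confirm that the key alias really carries the full chain. This is an added example, not part of the original procedure or Juniper's instructions. It parses `keytool -list -v` output; the function name, the rootca/subca aliases and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output on stdin and checks that
# alias $1 is a PrivateKeyEntry with a chain of at least $2 certificates.
check_keystore_chain() {
    awk -v want="$1" -v min="$2" '
        /^Alias name: /               { cur = substr($0, 13); next }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = $4 + 0 }
        END {
            if (type == "") { print "alias not found: " want; exit 1 }
            if (type != "PrivateKeyEntry") { print want " is a " type; exit 1 }
            if (len < min) { print want ": chain length " len ", need " min; exit 1 }
            print want " OK, chain length " len
        }'
}

# Constructed sample: CA, Sub-CA and signed certificate all imported.
sample_complete() {
    cat <<'EOF'
Your keystore contains 3 entries

Alias name: rootca
Entry type: trustedCertEntry

Alias name: subca
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Constructed sample: key pair generated, signed certificate never installed.
sample_selfsigned() {
    cat <<'EOF'
Your keystore contains 1 entry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

sample_complete   | check_keystore_chain tomcat 3
sample_selfsigned | check_keystore_chain tomcat 3 || true
# Real use (path from step 8; keytool prompts for the keystore password):
#   keytool -list -v -keystore /var/lib/altor/cert/test.jks | check_keystore_chain tomcat 3
```

A chain length of 1 on the key alias means Tomcat would still serve the self-signed certificate created in step 2.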