Use the SSL Wizard in AEM
Learn how to set up SSL in Adobe Experience Manager to make it run over HTTPS using the built-in SSL wizard.
Using SSL Configuration Wizard
Navigate to AEM Author > Tools > Security > SSL Configuration, and open the SSL Configuration Wizard.
Create store credentials
To create a Key Store associated with the ssl-service system user and a global Trust Store, use the Store Credentials wizard step.
- Enter the password and confirm password for the Key Store associated with the ssl-service system user.
- Enter the password and confirm password for the global Trust Store. Note that it is a system-wide Trust Store; if it has already been created, the entered password is ignored.
Upload private key and certificate
To upload the private key and SSL certificate, use the Key & Certificate wizard step.
Typically, your IT department provides the CA-trusted certificate and key; however, a self-signed certificate can be used for development and testing purposes.
To create or download the self-signed certificate, see the Self-Signed private key and certificate section.
- Upload the Private Key in the DER (Distinguished Encoding Rules) format. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----
- Upload the associated SSL Certificate in the .crt format.
Update SSL connector details
To update the hostname and port, use the SSL Connector wizard step.
- Update or verify the HTTPS Hostname value; it should match the Common Name (CN) from the certificate.
- Update or verify the HTTPS Port value.
Verify the SSL setup
- To verify the SSL, click the Go to HTTPS URL button.
- If using a self-signed certificate, you see a "Your connection is not private" error.
Self-Signed private key and certificate
The following zip contains the DER and CRT files required for setting up AEM SSL locally and is intended for local development purposes only.
The DER and CRT files are provided for convenience and were generated using the steps outlined in the Generate Private Key and Self-Signed Certificate section below.
If needed, the certificate pass phrase is admin.
This localhost - private key and self-signed certificate.zip (expires July 2028)
Private key and self-signed certificate generation
The above video depicts the setup and configuration of SSL on an AEM author instance using self-signed certificates. The commands below use OpenSSL to generate a private key and certificate to be used in Step 2 of the wizard.
### Create Private Key
$ openssl genrsa -aes256 -out localhostprivate.key 4096
### Generate Certificate Signing Request using private key
$ openssl req -sha256 -new -key localhostprivate.key -out localhost.csr -subj '/CN=localhost'
### Generate the SSL certificate and sign with the private key, will expire one year from now
$ openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost") -days 365 -in localhost.csr -signkey localhostprivate.key -out localhost.crt
### Convert Private Key to DER format - SSL wizard requires key to be in DER format
$ openssl pkcs8 -topk8 -inform PEM -outform DER -in localhostprivate.key -out localhostprivate.der -nocrypt
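
Before uploading the two files in the Key & Certificate step, the properties the wizard depends on can be checked locally. The script below is an added example, not part of Adobe's documentation; it assumes openssl is on the PATH, and the function name check_aem_ssl_inputs is hypothetical.

```sh
# Added example (not Adobe's code): pre-upload checks for the wizard's inputs.
# Usage: sh check.sh localhostprivate.der localhost.crt localhost
check_aem_ssl_inputs() {
  key_der=$1; cert=$2; host=$3

  # The wizard wants DER; a PEM key still carries a "-----BEGIN" armor line.
  if grep -q -- '-----BEGIN' "$key_der"; then
    echo "FAIL: $key_der is PEM, convert it with openssl pkcs8 -topk8 -outform DER" >&2
    return 1
  fi

  # The key must parse as an unencrypted DER private key
  # (the empty -passin value keeps openssl from prompting).
  key_pub=$(openssl pkey -inform DER -in "$key_der" -passin pass: -pubout 2>/dev/null) || {
    echo "FAIL: $key_der is not a readable unencrypted DER private key" >&2; return 1; }

  # Key and certificate must be a pair: their public keys have to be identical.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
    echo "FAIL: $cert is not a readable certificate" >&2; return 1; }
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "FAIL: certificate was not issued for this private key" >&2; return 1
  fi

  # The HTTPS Hostname entered in the wizard should equal the certificate's CN.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  if [ "$cn" != "$host" ]; then
    echo "FAIL: CN '$cn' does not match HTTPS hostname '$host'" >&2; return 1
  fi

  # An expired certificate fails validation in the browser.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired" >&2; return 1
  fi
  echo "OK: key is DER, matches the certificate, CN=$cn"
}

# Run the checks when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then check_aem_ssl_inputs "$@"; fi
```

A non-zero exit status means one of the inputs would be rejected by the wizard or would produce a hostname or key mismatch after setup.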