Replacing the autogenerated SSL certificate

By default,

BEMS

is remotely accessible using HTTPS only. During installation, a

BEMS

Java

keystore called bems.pfx is created and located in

<drive>\Program Files\BlackBerry\BlackBerry Enterprise Mobility Server\Good Server Distribution\gems-quickstart-<version>\etc\keystores\

. If you previously replaced the self-signed certificate, then your existing certificate and certificate password are retained. You can replace the previously self-signed certificate using a SAN certificate or a Wildcard server certificate and assign the certificate to be used by all nodes in a cluster. When you replace the previously self-signed certificate with a SAN or Wildcard server certificate, makes sure that the certificate is trusted by all

BlackBerry Dynamics

apps that communicate with

BEMS

on port 8443.

For instructions, see Assign the BEMS SSL certificate to users.

When you replace the auto-generated SSL certificate, you perform one of the following actions based on your organization's needs:

Environment	Action
One BEMS instance	Upload and replace the auto-generated SSL certificate with a SAN or Wildcard certificate and assign the certificate for use by all nodes in the cluster.
Multiple BEMS instances that share a cluster certificate.	Upload and replace the auto-generated SSL certificate with a SAN or Wildcard certificate and assign the certificate for use by all nodes in the cluster.
Multiple BEMS instances and each instance requires an independent certificate that is issued by a certificate authority.	Upload and replace the auto-generated SSL certificate with a self-signed certificate for a single node.

Section:

Importing and configuring certificates

Steps to replace the autogenerated SSL certificate with a SAN or wildcard certificate for use by all nodes in a cluster

Steps to replace the autogenerated SSL certificate for one BEMS node

Jetty.xml file reference