Use custom SSL certificate for https

This document describes how to configure PhenixID Server to use a custom SSL certificate for https.

System requirements

  • The SSL certificate to be used stored as a keystore file (.p12) and the keystore password

Upload the certificate to the server

1. Follow this guide to upload the certificate as a PhenixID keystore.

2. Note the ID of this keystore as this will be referred later in this instruction

Protect Configuration Manager with the uploaded certificate

The HTTP Connections are used as configuration for HTTP from referenced modules. Use the Advanced tab and locate the HTTP connections.

Create a HTTP Connection to be used by Configuration Manager

The HTTP Connection object to be used should be configured similarly this:

[ {
    "id" : "https",
    "port" : "443",
    "ssl" : "true",
    "sslKeyStore" : "9ca66f36-efe0-472d-99fd-da8e27b470c0"
  } ]

Explanation of parameters:

  • id: The configuration will be referenced by it's id, in this case "https".
  • port: The port to be used by this configuration.
  • ssl: If SSL should be enabled or not.
  • sslKeyStore: a reference to the SSL keystore configured in previous step

 Example configuration:

Enable the configured http connection for "Configuration Manager"

Please make a copy of boot.json as this file has to be modified to use the newly configured http configuration.

  • Remove all "ssl" parameters e.g. "ssl":"true"
  • Remove all "port" parameters e.g.  "port":"8443"
  • Add the previously configured http configuration to phenixidentity~phenix-prism and phenixidentity~auth-http modules by adding "httpConfig":"<ID_OF_HTTPConnection>"

An example of a configuration is found below:

            "name": "com.phenixidentity~phenix-prism",
            "enabled": "true",
            "config": {
                "_auth_redirect_url": "/config/authenticate/config",
                "base_url": "/config",
                "httpConfig" : "https",
                "enable_module_deployment": "true",
                "enable_roles": "true",
                "enable_language": "false",
                "display_name": "Configuration Manager",
                "prism_modules": [
                        "name": "com.phenixidentity~phenix-prism-start",
                        "config": {
                            "display_name": "Start",
                            "base_uri": "start",
                            "requires_role": "sysadmin"
                        "name": "com.phenixidentity~phenix-prism-report",
                        "enabled": "true",
                        "config": {
                            "display_name": "Reports",
                            "base_uri": "report",
                            "requires_role": "sysadmin"
                        "name": "com.phenixidentity~phenix-prism-guides",
                        "config": {
                            "display_name": "Scenarios",
                            "base_uri": "scenarios",
                            "requires_role": "sysadmin"
                        "name": "com.phenixidentity~phenix-prism-config",
                        "enabled": "true",
                        "config": {
                            "display_name": "Advanced",
                            "base_uri": "configuration",
                            "requires_role": "sysadmin"
            "name": "com.phenixidentity~auth-http",
            "enabled": "true",
            "config": {
                "httpConfig" : "https",
                "root_uri": "/config"

Restart the server

  • Save all modified files.
  • Restart the PhenixID Server in order to read the updates from boot.json.

Protect Selfservice with the uploaded certificate

Enable custom listener for Self Service

1. Edit the scenario and go to the Advanced tab for Self Service

2. Enable "Use custom listener"

3. Set a temporary http/https port such as 62444

4. Enable "Use SSL/TLS"

5. Click save


Locate the HTTP connection object

6. Open the ADVANCED tab

7. Locate the HTTP connection object with the temporary port

8. Click the HTTP connections "pen icon" to edit the object.

Configure the HTTP connection object

9. Replace the temporary port with the one to use (443)

10. Add parameter "sslKeyStore" : "<ID of the keystore previously noted>",

11. Click Stage changes

12. Click Commit changes

13. Click Commit

Protect OTP Admin with the uploaded certificate

Follow the instructions from "Protect Selfservice with the uploaded certificate", but start with the MFA Admin scenario instead of Self Service.

Protect One Touch with the uploaded certificate

Follow the instructions from "Protect Selfservice with the uploaded certificate", but start with the One Touch scenario instead of Self Service.

Verify SSL certificate

  1. Open a web browser
  2. Browse to PhenixID server
  3. Verify https certificate