Documentation AEM AEM Tutorials AEM Foundation Tutorials

Use the SSL Wizard in AEM

Last update: March 23, 2025

Applies to:
Experience Manager 6.5
Experience Manager as a Cloud Service

CREATED FOR:

Beginner
Developer

Learn how to set up SSL in Adobe Experience Manager to make it run over HTTPS using the built-in SSL wizard.

NOTE

For managed environments, it is best for the IT department to provide CA-trusted certificates and keys.

Self-signed certificates are only to be used for development purposes.

Using SSL Configuration Wizard

Navigate to AEM Author > Tools > Security > SSL Configuration, and open the SSL Configuration Wizard.

SSL Configuration Wizard

Create store credentials

To create a Key Store associated with the ssl-service system user and a global Trust Store, use the Store Credentials wizard step.

Enter the password and confirm password for the Key Store associated with the ssl-service system user.
Enter the password and confirm password for the global Trust Store. Note it is a system-wide Trust Store and if it is already created, the entered password is ignored.

Upload private key and certificate

To upload the private key and SSL certificate, use the Key & Certificate wizard step.

Typically, your IT department provides the CA-trusted certificate and key, however self-signed certificate can be used for development and testing purposes.

To create or download the self-signed certificate, see the Self-Signed private key and certificate.

Upload the Private Key in the DER (Distinguished Encoding Rules) format. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----
Upload the associated SSL Certificate in the .crt format.

Update SSL connector details

To update the hostname and port use the SSL Connector wizard step.

Update or verify the HTTPS Hostname value, it should match the Common Name (CN) from the certificate.
Update or verify the HTTPS Port value.

Verify the SSL setup

To verify the SSL, click the Go to HTTPS URL button.
If using self-signed certificate, you see Your connection is not private error.

Self-Signed private key and certificate

The following zip contains DER and CRT files required for setting up AEM SSL locally and intended for local development purposes only.

The DER and CERT files are provided for convenience and generated using the steps outlined in the Generate Private Key and Self-Signed Certificate section below.

If needed, the certificate pass phrase is admin.

This localhost - private key and self-signed certificate.zip (expires July 2028)

Download the Certificate file

Private key and self-signed certificate generation

The above video depicts the setup and configuration of SSL on an AEM author instance using self-signed certificates. The below commands using OpenSSL can generate a private key and certificate to be used in Step 2 of the wizard.

### Create Private Key
$ openssl genrsa -aes256 -out localhostprivate.key 4096

### Generate Certificate Signing Request using private key
$ openssl req -sha256 -new -key localhostprivate.key -out localhost.csr -subj '/CN=localhost'

### Generate the SSL certificate and sign with the private key, will expire one year from now
$ openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost") -days 365 -in localhost.csr -signkey localhostprivate.key -out localhost.crt

### Convert Private Key to DER format - SSL wizard requires key to be in DER format
$ openssl pkcs8 -topk8 -inform PEM -outform DER -in localhostprivate.key -out localhostprivate.der -nocrypt

recommendation-more-help