Install a New Server Certificate: PKCS#12 File

Use this procedure to replace the default Transfer Server or Gateway Administrator server certificate with a CA-signed certificate contained within a PKCS#12 file.

Before you begin

Obtain a PKCS#12 file (*.p12 or *.pfx) that includes your private key and a certificate signed by a Certificate Authority (CA).


  • Both the private key in the keystore and the keystore itself must use FIPS-compliant cryptography. You should request a FIPS-compliant key from your Certificate Authority. PBE-SHA1-3DES is the only approved algorithm currently available for encrypting the store. (By default, OpenSSL and the Windows Certificate Manager do not encrypt the store using this algorithm.) If you have a PKCS#12 file that has a FIPS-compliant private key, but the store encryption is not FIPS-compliant, you can re-encrypt the PKCS#12 file or import the file into a Java keystore.
  • The PKCS#12 store and the private key must be protected with the same password.

To replace the default server certificate with a certificate in a PKCS#12 file (*.p12 or *.pfx)

  1. Move the PKCS#12 file to the folder that holds the default FileXpress keystore (or to any secure location on your server). The default keystore locations are:

    <install path>\TransferServer\etc\

    <install path>\GatewayAdministrator\etc\

    Caution: Do not delete any of the existing certificates or keystore files in these locations. The server certificates located here are required for communication between FileXpress Gateway components.

  2. Locate the file in the location below for the server you are updating.

    <install path>\TransferServer\conf\

    <install path>\GatewayAdministrator\conf\

  3. Open in a text editor (running as an administrator). Remove the comment character (#) from the following lines. Set servletengine.ssl.keystoretype to PKCS12 and edit servletengine.ssl.keystore and servletengine.ssl.keystorepassword to use your values. For example:




    Note: The path to the keystore must be specified using either forward slashes or escaped backslashes. For example: C:/pathto/keystore or C:\\pathto\\keystore

  4. Restart the server you are configuring. See Start and Stop the FileXpress Transfer Server and Start and Stop the FileXpress Gateway Administrator Service.
  5. If you replaced the Gateway Administrator certificate, you must repeat the Activate and verify action on the FileXpress Secure Shell Proxy. This reestablishes the connection to the Gateway Administrator using the new certificate.
  6. Confirm that you can log on to the Transfer Client or Gateway Administrator.

    If you can't log in, or if you continue to see a certificate warning message, see Troubleshooting Server Certificate Setup.

Related Topics

Server Certificate Management