
JMPer Cable

A technical blog for JMP users of all levels, full of how-to's, tips and tricks, and detailed information on JMP features
SSL certificates for JMP Live: 2026 updates

SSL certificate requirements for JMP Live

SSL certificates are text files with cryptographic keys that enable secure communication between a browser and a web server. They encrypt sensitive information so only the intended recipient can access it. The keys are organization-specific and must come from third-party vendors such as DigiCert, Symantec, or Network Solutions, or from an internal enterprise certificate authority (CA). JMP Live requires these certificates to run.

We recommend:

  • Certificate type
    • Publicly trusted server certificate issued by a public certificate authority (CA)
    • SAN or wildcard certificates are supported, as long as the browser trusts the issuing CA
  • Hostname
    • The certificate’s Common Name (CN) or Subject Alternative Name (SAN) must match the fully qualified domain name (FQDN) you use to access JMP Live, for example: jmplive.yourcompany.com
  • Key type and size
    • RSA 2048-bit (or higher)
    • SHA-256 (or stronger) signature algorithm
  • Chain
    • Full CA chain (intermediate and root certificates) must be available in PEM format.

Internal enterprise CAs
JMP Live can also use certificates issued by an internal enterprise CA. In that case, client browsers must trust the internal CA. Work with your IT/security team to ensure the CA certificate is deployed to users’ machines.

Self-signed certificates
Self-signed certificates are not recommended for production because client browsers will show security warnings. Use a CA-signed certificate whenever possible.

JMP Live uses four certificate files:

  1. A file with the public (server) certificate.
  2. A file with the certificate’s private key.
  3. A file with the certificate authority (CA) certificate chain, which includes the intermediate and root certificates.
  4. A file containing the public certificate and the certificate chain combined.

All files must be in Privacy-Enhanced Mail (PEM) format.

Requesting certificates from a certificate authority (CA)

The certificate and private key are configured for your organization. The root certificate comes from the third-party vendor.

When purchasing a certificate, follow the vendor's documentation to obtain the required files.

After locating the certificate enrollment service, follow these steps:

  1. Get the certificate: Request it from the vendor CA service web page. Follow instructions to submit the request. After issuance, download and save it to the install machine. Choose Base64 encoding. The downloaded file usually starts with:

  -----BEGIN CERTIFICATE-----

This will be file #1 (server certificate).

  2. Get the certificate’s private key: The private key is generated when you create the certificate signing request (CSR). It is usually stored in the server’s filesystem or keystore.

If you are not sure where the private key is stored, see Helpful links at the end of this blog post or search online for instructions specific to your web server.

JMP Live requires the private key in unencrypted PEM format. If your key is in a different format or is password-protected, use one of these methods to convert it:

Method A: Convert from PKCS#12 (PFX/P12) using OpenSSL

If you export the server certificate and private key from IIS or another tool, you typically get a .pfx (PKCS#12) file, which is password-protected. JMP Live cannot use password-protected files.

    1. Use OpenSSL to convert the .pfx file to PEM (see Helpful Links at the end of this blog post or use Google for options):

openssl pkcs12 -in cert.pfx -nodes -out cert.pem

If this command fails, try:

openssl pkcs7 -print_certs -in cert.pfx -out cert.pem

    2. The resulting cert.pem contains the unprotected private key and all certificates. Open it with Notepad and:

      • Find the block that starts with -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.
      • Copy that entire block into a new file.

This new file is file #2 (private key).

Method B: Apache-style export

Some utilities export the certificate and key in Apache (PEM) format without a password, producing two separate files. These can serve as file #1 and file #2 without OpenSSL conversion.

  3. Get the root certificate: The vendor CA site usually has a menu item "Download a CA certificate, certificate chain, or CRL." JMP Live needs the CA certificate chain; this download is file #3. Choose Base64 encoding. If the file is password-protected, remove the password as described above. If it is in PKCS#7 or P7B format, convert it to PEM format with:

openssl pkcs7 -print_certs -in certnew.p7b -out root.pem

Verify the certificates (optional)

Verify your PEM files with:

openssl x509 -in root.pem -text

This displays certificate details, such as Issuer, Subject, and expiration date for verification.

Formatting the certificates for JMP Live

Name the certificates as follows to identify them easily during renewal:

  • Public key (server certificate) – cert.pem
  • Private key – key.pem
  • Intermediate and root (CA chain) – root.pem
  • Public, intermediate, and root combined – combined.pem

To create combined.pem from existing files, concatenate the server certificate and CA chain. The order should be:

  1. Server certificate
  2. Intermediate certificate(s)
  3. Root certificate
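
The file layout described above (one server certificate, one unencrypted private key, a CA chain, and combined.pem in server-then-chain order) can be checked before any configuration is edited. This is an added example, not JMP's code; the function names and the constructed stand-in PEM blocks are assumptions.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, encrypted, der_bytes)] for every PEM block in text."""
    out = []
    for label, body in PEM_RE.findall(text):
        # Legacy encrypted keys put RFC 1421 headers before the base64 body.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(l for l in body.splitlines() if ":" not in l)
        out.append((label, encrypted, base64.b64decode(b64)))
    return out

def build_combined(cert_text, chain_text):
    """Server certificate first, then the CA chain (the order the page gives)."""
    return cert_text.rstrip() + "\n" + chain_text.strip() + "\n"

def preflight(cert_text, key_text, chain_text, combined_text):
    """Return a list of problems; an empty list means the four files fit."""
    problems = []
    cert, key = pem_blocks(cert_text), pem_blocks(key_text)
    chain, combined = pem_blocks(chain_text), pem_blocks(combined_text)
    if [b[0] for b in cert] != ["CERTIFICATE"]:
        problems.append("cert.pem must hold exactly one CERTIFICATE block")
    if len(key) != 1 or key[0][0].replace("ENCRYPTED ", "") not in KEY_LABELS:
        problems.append("key.pem must hold exactly one private key block")
    elif key[0][1]:
        problems.append("key.pem is password-protected")
    if not chain or any(b[0] != "CERTIFICATE" for b in chain):
        problems.append("root.pem must hold only CERTIFICATE blocks")
    if any("PRIVATE KEY" in b[0] for b in cert + chain + combined):
        problems.append("private key found outside key.pem")
    if [b[2] for b in combined] != [b[2] for b in cert + chain]:
        problems.append("combined.pem is not server cert followed by chain")
    return problems

def sample_pem(label, payload, headers=""):
    """Constructed stand-in block, not a real certificate or key."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    cert, key = sample_pem("CERTIFICATE", b"server"), sample_pem("PRIVATE KEY", b"key")
    chain = sample_pem("CERTIFICATE", b"intermediate") + sample_pem("CERTIFICATE", b"root")
    print(preflight(cert, key, chain, build_combined(cert, chain)))
    print(preflight(cert, key, chain, chain + cert))
```

The check covers file structure only: it does not confirm that the private key belongs to the certificate or that the chain validates against a trusted root.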

Using the certificates in JMP Live

  1. Store the certificate files

After obtaining the certificates, begin using them in JMP Live.
Store the files in a central, secure location outside the JMP Live installation path, for example:

C:\certificates

  2. Update the .env files for JMP Live and JMP Pool

Edit the .env files of JMP Live and JMP Pool to reflect the paths to the certificate, private key, and root certificate.

    a. Edit the JMP Live .env file:

SSL_CERT_FILE='C:\certificates\cert.pem'

SSL_KEY_FILE='C:\certificates\key.pem'

SSL_CA_FILE='C:\certificates\root.pem'

    b. Edit the JMP Pool .env file (root certificate only):

SSL_CA_FILE='C:\certificates\root.pem'

  3. Update the Keycloak configuration

Edit the keycloak.conf file to reflect the correct paths:

https-certificate-file=C:/certificates/combined.pem

https-certificate-key-file=C:/certificates/key.pem

  4. Restart JMP Live services

Use the Services tab in Task Manager (or services.msc) to start or restart:

    • JMP Live web application (websjmpsvc.exe)
    • JMP Pool Manager (jmpppolsvc.exe)
    • Keycloak (jmplivekeycloak)

Security best practices

Protect your private key file (key.pem):

  • Restrict file system permissions so only the JMP Live service account and administrators can read it.
  • Never share the private key over email or unsecured channels.
  • If the private key is compromised, revoke the certificate with your CA and issue a new one.

Helpful links

Here are links to reference as you set up SSL certificates:

 

Last Modified: Mar 6, 2026 12:27 AM