Creating a Valid Certificate Using GETACERT for Client Login Extension



After installing and configuring Client Login Extension (CLE), clicking the ForgottenPassword link on the credential provider simply throws an error and does not launch the SSPR setup page.


This is because CLE requires a valid certificate to be installed on the client box; only then is the SSPR page rendered correctly.


Creating a Valid Certificate from


1. Navigate to

2. Provide the following details:

   host-name, organization, dept, email, city, state, country and Expiry (10 years)

3. Review and submit the self-signed request

4. Download all 4 certs

a) Private key:
b) Certificate request (.csr):
c) Public key (.cer):
d) Entire certificate (pkcs12):
Note: Your certificate password is the word 'password' (without any quote marks)

5. Launch the SSPR URL from another browser --> Log in as Administrator --> Configuration Editor --> In the search field, type "https private key and certificate"

ex: https://xx.xx.xx.xx:8443/sspr

6. Use the pkcs12 certificate that was generated, with "password" as the private key password, and upload it.

8. Navigate to the client machine where CLE is installed, log in to the machine as administrator, open IE11 and launch the example SSPR page https://xx.xx.xx.xx:8443/sspr . Download the SSPR certificate (Certificate 1) by selecting View, then Copy to File, and export it to the Desktop.

9. Download the root certificate of the getacert issuer

-> Make sure you have your Certificate Signing Request (CSR) file ready
-> Go to
-> Click the "Submit certificate signing request (CSR)" link in the menu.
-> Open your .csr file in a text editor.
-> Copy and paste the CSR content into the form.
-> Click the "SubmitCSR" button.
-> Download the root certificate getacert.cer (Certificate 2)

10. Now on the client machine where CLE is installed:

Launch mmc --> Add/Remove Snap-in --> Certificates --> Trusted Root Certification Authorities (Computer Account) --> Import both Certificate 1 and Certificate 2

11. Restart the Self Service Password Reset service, and also restart the client machine where CLE is installed and configured with the above certificate entitlements.
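
Step 10 can also be done from an elevated PowerShell prompt before the restart in step 11. The script below is an added example, not part of the original tip: it shows each certificate's subject, thumbprint and expiry before trusting it, imports it into the computer's Trusted Root store, and then checks that Windows builds a trusted chain for the SSPR certificate. The two file paths are assumptions for wherever Certificate 1 and Certificate 2 were exported.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
$ErrorActionPreference = 'Stop'

# Assumed (hypothetical) export locations from steps 8 and 9.
$certFiles = @(
    "$env:USERPROFILE\Desktop\sspr.cer",      # Certificate 1: SSPR server certificate
    "$env:USERPROFILE\Desktop\getacert.cer"   # Certificate 2: getacert root certificate
)
# Trusted Root Certification Authorities, Computer Account
$rootStore = 'Cert:\LocalMachine\Root'

foreach ($file in $certFiles) {
    # Load the file first so it can be reviewed before it becomes a trust anchor.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    '{0}  thumbprint={1}  expires={2:yyyy-MM-dd}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

    if (Test-Path (Join-Path $rootStore $cert.Thumbprint)) {
        "  already present in $rootStore"
    } else {
        Import-Certificate -FilePath $file -CertStoreLocation $rootStore | Out-Null
        "  imported into $rootStore"
    }
}

# Confirm that Windows now builds a trusted chain for the SSPR certificate.
$sspr  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFiles[0])
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
# Assumption: the test CA publishes no CRL/OCSP endpoint, so revocation is not checked.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

if ($chain.Build($sspr)) {
    'Chain OK: the SSPR certificate is trusted on this machine.'
} else {
    $chain.ChainStatus | ForEach-Object {
        'Chain error: {0} {1}' -f $_.Status, $_.StatusInformation.Trim()
    }
}
```

Both certificates become machine-wide trust anchors once imported, so compare the printed thumbprints with the files you downloaded before running the import on more clients.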


CLE now works seamlessly and launches the SSPR page correctly for password reset functionality.

Note: The certificate signed by is a valid public key certificate. You can use it for testing purposes as long as you keep it together with certificate, because is not a trusted root CA.


Support Tip
Comment List
  • We are currently in Client Login Plugin 3.10 and using PWM instead of SSPR. We also use IDM suite. So are the above steps mandatory if we upgrade the NetIQ Client Login Extension plugin to a higher version? What is the latest version of the CLE plugin? Can anyone help with the download patch site of the latest version of the CLE plugin?

    Best Regards,

    Steve Holding