How to Install a Third Party Certificate into enVision

All Information belong to knowledge.rsasecurity.com

ID | Title

a36779 | How to Install a Third Party Certificate into enVision

Fact

RSA enVision (3.7.x, 4.0.x)

Symptom

SSL

HTTPS

Certificate Error

Cause

Secure administration of enVision can be achieved by using HTTPS to connect to the administration GUI (by default this will be https://server:8443/login.jsp ) and the system uses a default keypair preconfigured. It is possible to replace the pre-supplied keypair with a unique keypair which is then site specific.

If the default keypair is used then when you connect with a browser to the admin GUI you will get a certificate error as a warning. You may still proceed to the admin GUI remembering that the default key is being used.

Fix

To install your own, site specific, keypair you should carry out the following steps:

1. On the enVision server (Asrv for LS) cd to the E drive and then to %_envision%\conf, run the following:

%_ENVISION%\conf>del .keystore

2. Run the following, answering the questions as requested.

%_ENVISION%\conf>..\jdk\jre\bin\keytool -genkey -keyalg RSA -keystore .keystore -validity 360 -alias tomcat -storepass enVision -keypass enVision
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is <CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown> correct
?
[no]: yes

Note: The keystore and storepass passwords are both enVision and must not be changed

3. Run the following command to create a certificate signing request

%_ENVISION%\conf>..\jdk\jre\bin\keytool -certreq -keyalg RSA -file certreq.csr -keystore .keystore -alias tomcat -keypass enVision -storepass enVision

4. You may look at the text file certreq.csr

%_ENVISION%\conf>type certreq.csr

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBrDCCARUCAQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UE

BxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMH

VW5rbm93bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5Yq5nsUPKFvOdGiTh/+cetP0tHH+

wgOszsYILP1iy9PjzqhmKZRqC+2igjC24jbMnhbixwnEPph2n0h+JBn8z+pma0FC1HCoItcGPslQ

ObdrSWZG9C3dVpI+2NQ88lkGc/gK8roKsvhWUbnOgliwgYyG/fyfOl+ZbNnnicsPkPkCAwEAAaAA

MA0GCSqGSIb3DQEBBAUAA4GBAJ7GpEk0S7mrGdM+QXAEv4k2cJZ5r/W4Sd2f8atJU3zyYy+tZv8p

21QpfoJnVC4Gd0coJ4i1Q//PorMMDixIWXQUdvRZQbTik8PY/hl++dDjIrRTgzWjP9E7KNuqc2wa

P1GTnTIxCjttc1nqtLos9hRjKEdKMjmFUNIuAs378lrS

-----END NEW CERTIFICATE REQUEST-----

5. Send the .CSR file to the third party you have chosen to sign the certificate, this may be an external company or an internal certificate authority (CA). In return, you will receive a number of certificates either as files or sometimes as an email listing the locations to download the certificates. You should have at least two certificates, often three or more.

6.

Your signed certificate
A root certificate
None, one or more intermediate certificates

7. Copy all the certificate file to the enVision server.

8. Install the root certificate first, using a password of enVision, and answering yes when the certificate details are displayed and asked to add the certificate to the keystore:

%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -trustcacerts -alias root -keystore .keystore -file location_of_root_cert.crt -storepass enVision

Owner: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=mjbond@csau.ap.rsa.net

Issuer: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=mjbond@csau.ap.rsa.net

Serial number: 5ba1b42e6157511b406fefb3c524dc8e

Valid from: Tue Dec 18 10:38:01 EST 2007 until: Sun Jan 02 10:54:13 EST 2011

Certificate fingerprints:

MD5: 40:75:C1:EB:D0:26:4E:C9:9B:59:6D:58:F8:2F:6D:BE

SHA1: 07:EF:D7:0D:35:0B:31:49:DE:20:0A:B7:8C:B9:28:B3:C0:CC:D2:2E

Trust this certificate? [no]: yes

Certificate was added to keystore

Any intermediate certificate must be installed next, using a password of enVision, for example here we add two intermediate certificates and invent different alias names for each one (the actual alias name for these is unimportant).

%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -alias inter1 -keystore .keystore -file intermediate1.crt -storepass enVision

Certificate was added to keystore

%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -alias inter2 -keystore .keystore -file intermediate2.crt -storepass enVision

Certificate was added to keystore

9. Lastly, install the signed server certificate, using a password of enVision, and answering yes when asked to add the certificate to the keystore:

%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -alias tomcat -keystore .keystore -file server.crt -storepass enVision -keypass enVision

Certificate reply was installed in keystore

10. Copy \jdk\jre\bin\.keystore to the %_ENVISION%\conf directory

11. Stop and restart the NIC WebServer service.

The installation is complete

-Regards,

Blackhattrick blog

(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)