How to Install a Third Party Certificate into enVision
Fact
RSA enVision (3.7.x, 4.0.x)
Symptom
SSL
HTTPS
Certificate Error
Cause
Secure administration of enVision can be achieved by using HTTPS to connect to the administration GUI (by default this will be https://server:8443/login.jsp ) and the system uses a default keypair preconfigured. It is possible to replace the pre-supplied keypair with a unique keypair which is then site specific.
If the default keypair is used then when you connect with a browser to the admin GUI you will get a certificate error as a warning. You may still proceed to the admin GUI remembering that the default key is being used.
Fix
To install your own, site specific, keypair you should carry out the following steps:
1. On the enVision server (Asrv for LS) cd to the E drive and then to %_envision%\conf, run the following:
%_ENVISION%\conf>del .keystore
2. Run the following, answering the questions as requested.
%_ENVISION%\conf>..\jdk\jre\bin\keytool -genkey -keyalg RSA -keystore .keystore -validity 360 -alias tomcat -storepass enVision -keypass enVision
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is <CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown> correct
?
[no]: yes
Note: The keystore and storepass passwords are both enVision and must not be changed
3. Run the following command to create a certificate signing request
%_ENVISION%\conf>..\jdk\jre\bin\keytool -certreq -keyalg RSA -file certreq.csr -keystore .keystore -alias tomcat -keypass enVision -storepass enVision
4. You may look at the text file certreq.csr
%_ENVISION%\conf>type certreq.csr
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBrDCCARUCAQAwbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UE
BxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMH
VW5rbm93bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA5Yq5nsUPKFvOdGiTh/+cetP0tHH+
wgOszsYILP1iy9PjzqhmKZRqC+2igjC24jbMnhbixwnEPph2n0h+JBn8z+pma0FC1HCoItcGPslQ
ObdrSWZG9C3dVpI+2NQ88lkGc/gK8roKsvhWUbnOgliwgYyG/fyfOl+ZbNnnicsPkPkCAwEAAaAA
MA0GCSqGSIb3DQEBBAUAA4GBAJ7GpEk0S7mrGdM+QXAEv4k2cJZ5r/W4Sd2f8atJU3zyYy+tZv8p
21QpfoJnVC4Gd0coJ4i1Q//PorMMDixIWXQUdvRZQbTik8PY/hl++dDjIrRTgzWjP9E7KNuqc2wa
P1GTnTIxCjttc1nqtLos9hRjKEdKMjmFUNIuAs378lrS
-----END NEW CERTIFICATE REQUEST-----
5. Send the .CSR file to the third party you have chosen to sign the certificate, this may be an external company or an internal certificate authority (CA). In return, you will receive a number of certificates either as files or sometimes as an email listing the locations to download the certificates. You should have at least two certificates, often three or more.
6.
Your signed certificate
A root certificate
None, one or more intermediate certificates
7. Copy all the certificate file to the enVision server.
8. Install the root certificate first, using a password of enVision, and answering yes when the certificate details are displayed and asked to add the certificate to the keystore:
%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -trustcacerts -alias root -keystore .keystore -file location_of_root_cert.crt -storepass enVision
Owner: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=mjbond@csau.ap.rsa.net
Issuer: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=mjbond@csau.ap.rsa.net
Serial number: 5ba1b42e6157511b406fefb3c524dc8e
Valid from: Tue Dec 18 10:38:01 EST 2007 until: Sun Jan 02 10:54:13 EST 2011
Certificate fingerprints:
MD5: 40:75:C1:EB:D0:26:4E:C9:9B:59:6D:58:F8:2F:6D:BE
SHA1: 07:EF:D7:0D:35:0B:31:49:DE:20:0A:B7:8C:B9:28:B3:C0:CC:D2:2E
Trust this certificate? [no]: yes
Certificate was added to keystore
Any intermediate certificate must be installed next, using a password of enVision, for example here we add two intermediate certificates and invent different alias names for each one (the actual alias name for these is unimportant).
%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -alias inter1 -keystore .keystore -file intermediate1.crt -storepass enVision
Certificate was added to keystore
%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -alias inter2 -keystore .keystore -file intermediate2.crt -storepass enVision
Certificate was added to keystore
9. Lastly, install the signed server certificate, using a password of enVision, and answering yes when asked to add the certificate to the keystore:
%_ENVISION%\conf>..\jdk\jre\bin\keytool -import -alias tomcat -keystore .keystore -file server.crt -storepass enVision -keypass enVision
Certificate reply was installed in keystore
10. Copy \jdk\jre\bin\.keystore to the %_ENVISION%\conf directory
11. Stop and restart the NIC WebServer service.
-Regards,
Blackhattrick blog
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)
No comments:
Post a Comment