Chrome browser certificate invalid error for ERA web console


MKnight

Hi all,

I followed the instructions outlined below to set up an HTTPS/SSL connection for the ERA web console. I thought everything was fine, because when I access the web console via Internet Explorer I do not get a certificate warning, but when I try the same thing using the Chrome browser I get a "certificate is invalid" error. When I drill down into the certificate details in Chrome, it shows my certificate chain and also that it is valid. Could this be because the certificate is using the SHA1 security algorithm and Chrome does not support it? Does ESET ERA work with SHA-256, or should I wait until ESET ERA 7 comes out?

Also what is the difference between following method 1 vs method 2 outlined here:

https://support.eset.com/kb3724/?locale=en_US&viewlocale=en_US

Do they both achieve the same thing? Sorry, I am not a certificate expert.

To use an existing certificate

  1. Move the certificate .pfx file to your Tomcat install directory.

    By default, this is C:\Program Files (x86)\Apache Software Foundation\Tomcat X.X on 64-bit Windows Server systems or C:\Program Files\Apache Software Foundation\Tomcat X.X on 32-bit systems.

  2. Open the Conf folder in the Tomcat install directory and locate the Server.xml file. Edit this file using a text editor such as Notepad++. Copy the following string into the Server.xml:

    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="enter_pfx_filename_here" keystorePass="enter_password_here" keystoreType="PKCS12"/>

  3. Restart the Tomcat service.


  • ESET Staff

@MKnight

You can enable "advanced security" also in the server settings of ERA 6.5. However, for that you will need to regenerate all of the certificates and redeploy them, so I am not sure if it is "worth the effort". Also please note that if you use very old versions of operating systems, the SHA256-signed certificates might not work (old instances of Linux, or for example Windows XP). https://help.eset.com/era_admin/65/en-US/admin_server_settings.html

Concerning the differences between the articles, I would wait for some more "certificate savvy" people to answer. I have asked them to comment as well.


Thanks for the quick update. I will wait to hear back from the others... hopefully someone with more cert experience can chime in.


  • ESET Staff

Regarding the two methods:

  1. The first describes the steps for using a certificate that was generated by someone else. For example, there are various third-party providers that can generate a certificate for your domain/hostname, or in a larger company the IT department can provide you one. This certificate will be (should be) signed by a trusted CA, i.e. it will be automatically trusted by the browser or the operating system itself.
  2. The second method describes how to create your own self-signed certificate. A self-signed certificate will by default be untrusted by the browser, and you will have to add an exclusion, i.e. explicitly accept that you trust such a certificate.

By default, the ERA installer uses method 2 to generate the certificate, and that is most probably the reason why it is considered untrusted, but we will need more info on what certificate you are actually using. The certificate used for web console connections is used only in Apache Tomcat and is not managed by ERA at all. This means that no configuration in ERA will change this behavior, and in the case of compatibility, it completely depends on the Apache Tomcat version currently installed. I think that Tomcat 7 will be able to use even stronger certificates.

Unfortunately I am not a skilled Chrome user, but I would expect that the reason for marking the certificate as untrusted will be shown somewhere...


The issue may be because our in-house PKI infrastructure is still using SHA1 and the Chrome browser does not like this. I am not sure at this point. Hopefully someone else can shed some light on the issue.

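The question the thread keeps returning to, whether the web console certificate (or something in its chain) is SHA-1 signed, can be answered directly from the certificate bytes rather than from a browser dialog. The following is an added example, not code from this thread or from ESET, and uses only the Python standard library: it walks the outer DER Certificate SEQUENCE, reads the signatureAlgorithm OID, and flags the SHA-1 variants. The certificate it runs against is a constructed, certificate-shaped DER structure built in the block itself (so it works offline and is not a real signed certificate); `signature_algorithm` takes any real DER certificate too, for instance `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` for the leaf served by Tomcat.

```python
"""Report the signatureAlgorithm of an X.509 certificate given in DER.

Added example (not from the forum thread or ESET); standard library only.
X.509 outer structure (RFC 5280):
    Certificate ::= SEQUENCE {
        tbsCertificate      SEQUENCE,
        signatureAlgorithm  SEQUENCE { OBJECT IDENTIFIER, parameters OPTIONAL },
        signatureValue      BIT STRING }
"""
import ssl

# Signature OIDs relevant to a "Chrome says the certificate is invalid" question.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGNATURES = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Turn OID content bytes into dotted form (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return (algorithm name, is_weak) for a DER-encoded certificate."""
    tag, start, _, _ = _read_tlv(der, 0)  # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, pos = _read_tlv(der, start)  # skip tbsCertificate
    tag, alg_start, _, _ = _read_tlv(der, pos)  # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    name = SIGNATURE_OIDS.get(_decode_oid(der[oid_start:oid_end]), _decode_oid(der[oid_start:oid_end]))
    return name, name in WEAK_SIGNATURES


def check_server_leaf(host, port=443):
    """Fetch the leaf certificate a server presents and classify its signature.
    Only the leaf is returned by ssl.get_server_certificate; intermediates from an
    in-house CA must be exported from that CA and checked with signature_algorithm."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test data (a certificate-shaped DER, NOT a real signed certificate) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_certificate(sig_oid):
    """Build the three-field outer structure with the given signature OID (constructed)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))  # stand-in tbsCertificate: SEQUENCE { INTEGER 1 }
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 17)  # dummy BIT STRING, zero unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, weak = signature_algorithm(constructed_certificate(oid))
        print(f"{name}: {'WEAK (SHA-1), modern Chrome rejects it' if weak else 'ok'}")
```

If the leaf comes back as sha256WithRSAEncryption but Chrome still complains, the weak signature is usually on an intermediate or root from the in-house CA, which this check cannot see from the server side; each certificate in the exported chain has to be run through `signature_algorithm` separately.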