
ERA v6 Webconsole SSL Certificate



After using ERA v6 for the past few months, I figured that it would be a good idea to install a better SSL certificate.  By default, the Webconsole was using a certificate with almost no information filled out (no Common Name, Organization, et al), making it difficult to truly trust.  Getting a proper certificate installed (i.e. one that was signed by either a trusted internal CA or an external commercial CA) turned out to be a bit trickier than I expected.  I am documenting the process that I went through, so that it might be of use to others.

 

Currently, ERA v6 (Server 6.1.444.0 / Webconsole 6.1.334.0) does not offer any way to import or view the certificate that is used for the Webconsole.

 

To generate a CSR and get the signed certificate installed, you will need the latest Java JDK and a copy of OpenSSL.  For convenience, I installed the JDK on the same server as the ERA, since it will be used to import the certificate directly to the Tomcat keystore.

 

First, you need to gather three pieces of information from your ERA's Tomcat configuration.  These are generated behind-the-scenes during the installation process.  Our server is running on Windows, so for us the file is located at "C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml".  Near the end of this file is a line that starts with "<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true"...".  Make a note of the values for "keystoreFile", "keystorePass", and "keyAlias".

- The default keystoreFile value should be "C:\Program Files\Apache Software Foundation\Tomcat 7.0\.keystore"

- The default keyAlias should be "tomcat"

- The keystorePass will be randomly generated

 

Use OpenSSL to generate a certificate signing request (CSR), then use your internal or commercial CA to sign the certificate and receive a PEM formatted certificate.

openssl req -out ERA.csr -new -newkey rsa:2048 -nodes -keyout ERA.key

 

Now, you need to combine the private key (ERA.key) with your signed certificate (ERA.cer).  Run the following command with OpenSSL to combine them into a PKCS#12 file.  When prompted for an Export Password, use the same value from the keystorePass field.

openssl pkcs12 -export -in ERA.cer -inkey ERA.key -out ERA.p12 -name tomcat

 

Before the new certificate can be imported, you will need to backup the old keystore file (copy it somewhere safe) and then delete the old certificate with the following command on the ERA server.  I am running the keytool commands from the JDK bin directory (e.g. C:\Program Files\Java\jdk1.8.0_45\bin\).  Replace "_YOUR_keystorePass_" with your actual keystorePass value.

keytool -delete -alias tomcat -keystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\.keystore" -storepass _YOUR_keystorePass_

 

You can verify that the keystore is empty by running the following command.

keytool -list -keystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\.keystore" -storepass _YOUR_keystorePass_

 

With the keystore empty, you can now import your new certificate.

keytool -importkeystore -deststorepass _YOUR_keystorePass_ -destkeystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\.keystore" -srckeystore "_Path_to_your_ERA.p12" -srcstorepass _YOUR_keystorePass_ -srcstoretype PKCS12 -alias tomcat

 

Finally, restart your Tomcat service and you should be able to load up your Webconsole and see the new certificate in use!

 

I'm sure that there may be a shorter set of commands to accomplish this, or that such functionality will be integrated into ERA in the future, but until then, I hope this helps!

 


  • Former ESET Employees

In fact, you do not need to use openssl. Java keytool should be enough.

hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3724

 

Following steps 1 and 5 lets you generate a self-signed certificate with your values and set Tomcat's server.xml to use the generated keystore.

 

  1. Create a keystore with an SSL certificate. You must have the Java JRE installed, and it is preferable that you are running the latest version, because it includes the Java Keytool (keytool.exe), which allows you to create the certificate via the command line. You need to generate a new certificate for each Tomcat instance (in case you have multiple Tomcat instances) to ensure that, if one certificate is compromised, other Tomcat instances will remain secure.

    Below is an example command that creates a keystore with an SSL certificate (to perform this step, navigate to the exact location of the keytool.exe file, for example C:\Program Files (x86)\Java\jre1.8.0_40\bin>, and then run the command):

keytool.exe -genkey -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

 

  5. Edit the server.xml configuration file so that the Connector tag is written similar to the example below:

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="yourpassword" keyAlias="tomcat"/>
 

If you're using ESET ERA VA, there is a way to import and use a proper SSL certificate with the ERA Webconsole without generating a new CSR (the cert should have a matching SAN record for the URL you will be using to access the Webconsole):

 

1. Export the certificate in PEM format, as well as its private key, from the server on which you created the CSR (or from any other server, as long as it has the matching private key).

2. Export your intermediate CA certificate in PEM format. If applicable, export your root CA certificate as well and merge both into one PEM file (it's a human-readable format, so you can open it in Notepad). Be careful not to change anything and don't add any empty lines: copy everything and paste it into a new file, first the intermediate cert and right below it the root cert. Save the new file in PEM format too.

 

Note: You can skip some or all of the above if your public certificate provider allows you to download one or all of these files directly.

 

3. Now convert the cert and the key into a PKCS#12 container (install OpenSSL if you haven't already):

openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out myserver.p12 -name tomcat -caname root_ca -chain -CAfile cacert.pem

 

Parameters used:

mycert.pem and mykey.pem - your cert and the private key (see step 1)

cacert.pem - intermediate and root CA combined (see step 2)

myserver.p12 - the PKCS#12 container you need to take to ERA VA (root user home folder will do)

 

4. Open PuTTY and log in to the ERA VA as root. Run the following command:

keytool -importkeystore -deststorepass mypass -destkeypass mypass -destkeystore keystore.jks -srckeystore myserver.p12 -srcstoretype PKCS12 -srcstorepass p12pass -srcalias tomcat -destalias tomcat

 

Parameters used:

mypass - a password to protect your certificate and the private key stored in keystore

p12pass - a password you entered to secure the PKCS#12 container (see step 3)

myserver.p12 - your PKCS#12 container (see step 3)

keystore.jks - your new keystore container

 

5. Copy the keystore file to /etc/tomcat6/

 

6. Make a backup copy of the /etc/tomcat6/server.xml somewhere (in root user home for example).

 

7. Edit /etc/tomcat6/server.xml so that the connector block looks like this:

<Connector port="keep your port ### here, usually it's 443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/etc/tomcat6/keystore.jks"
           keystorePass="mypass"
           keyAlias="tomcat"
/>

 

8. Now reboot the ERA VA and try to log in to the Webconsole - you should no longer see the certificate error message, as long as the URL you're using has a matching record in the certificate's SAN list!

 

 

Kudos to alexkasko for posting an example here

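As an added end-to-end rehearsal of the flow described in the first and third posts above (this is not code from either poster, nor from ESET): it generates the key and CSR with a SAN, has a throwaway CA stand in for your internal or commercial CA, bundles key, certificate and chain into a PKCS#12 under the alias "tomcat", runs the checks a practitioner would want before touching the Tomcat keystore (key matches cert, cert chains to the CA, SAN present, friendlyName is really "tomcat"), and finally does the keytool import. The hostname era.example.internal, the file names, the "Test Internal CA" and the ERA_STOREPASS value are assumptions; in real use the signing step is done by your CA and the password is the keystorePass from server.xml.

```shell
#!/bin/sh
# Added example (not from the forum posts): rehearsal of CSR -> signed cert ->
# PKCS#12 -> Tomcat keystore, with a throwaway CA standing in for the real one.
# Assumed: era.example.internal, ERA.*/testca.* file names, ERA_STOREPASS value.
set -eu

ERA_HOST="${ERA_HOST:-era.example.internal}"   # name users type into the browser
ERA_STOREPASS="${ERA_STOREPASS:-changeit}"     # stand-in for keystorePass in server.xml

# Step 1: private key and CSR. The SAN is what browsers actually match against.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout ERA.key -out ERA.csr \
    -subj "/CN=$ERA_HOST/O=Example Org" -addext "subjectAltName=DNS:$ERA_HOST"
}

# Step 2: throwaway self-signed CA (your real internal/commercial CA does this part).
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout testca.key -out testca.pem -subj "/CN=Test Internal CA"
}

# Step 3: the CA signs the CSR. The SAN is restated via -extfile because
# "openssl x509 -req" does not carry extensions over from the request by default.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$ERA_HOST" > san.ext
  openssl x509 -req -in ERA.csr -CA testca.pem -CAkey testca.key -CAcreateserial \
    -days 30 -extfile san.ext -out ERA.cer
}

# Checks worth running before replacing the keystore entry.
key_matches_cert() {   # public key derived from the private key == public key in the cert
  [ "$(openssl x509 -in ERA.cer -noout -pubkey)" = "$(openssl pkey -in ERA.key -pubout)" ]
}
cert_chains_to_ca() {  # the signed cert must validate against the CA you will trust
  openssl verify -CAfile testca.pem ERA.cer >/dev/null
}
cert_san() {           # prints e.g. DNS:era.example.internal
  openssl x509 -in ERA.cer -noout -text | grep -o 'DNS:[^,[:space:]]*' | head -n 1
}

# Step 4: bundle key + cert + CA chain as PKCS#12. The export password is the
# keystorePass so one value serves -srcstorepass and -deststorepass later.
make_p12() {
  openssl pkcs12 -export -in ERA.cer -inkey ERA.key -certfile testca.pem \
    -name tomcat -out ERA.p12 -passout "pass:$ERA_STOREPASS"
}
p12_friendly_name() {  # the alias Tomcat looks up (keyAlias) comes from friendlyName
  openssl pkcs12 -in ERA.p12 -nokeys -clcerts -passin "pass:$ERA_STOREPASS" \
    | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# Step 5: import under alias "tomcat". -noprompt overwrites an existing "tomcat"
# entry; JKS is Tomcat's default keystoreType. Skipped cleanly without a JDK.
import_to_keystore() {
  ks="${1:-.keystore}"
  if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not on PATH; skipping keystore import" >&2
    return 0
  fi
  keytool -importkeystore -noprompt \
    -srckeystore ERA.p12 -srcstoretype PKCS12 -srcstorepass "$ERA_STOREPASS" -alias tomcat \
    -destkeystore "$ks" -deststoretype JKS -deststorepass "$ERA_STOREPASS"
  keytool -list -keystore "$ks" -storepass "$ERA_STOREPASS" | grep -q '^tomcat,'
}

# Run every step in a scratch directory; artifacts are left there for inspection.
rehearse_all() {
  workdir=$(mktemp -d)
  (
    cd "$workdir"
    make_csr
    make_test_ca
    sign_csr
    key_matches_cert
    cert_chains_to_ca
    make_p12
    echo "SAN: $(cert_san)  alias: $(p12_friendly_name)"
    import_to_keystore "$workdir/.keystore"
  )
  echo "artifacts left in $workdir"
}

if [ "${1:-}" = "run" ]; then
  rehearse_all
fi
```

Run it with `sh era_cert_rehearsal.sh run`. Two caveats when carrying this over to a real server: keep the alias and the store password identical to the keyAlias and keystorePass in server.xml, or Tomcat will not find the entry; and if the keytool import fails on an older Java with an error about the PKCS#12 encryption, re-run the export with `openssl pkcs12 -export -legacy ...` (OpenSSL 3 defaults to AES-256-CBC with PBKDF2 for the bundle, which older Java releases cannot read).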
