Correct procedure to install a commercial wildcard cert into ERA 6.4

[jimwillsher 64]

Hello

 

I currently access ERA 6.4 (Windows install, not the appliance) via a local NETBIOS name, e.g.

 

https://eset-admin/era/

 

I have recently switched from Firefox to Chrome, and Chrome is more fussy about self-signed certificates than Firefox is. However I already own a wildcard certificate for *.mydomain.com and would like to start using this. I have 180+ clients live with Agent 6.4 so I don't want to mess anything up :-)

 

What would be the correct procedure, in 6.4 on a Windows server (2012R2), to install a commercial wildcard certificate and then start using that for ERA ?

 

 

Many thanks

 

 

 

Jim

[MartinK 336]

You have to re-configure tomcat7 installation to use your certificate instead of one generated during ERA installation (we are using still tomcat7 as in previous releases so there are no changes).

 

Technically you have to create new java-style keystore with your certificate (public & private, certificate chain if required). This can be done in two steps described in tomcat7 manual. Once this file is created, you have to configure tomcat7 to start using new keystore instead of old one. This has to be done in file c:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml, where you should find "Connector" specification with parameters like keystoreFile, keyPass, keyAlias that has to be adapted for new keystore you just created. I recommend to copy whole connector definition, change port and keystore parameters and test it. Once done, you can remove original configuration, or even run both of them for some time.

[jimwillsher 64]

Thanks Martin. I've also found this KB:

 

hxxp://support.eset.com/kb3724/?locale=en_US

 

but I'm struggling since I can't find server.xml. Any idea where this might lurk?

 

 

 

Jim

[MartinK 336]

Thanks Martin. I've also found this KB:

 

hxxp://support.eset.com/kb3724/?locale=en_US

 

but I'm struggling since I can't find server.xml. Any idea where this might lurk?

 

 

 

Jim

 

Maybe in x86 program files? There should definitely by somewhere installation directory of Apache Tomcat on your system drive.

[jimwillsher 64]

Hmmm...... I'm getting nowhere

 

 

I have a commercial certificate from PositiveSSL, for *.mydomain.com

 

These are the steps I have taken (these are the full steps; nothing is omitted):

 

 

Create the store

 

keytool.exe -genkey -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "hello" -keypass "hello" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

 

 

Combine the certificates

 

(use Notepad to combine star.mydomain.com.ca-bundle and star.mydomain.crt into a new file called combined.crt)

 

 

Import the certificate

 

keytool -import -trustcacerts -alias "av.mydomain.com" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -file "C:\Temp\combined.crt"

 

 

The certificate is displayed and I choose to import it. Import is successful.

 

i then edit C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\conf\server.xml, and at the bottom I change the SSL line to:

 

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="hello" keyAlias="tomcat"/>

 

in Chrome I get:

 

 

 

Your connection is not private

 

Attackers might be trying to steal your information from av.mydomain.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

 

 

 

Can anyone shed any light on what I'm doing (or not doing) wrong please?

 

 

Many thanks

 

 

 

Jim

[MartinK 336]

Can anyone shed any light on what I'm doing (or not doing) wrong please?

 

 

Many thanks

 

 

 

Jim

 

That's is because you created new self-signed certificate.

Please check section "Importing the Certificate" in referenced tomcat7 manual (I linked exactly this section). There are two steps, and only first one is mandatory -> creating keystore and adding your certificate. Seconds step adds CA but that should not be required in case you use some kind of public CA available in system. Also make sure you create new keystore file and not use existing as it will append certificate and tomcat will most probably use original one.

[jimwillsher 64]

I'm very grateful for the handholding here Martin.

 

Ok, I've started again. I hadn't appreciated that a keystore actually held the CA details, so yes, my keystore was self-signed.

 

I've now run these commands (a new keystore):

 

keytool -import -alias root -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -trustcacerts -file "C:\Temp\star.mydomain.com.ca-bundle" -storepass "hello" -keypass "hello"

 

keytool -import -alias tomcat -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -file "C:\Temp\star.mydomain.crt"

 

 

 

 

Keytool now seems happy:

 

C:\Program Files (x86)\Java\jre1.8.0_31\bin>keytool -list -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore"

Enter keystore password:

 

Keystore type: JKS

Keystore provider: SUN

 

Your keystore contains 2 entries

 

root, 28-Jul-2016, trustedCertEntry,

Certificate fingerprint (SHA1): xx:9C:DD:xx:CF:D5:xx:41:16:xx:61:5F:F3:14:28:78:2D:xx:xx:xx

tomcat, 28-Jul-2016, trustedCertEntry,

Certificate fingerprint (SHA1): xx:F6:D6:xx:B5:3A:xx:2B:96:xx:C4:02:6F:1D:6A:B5:0C:xx:xx:xx

 

C:\Program Files (x86)\Java\jre1.8.0_31\bin>

 

 

I've then edited the server.xml and restarted Tomcat service:

 

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" keystorePass="hello" keyAlias="tomcat"/>

 

 

Now I just get nothing When browsing https://av.mydomain.com/eraChrome sits for a few seconds and then tells me that the site isn't responding.

 

I'm not familiar with Tomcat (as you can tell!) but in the default configuration it doesn't seem to log anything.

 

Do you have any further thoughts please?

 

Sorry be asking so many questions, but I suspect I'm not the only user who would like the option of a commercial cert.

 

Many thanks

 

 

 

Jim

[jimwillsher 64]

I notice that with my alternative keystore line in the config:

 

<!--

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\.keystore" keystorePass="xxx" keyAlias="tomcat"/>

-->

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" keystorePass="xxx" keyAlias="tomcat"/>

 

after a restart of tomcat nothing is listening on 443. So Tomcat is objecting to something, either in that config or in the keystore.

[MartinK 336]

Yes, it is most probably not able to start because of changes. Please check tomcat logs located somewhere around - it may indicate exact error, which will be most probably wrong password or certificate type.

When I am looking on keytool command you used, my guess is that there is missing private key password (i.e. -keypass "hello" is missing in second keytool) - I hope there will be some details about startup failure ...

[jimwillsher 64]

Result!!!!!!!!

 

Google eventually found this for me

 

https://forum.eset.com/topic/4986-era-v6-webconsole-ssl-certificate/

 

 

So, the steps which worked are as follows:

 

Create the keystore, using the unaltered bundle file supplied from positiveSSL

keytool -import -alias root -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -trustcacerts -file "C:\Temp\star.mydomain.com.ca-bundle" -storepass "hello" -keypass "hello"

 

 

Combine the cert and private key

openssl pkcs12 -export -in star.mydomain.com.crt -inkey star.mydomain.com.key -out star.mydomain.com.p12 -name tomcat

 

 

Import the certificate

keytool -importkeystore -deststorepass "hello" -destkeystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -srckeystore "C:\Temp\star.mydomain.com.p12" -srcstorepass "hello" -srcstoretype PKCS12 -alias tomcat

 

 

Martin - thank you!!! You steered me onto the right track. I think the ultimate mistake was me missing "-name tomcat" when I generated my p12 file.

 

 

 

 

Jim

Edited July 28, 2016 by jimwillsher

[Dan Paluszek 0]

I am posting what I did to import an existing wildcard cert (from rapidssl, if it makes a difference) because I found little info on it. This was done on a Windows 2012R2 box.

So, if you are using a wildcard certificate to secure your ERA server you'll need to create a JKS keystore for tomcat to use. You do not need to create a new keystore with a CSR because the private key already exists.

You will need:
- All of your applicable intermediate certs (.crt files)
- Your wildcard cert (.crt file)
- Your private key (.key file)

Combine your intermediate certs into a ca-bundle taking care of their hierarchal order. You can use any n*x machine for this. Or a text editor in Windows. The concept is the same. Now, assuming they are all in your working directory:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.ca-bundle

On any n*x machine with openssl installed convert your cert, private key, and ca-bundle into a pkcs12 file. I did this on a 10.11.6 OS X machine running openssl v0.9.8zh. Now, assuming files are all in your working directory:

openssl pkcs12 -export -in your-wildcard-cert.crt -inkey private.key -out "/path/to/your-new-pkcs12-file.pkcs12" -name tomcat -CAfile mydomain.com.ca-bundle -caname root

On the tomcat server, "import" the pkcs12 file by converting it to a JKS file. for simplicity I put the JKS file in the tomcat directory. This command is run from the JRE bin directory whose exact location will vary depending on the Java version installed:

keytool -importkeystore -srckeystore "C:\path\to\your-new-pkcs12-file.pkcs12" -srcstoretype PKCS12 -destkeystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\your-new-JKS-file.jks"

On tomcat server open tomcat's server.xml file for editing (for me it was C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\Server.xml). Edit the "keystoreFile" parameter with the path to your jks file and the "keystorePass" parameter with the jks keystore password.