jimwillsher 64 Posted July 28, 2016 Share Posted July 28, 2016 Hello I currently access ERA 6.4 (Windows install, not the appliance) via a local NETBIOS name, e.g. https://eset-admin/era/ I have recently switched from Firefox to Chrome, and Chrome is more fussy about self-signed certificates than Firefox is. However I already own a wildcard certificate for *.mydomain.com and would like to start using this. I have 180+ clients live with Agent 6.4 so I don't want to mess anything up :-) What would be the correct procedure, in 6.4 on a Windows server (2012R2), to install a commercial wildcard certificate and then start using that for ERA ? Many thanks Jim Link to comment Share on other sites More sharing options...
ESET Staff MartinK 367 Posted July 28, 2016 ESET Staff Share Posted July 28, 2016 You have to re-configure tomcat7 installation to use your certificate instead of one generated during ERA installation (we are using still tomcat7 as in previous releases so there are no changes). Technically you have to create new java-style keystore with your certificate (public & private, certificate chain if required). This can be done in two steps described in tomcat7 manual. Once this file is created, you have to configure tomcat7 to start using new keystore instead of old one. This has to be done in file c:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml, where you should find "Connector" specification with parameters like keystoreFile, keyPass, keyAlias that has to be adapted for new keystore you just created. I recommend to copy whole connector definition, change port and keystore parameters and test it. Once done, you can remove original configuration, or even run both of them for some time. Link to comment Share on other sites More sharing options...
jimwillsher 64 Posted July 28, 2016 Author Share Posted July 28, 2016 Thanks Martin. I've also found this KB: hxxp://support.eset.com/kb3724/?locale=en_US but I'm struggling since I can't find server.xml. Any idea where this might lurk? Jim Link to comment Share on other sites More sharing options...
ESET Staff MartinK 367 Posted July 28, 2016 ESET Staff Share Posted July 28, 2016 Thanks Martin. I've also found this KB: hxxp://support.eset.com/kb3724/?locale=en_US but I'm struggling since I can't find server.xml. Any idea where this might lurk? Jim Maybe in x86 program files? There should definitely by somewhere installation directory of Apache Tomcat on your system drive. Link to comment Share on other sites More sharing options...
jimwillsher 64 Posted July 28, 2016 Author Share Posted July 28, 2016 Hmmm...... I'm getting nowhere I have a commercial certificate from PositiveSSL, for *.mydomain.com These are the steps I have taken (these are the full steps; nothing is omitted): Create the store keytool.exe -genkey -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "hello" -keypass "hello" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" Combine the certificates (use Notepad to combine star.mydomain.com.ca-bundle and star.mydomain.crt into a new file called combined.crt) Import the certificate keytool -import -trustcacerts -alias "av.mydomain.com" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -file "C:\Temp\combined.crt" The certificate is displayed and I choose to import it. Import is successful. i then edit C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\conf\server.xml, and at the bottom I change the SSL line to: <Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="hello" keyAlias="tomcat"/> in Chrome I get: Your connection is not private Attackers might be trying to steal your information from av.mydomain.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID Can anyone shed any light on what I'm doing (or not doing) wrong please? Many thanks Jim Link to comment Share on other sites More sharing options...
ESET Staff MartinK 367 Posted July 28, 2016 ESET Staff Share Posted July 28, 2016 Can anyone shed any light on what I'm doing (or not doing) wrong please? Many thanks Jim That's is because you created new self-signed certificate. Please check section "Importing the Certificate" in referenced tomcat7 manual (I linked exactly this section). There are two steps, and only first one is mandatory -> creating keystore and adding your certificate. Seconds step adds CA but that should not be required in case you use some kind of public CA available in system. Also make sure you create new keystore file and not use existing as it will append certificate and tomcat will most probably use original one. Link to comment Share on other sites More sharing options...
jimwillsher 64 Posted July 28, 2016 Author Share Posted July 28, 2016 I'm very grateful for the handholding here Martin. Ok, I've started again. I hadn't appreciated that a keystore actually held the CA details, so yes, my keystore was self-signed. I've now run these commands (a new keystore): keytool -import -alias root -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -trustcacerts -file "C:\Temp\star.mydomain.com.ca-bundle" -storepass "hello" -keypass "hello" keytool -import -alias tomcat -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -file "C:\Temp\star.mydomain.crt" Keytool now seems happy: C:\Program Files (x86)\Java\jre1.8.0_31\bin>keytool -list -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 2 entries root, 28-Jul-2016, trustedCertEntry, Certificate fingerprint (SHA1): xx:9C:DD:xx:CF:D5:xx:41:16:xx:61:5F:F3:14:28:78:2D:xx:xx:xx tomcat, 28-Jul-2016, trustedCertEntry, Certificate fingerprint (SHA1): xx:F6:D6:xx:B5:3A:xx:2B:96:xx:C4:02:6F:1D:6A:B5:0C:xx:xx:xx C:\Program Files (x86)\Java\jre1.8.0_31\bin> I've then edited the server.xml and restarted Tomcat service: <Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" keystorePass="hello" keyAlias="tomcat"/> Now I just get nothing When browsing https://av.mydomain.com/eraChrome sits for a few seconds and then tells me that the site isn't responding. I'm not familiar with Tomcat (as you can tell!) but in the default configuration it doesn't seem to log anything. Do you have any further thoughts please? Sorry be asking so many questions, but I suspect I'm not the only user who would like the option of a commercial cert. Many thanks Jim Link to comment Share on other sites More sharing options...
jimwillsher 64 Posted July 28, 2016 Author Share Posted July 28, 2016 I notice that with my alternative keystore line in the config: <!-- <Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\.keystore" keystorePass="xxx" keyAlias="tomcat"/> --> <Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" keystorePass="xxx" keyAlias="tomcat"/> after a restart of tomcat nothing is listening on 443. So Tomcat is objecting to something, either in that config or in the keystore. Link to comment Share on other sites More sharing options...
ESET Staff MartinK 367 Posted July 28, 2016 ESET Staff Share Posted July 28, 2016 Yes, it is most probably not able to start because of changes. Please check tomcat logs located somewhere around - it may indicate exact error, which will be most probably wrong password or certificate type. When I am looking on keytool command you used, my guess is that there is missing private key password (i.e. -keypass "hello" is missing in second keytool) - I hope there will be some details about startup failure ... Link to comment Share on other sites More sharing options...
Solution jimwillsher 64 Posted July 28, 2016 Author Solution Share Posted July 28, 2016 (edited) Result!!!!!!!! Google eventually found this for me https://forum.eset.com/topic/4986-era-v6-webconsole-ssl-certificate/ So, the steps which worked are as follows: Create the keystore, using the unaltered bundle file supplied from positiveSSL keytool -import -alias root -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -trustcacerts -file "C:\Temp\star.mydomain.com.ca-bundle" -storepass "hello" -keypass "hello" Combine the cert and private key openssl pkcs12 -export -in star.mydomain.com.crt -inkey star.mydomain.com.key -out star.mydomain.com.p12 -name tomcat Import the certificate keytool -importkeystore -deststorepass "hello" -destkeystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -srckeystore "C:\Temp\star.mydomain.com.p12" -srcstorepass "hello" -srcstoretype PKCS12 -alias tomcat Martin - thank you!!! You steered me onto the right track. I think the ultimate mistake was me missing "-name tomcat" when I generated my p12 file. Jim Edited July 28, 2016 by jimwillsher Link to comment Share on other sites More sharing options...
Dan Paluszek 0 Posted March 7, 2017 Share Posted March 7, 2017 I am posting what I did to import an existing wildcard cert (from rapidssl, if it makes a difference) because I found little info on it. This was done on a Windows 2012R2 box. So, if you are using a wildcard certificate to secure your ERA server you'll need to create a JKS keystore for tomcat to use. You do not need to create a new keystore with a CSR because the private key already exists. You will need: - All of your applicable intermediate certs (.crt files) - Your wildcard cert (.crt file) - Your private key (.key file) Combine your intermediate certs into a ca-bundle taking care of their hierarchal order. You can use any n*x machine for this. Or a text editor in Windows. The concept is the same. Now, assuming they are all in your working directory: cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.ca-bundle On any n*x machine with openssl installed convert your cert, private key, and ca-bundle into a pkcs12 file. I did this on a 10.11.6 OS X machine running openssl v0.9.8zh. Now, assuming files are all in your working directory: openssl pkcs12 -export -in your-wildcard-cert.crt -inkey private.key -out "/path/to/your-new-pkcs12-file.pkcs12" -name tomcat -CAfile mydomain.com.ca-bundle -caname root On the tomcat server, "import" the pkcs12 file by converting it to a JKS file. for simplicity I put the JKS file in the tomcat directory. This command is run from the JRE bin directory whose exact location will vary depending on the Java version installed: keytool -importkeystore -srckeystore "C:\path\to\your-new-pkcs12-file.pkcs12" -srcstoretype PKCS12 -destkeystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\your-new-JKS-file.jks" On tomcat server open tomcat's server.xml file for editing (for me it was C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\Server.xml). Edit the "keystoreFile" parameter with the path to your jks file and the "keystorePass" parameter with the jks keystore password. Link to comment Share on other sites More sharing options...
Recommended Posts