Correct procedure to install a commercial wildcard cert into ERA 6.4


Solved by jimwillsher

Hello

I currently access ERA 6.4 (Windows install, not the appliance) via a local NETBIOS name, e.g.

https://eset-admin/era/

I have recently switched from Firefox to Chrome, and Chrome is more fussy about self-signed certificates than Firefox is. However, I already own a wildcard certificate for *.mydomain.com and would like to start using this. I have 180+ clients live with Agent 6.4 so I don't want to mess anything up :-)

What would be the correct procedure, in 6.4 on a Windows server (2012R2), to install a commercial wildcard certificate and then start using that for ERA?

Many thanks

Jim

  • ESET Staff

You have to re-configure the tomcat7 installation to use your certificate instead of the one generated during ERA installation (we are still using tomcat7 as in previous releases, so there are no changes).

Technically you have to create a new Java-style keystore with your certificate (public & private, certificate chain if required). This can be done in two steps described in the tomcat7 manual. Once this file is created, you have to configure tomcat7 to start using the new keystore instead of the old one. This has to be done in the file c:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\server.xml, where you should find the "Connector" specification with parameters like keystoreFile, keyPass, keyAlias that have to be adapted for the new keystore you just created. I recommend copying the whole connector definition, changing the port and keystore parameters and testing it. Once done, you can remove the original configuration, or even run both of them for some time.


Thanks Martin. I've also found this KB:

hxxp://support.eset.com/kb3724/?locale=en_US

but I'm struggling since I can't find server.xml. Any idea where this might lurk?

Jim

  • ESET Staff

Maybe in x86 program files? There should definitely be an Apache Tomcat installation directory somewhere on your system drive.


Hmmm...... I'm getting nowhere :(

I have a commercial certificate from PositiveSSL, for *.mydomain.com

These are the steps I have taken (these are the full steps; nothing is omitted):

Create the store

keytool.exe -genkey -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "hello" -keypass "hello" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

Combine the certificates

(use Notepad to combine star.mydomain.com.ca-bundle and star.mydomain.crt into a new file called combined.crt)

Import the certificate

keytool -import -trustcacerts -alias "av.mydomain.com" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -file "C:\Temp\combined.crt"

The certificate is displayed and I choose to import it. Import is successful.

I then edit C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\conf\server.xml, and at the bottom I change the SSL line to:

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" keystorePass="hello" keyAlias="tomcat"/>

In Chrome I get:

Your connection is not private

Attackers might be trying to steal your information from av.mydomain.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

Can anyone shed any light on what I'm doing (or not doing) wrong please?

Many thanks

Jim

  • ESET Staff

That is because you created a new self-signed certificate.

Please check the section "Importing the Certificate" in the referenced tomcat7 manual (I linked exactly this section). There are two steps, and only the first one is mandatory -> creating the keystore and adding your certificate. The second step adds the CA, but that should not be required in case you use some kind of public CA available in the system. Also make sure you create a new keystore file and do not use the existing one, as it will append the certificate and tomcat will most probably use the original one.


I'm very grateful for the handholding here Martin.

Ok, I've started again. I hadn't appreciated that a keystore actually held the CA details, so yes, my keystore was self-signed.

I've now run these commands (a new keystore):

keytool -import -alias root -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -trustcacerts -file "C:\Temp\star.mydomain.com.ca-bundle" -storepass "hello" -keypass "hello"

keytool -import -alias tomcat -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -file "C:\Temp\star.mydomain.crt"

Keytool now seems happy:

C:\Program Files (x86)\Java\jre1.8.0_31\bin>keytool -list -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore"
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, 28-Jul-2016, trustedCertEntry,
Certificate fingerprint (SHA1): xx:9C:DD:xx:CF:D5:xx:41:16:xx:61:5F:F3:14:28:78:2D:xx:xx:xx
tomcat, 28-Jul-2016, trustedCertEntry,
Certificate fingerprint (SHA1): xx:F6:D6:xx:B5:3A:xx:2B:96:xx:C4:02:6F:1D:6A:B5:0C:xx:xx:xx

C:\Program Files (x86)\Java\jre1.8.0_31\bin>

I've then edited the server.xml and restarted the Tomcat service:

<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" keystorePass="hello" keyAlias="tomcat"/>

Now I just get nothing :( When browsing https://av.mydomain.com/era Chrome sits for a few seconds and then tells me that the site isn't responding.

I'm not familiar with Tomcat (as you can tell!) but in the default configuration it doesn't seem to log anything.

Do you have any further thoughts please?

Sorry to be asking so many questions, but I suspect I'm not the only user who would like the option of a commercial cert.

Many thanks

Jim

I notice that with my alternative keystore line in the config:

<!--
<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\.keystore" keystorePass="xxx" keyAlias="tomcat"/>
-->
<Connector server="OtherWebServer" port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" keystorePass="xxx" keyAlias="tomcat"/>

after a restart of tomcat nothing is listening on 443. So Tomcat is objecting to something, either in that config or in the keystore.
  • ESET Staff

Yes, it is most probably not able to start because of the changes. Please check the tomcat logs located somewhere around - they may indicate the exact error, which will most probably be a wrong password or certificate type.

When I look at the keytool command you used, my guess is that the private key password is missing (i.e. -keypass "hello" is missing in the second keytool) - I hope there will be some details about the startup failure ...

  • Solution

Result!!!!!!!!

Google eventually found this for me

https://forum.eset.com/topic/4986-era-v6-webconsole-ssl-certificate/

So, the steps which worked are as follows:

Create the keystore, using the unaltered bundle file supplied from positiveSSL

keytool -import -alias root -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -trustcacerts -file "C:\Temp\star.mydomain.com.ca-bundle" -storepass "hello" -keypass "hello"

Combine the cert and private key

openssl pkcs12 -export -in star.mydomain.com.crt -inkey star.mydomain.com.key -out star.mydomain.com.p12 -name tomcat

Import the certificate

keytool -importkeystore -deststorepass "hello" -destkeystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\JimESET.keystore" -srckeystore "C:\Temp\star.mydomain.com.p12" -srcstorepass "hello" -srcstoretype PKCS12 -alias tomcat

Martin - thank you!!! You steered me onto the right track. I think the ultimate mistake was me missing "-name tomcat" when I generated my p12 file.

Jim

Edited by jimwillsher
  • 7 months later...

I am posting what I did to import an existing wildcard cert (from rapidssl, if it makes a difference) because I found little info on it. This was done on a Windows 2012R2 box.

So, if you are using a wildcard certificate to secure your ERA server you'll need to create a JKS keystore for tomcat to use. You do not need to create a new keystore with a CSR because the private key already exists.

You will need:
- All of your applicable intermediate certs (.crt files)
- Your wildcard cert (.crt file)
- Your private key (.key file)

Combine your intermediate certs into a ca-bundle, taking care of their hierarchical order. You can use any n*x machine for this, or a text editor in Windows. The concept is the same. Now, assuming they are all in your working directory:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.ca-bundle

On any n*x machine with openssl installed convert your cert, private key, and ca-bundle into a pkcs12 file. I did this on a 10.11.6 OS X machine running openssl v0.9.8zh. Now, assuming files are all in your working directory:

openssl pkcs12 -export -in your-wildcard-cert.crt -inkey private.key -out "/path/to/your-new-pkcs12-file.pkcs12" -name tomcat -CAfile mydomain.com.ca-bundle -caname root

On the tomcat server, "import" the pkcs12 file by converting it to a JKS file. For simplicity I put the JKS file in the tomcat directory. This command is run from the JRE bin directory, whose exact location will vary depending on the Java version installed:

keytool -importkeystore -srckeystore "C:\path\to\your-new-pkcs12-file.pkcs12" -srcstoretype PKCS12 -destkeystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\your-new-JKS-file.jks"

On the tomcat server, open tomcat's server.xml file for editing (for me it was C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\Server.xml). Edit the "keystoreFile" parameter with the path to your jks file and the "keystorePass" parameter with the jks keystore password.
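As an added example, not code from this thread or from ESET, the following POSIX shell script performs the two procedures above (the solution post and this one) end to end and then checks the result the way the earlier `keytool -list` output should have been read: the `tomcat` alias must be a PrivateKeyEntry, not a trustedCertEntry. It assumes `openssl` and `keytool` are on PATH; the file names and the password "hello" are placeholders, and it embeds the chain with `-certfile` rather than `-CAfile`.

```shell
#!/bin/sh
# Added example (not from the thread or from ESET). Builds a fresh JKS keystore
# for Tomcat from a PEM certificate, its private key and the CA bundle, then
# checks that the alias is a PrivateKeyEntry. The thread's failing keystore
# listed two trustedCertEntry rows and no private key, which is exactly what
# this check catches. Tool names are real (openssl, keytool); the file names
# and the password "hello" are placeholders.

# keystore_has_private_key ALIAS  -- reads `keytool -list` output on stdin.
# keytool prints one "alias, date, entryType," line per entry; the date may
# itself contain a comma ("Jul 28, 2016"), hence the loose middle match.
keystore_has_private_key() {
    grep -q "^$1, .*, PrivateKeyEntry,"
}

# key_matches_cert CERT.pem KEY.pem -- the RSA modulus must be identical,
# otherwise Tomcat will not start or will serve a mismatched certificate.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ "$c" = "$k" ]
}

# build_keystore CERT KEY BUNDLE DEST.jks PASSWORD
build_keystore() {
    cert=$1; key=$2; bundle=$3; dest=$4; pass=$5
    key_matches_cert "$cert" "$key" || { echo "key/cert mismatch" >&2; return 1; }
    # 1. PKCS12 holding key + cert + chain (-certfile embeds the bundle
    #    explicitly); -name becomes the alias that keyAlias="tomcat" in
    #    server.xml refers to.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$bundle" \
        -name tomcat -out "$dest.p12" -passout "pass:$pass" || return 1
    # 2. Convert into a *new* JKS; appending to the ERA-generated keystore
    #    leaves Tomcat using the original entry.
    keytool -importkeystore -srckeystore "$dest.p12" -srcstoretype PKCS12 \
        -srcstorepass "$pass" -destkeystore "$dest" -deststoretype JKS \
        -deststorepass "$pass" -alias tomcat || return 1
    rm -f "$dest.p12"   # the intermediate file also contains the private key
    # 3. Verify before editing server.xml: the alias must be a PrivateKeyEntry.
    keytool -list -keystore "$dest" -storepass "$pass" | keystore_has_private_key tomcat
}

# Usage: sh build-keystore.sh star.mydomain.com.crt star.mydomain.com.key \
#        mydomain.com.ca-bundle "/c/Program Files/Apache Software Foundation/Tomcat 7.0/era.jks" hello
if [ "$#" -eq 5 ]; then
    build_keystore "$@" && echo "keystore $4 ready for server.xml"
fi
```

If the final check fails, the keystore holds only certificates (as in the listing earlier in the thread) and Tomcat will either refuse to start or keep serving its original certificate.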
