Sec/User Mgmt: (Optional) Use a Custom Server Certificate

Document created by RSA Information Design and Development on Apr 11, 2019. Last modified by RSA Information Design and Development on Jan 30, 2020. Version 5.
 

NetWitness Platform also allows you to configure a custom web server certificate to be used as the NetWitness Server certificate. By default, NetWitness Server uses a web server certificate generated by NetWitness Platform for HTTPS connections. You can configure a custom web server certificate even if PKI is not enabled.

Supported Keystore Formats

Select the format that meets your requirements. The following keystore formats are supported:

  • For server certificate with its private key:
      • pfx/pkcs/p12 (PKCS8/PKCS12 are the standards)
      • jks (JKS standard)

Note: The .pfx, .p12 and .jks files are containers that can hold one or more private keys and their corresponding certificates or certificate chains.

(Optional) Create a Certificate Signing Request (CSR) and Certificate Store for a Server Certificate

Note: The steps in this procedure allow you to create a CSR and certificate store for a server certificate.

If a server certificate has already been created along with its private key, you can upload the certificate directly to the NetWitness Server. If the server certificate has not been created, create a CSR and submit it to the Certificate Authority (CA) server to obtain a server certificate. Once the certificate is created, perform the following steps to package the private key and the signed certificate that must be uploaded to the NetWitness Server to be used as a server certificate.

To create a CSR for a Server Certificate:

1. Change the directory to /root:

cd /root

2. Create a new directory:

mkdir nw_pki_server_cert

3. Change the directory to the newly created directory:

cd nw_pki_server_cert

4. Create a Private Key of 2048 Bits:

openssl genrsa -out nw_server_pki_private_key.key 2048

5. Create a CSR:

openssl req -new -sha256 -key nw_server_pki_private_key.key -out server_cert_request.csr

When prompted, enter the certificate subject details. For example, country: US, location: RT, and unit: RSA.

CN: ABCD (Hostname or IP Address of the Machine)

For multiple names, use values such as: CN=ABCD, CN=10.XX.XXX.XX

email: example@rsa.com

6. Check that the CSR and the private key match. Both commands must print the same digest:

openssl req -noout -modulus -in server_cert_request.csr | openssl md5

openssl rsa -noout -modulus -in nw_server_pki_private_key.key | openssl md5

For example:

[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in server_private.key | openssl md5

(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl md5

(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

Note: Make a note of both (stdin) values.

7. Submit the CSR to the CA and get a signed Server Certificate.

8. Copy the certificate in PEM format to the new directory:

/root/nw_pki_server_cert/signed_certificate.pem

9. Check that the certificate contains the correct public key. The digest must match the values noted in step 6:

openssl x509 -noout -modulus -in signed_certificate.pem | openssl md5

For example:

[root@ABCD open_ssl_test]# mv test.crt certificate.crt

[root@ABCD open_ssl_test]# openssl x509 -noout -modulus -in certificate.crt | openssl md5

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl md5

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl md5

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

10. Copy the private key and the certificate to a keystore:

openssl pkcs12 -export -descert -name <myservercert> -in signed_certificate.pem -inkey nw_server_pki_private_key.key -out keystore.p12

11. When prompted, enter the password for the keystore, for example NetWitness@123.
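
The checks in steps 6, 9 and 10 can be run in one pass before the keystore is uploaded. The script below is an added example, not part of the RSA procedure: it compares a SHA-256 digest of the public key (rather than an MD5 of the RSA modulus, so it also works for non-RSA keys) across the private key, CSR, signed certificate and, optionally, the keystore. The function names and the KEYSTORE_PASS environment variable are assumptions; the file names are those used in the steps above.

```sh
#!/bin/sh
# Added example, not RSA's code. File names follow steps 4-10; function names are hypothetical.
# The keystore password is read from the KEYSTORE_PASS environment variable (assumption),
# which keeps it out of the process argument list.

# Print the SHA-256 of the public key held in a private key, CSR, certificate or PKCS#12 file.
pub_digest() {  # usage: pub_digest key|csr|cert|p12 FILE
  case "$1" in
    key)  _pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  _pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) _pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    p12)  _pem=$(openssl pkcs12 -in "$2" -nokeys -clcerts -passin env:KEYSTORE_PASS 2>/dev/null |
                 openssl x509 -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  # Empty output means the file is missing, unparsable, or the password is wrong.
  [ -n "$_pem" ] || return 1
  printf '%s\n' "$_pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when every file carries the same public key; print that digest.
check_server_cert_files() {  # usage: KEY CSR CERT [KEYSTORE]
  _k=$(pub_digest key "$1")  || { echo "cannot read private key: $1" >&2; return 1; }
  _r=$(pub_digest csr "$2")  || { echo "cannot read CSR: $2" >&2; return 1; }
  _c=$(pub_digest cert "$3") || { echo "cannot read certificate: $3" >&2; return 1; }
  [ "$_k" = "$_r" ] || { echo "CSR was not generated from this private key" >&2; return 1; }
  [ "$_k" = "$_c" ] || { echo "certificate does not match the private key" >&2; return 1; }
  if [ -n "${4:-}" ]; then
    _p=$(pub_digest p12 "$4") || { echo "cannot open keystore: $4" >&2; return 1; }
    [ "$_k" = "$_p" ] || { echo "keystore holds a different certificate" >&2; return 1; }
  fi
  echo "$_k"
}

# Run from /root/nw_pki_server_cert with the three files and, optionally, keystore.p12.
if [ "$#" -ge 3 ]; then
  check_server_cert_files "$@"
fi
```

A non-zero exit status identifies which file is inconsistent, so a mismatched certificate is caught before it reaches the Import Server Certificates dialog.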

Import an NW Server Certificate with its Private Key

  1. Go to Admin > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the Server Certificates section, click the add icon.
    The Import Server Certificates dialog is displayed.

  4. In the Keystore/Certificate File field, click Browse and select the keystore.
  5. In the Password field, enter the keystore password.
  6. In the Appliance To Use field, select the appliance for which you want to use this certificate.
  7. (Optional) Select the Overwrite Existing Entries checkbox to overwrite the entries of the certificate that is already added.
  8. Click Save.
    The NetWitness Server certificate with its private key is successfully added to NetWitness Platform.

Note: When the certificate is being applied on the selected appliance, no other operation on PKI can be performed until the process is completed.
Double-click on the added entries to view the details of the certificate.

  9. To apply the server certificate on a server, select a certificate and click the synchronization button.

Note: Uploading a keystore adds the server certificate and its private key locally. To apply a server certificate on a server, you need to select a server certificate and click the synchronization button.
All server certificates are also synchronized on the appliances when PKI is enabled.
