
Sec/User Mgmt: (Optional) Use a Custom Server Certificate

Document created by RSA Information Design and Development Employee on Apr 11, 2019. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 9

NetWitness Platform also allows you to configure a custom web server certificate to be used as the NetWitness Server certificate. By default, NetWitness Server uses a web server certificate generated by NetWitness Platform for HTTPS connections. You can configure a custom web server certificate even if PKI is not enabled.

Supported Keystore Formats

You must select the format that meets your requirement. The following keystore formats are supported:

  • For server certificate with its private key:
      • pfx/pkcs/p12 (PKCS8/PKCS12 are the standards)
      • jks (JKS standard)

Note: The .pfx, .p12, and .jks files are containers that can hold one or more private keys and their corresponding certificates or chains.

(Optional) Create a Certificate Signing Request (CSR) and Certificate Store for a Server Certificate

Note: The steps in this procedure allow you to create a CSR and certificate store for a server certificate.

If a server certificate has already been created along with its private key, you can upload the certificate directly to the NetWitness Server. If the server certificate has not been created, create a CSR and submit it to the Certificate Authority (CA) server to obtain a server certificate. Once the certificate is created, perform the following steps to package the private key and the signed certificate that must be uploaded to the NetWitness Server to be used as a server certificate.

To create a CSR for a Server Certificate:

1. Change the directory to /root:

cd /root

2. Create a new directory:

mkdir nw_pki_server_cert

3. Change the directory to the newly created directory:

cd nw_pki_server_cert

4. Create a Private Key of 2048 Bits:

openssl genrsa -out nw_server_pki_private_key.key 2048

5. Create a CSR:

openssl req -new -sha256 -key nw_server_pki_private_key.key -out server_cert_request.csr

When prompted, enter the subject details. For example, country: US, location: RT, and unit: RSA.

CN: ABCD (Hostname or IP Address of the Machine)

For multiple names, use values such as: CN=ABCD, CN=10.XX.XXX.XX

email: example@rsa.com

6. Check that the CSR and private key match:

openssl req -noout -modulus -in server_cert_request.csr | openssl sha256

openssl rsa -noout -modulus -in nw_server_pki_private_key.key | openssl sha256

For example:

[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in server_private.key | openssl sha256

(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl sha256

(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

Note: Make a note of both (stdin) values.

7. Submit the CSR to the CA and get a signed Server Certificate.

8. Copy the certificate in PEM format to the new directory:

/root/nw_pki_server_cert/signed_certificate.pem

9. Check the certificate for the correct public key.

openssl x509 -noout -modulus -in signed_certificate.pem | openssl sha256

For example:

[root@ABCD open_ssl_test]# mv test.pem certificate.pem

[root@ABCD open_ssl_test]# openssl x509 -noout -modulus -in certificate.pem | openssl sha256

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl sha256

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl sha256

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

10. Copy the Private Key and Certificate to a Key Store.

openssl pkcs12 -export -descert -name <myservercert> -in signed_certificate.pem -inkey nw_server_pki_private_key.key -out keystore.p12

11. Enter a password for the keystore when prompted, for example NetWitness@123.
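
The checks in steps 4 through 10, run non-interactively as one script. This is an added example, not part of the RSA documentation: the scratch directory, subject, alias and password are constructed, and a self-signed certificate stands in for the one returned by your CA in step 7.

```sh
#!/bin/sh
# Added example: scratch directory, subject, alias and password are constructed.
set -eu
umask 077   # keep the private key and keystore unreadable to other users

# modhash <rsa|req|x509> <file>: SHA-256 of the RSA modulus. Returns 2 when
# OpenSSL cannot read the file, rather than hashing a failed command's empty output.
modhash() {
  mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 2
  [ -n "$mod" ] || return 2
  printf '%s\n' "$mod" | openssl sha256 | awk '{print $NF}'
}

# check_match <key> <csr> [cert]: 0 = same modulus, 1 = mismatch, 2 = unreadable.
check_match() {
  kh=$(modhash rsa "$1") || return 2
  rh=$(modhash req "$2") || return 2
  [ "$kh" = "$rh" ] || { echo "CSR does not match private key" >&2; return 1; }
  [ -n "${3:-}" ] || return 0
  ch=$(modhash x509 "$3") || return 2
  [ "$kh" = "$ch" ] || { echo "certificate does not match private key" >&2; return 1; }
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
key=$work/nw_server_pki_private_key.key
csr=$work/server_cert_request.csr
crt=$work/signed_certificate.pem

# Steps 4-5: key and CSR, with the subject given by -subj instead of prompts.
openssl genrsa -out "$key" 2048 2>/dev/null
openssl req -new -sha256 -key "$key" -out "$csr" -subj "/C=US/L=RT/OU=RSA/CN=nw.example.test"
# Step 7 stand-in (assumption): self-sign here instead of submitting to a CA.
openssl x509 -req -in "$csr" -signkey "$key" -days 1 -out "$crt" 2>/dev/null
check_match "$key" "$csr" "$crt"            # steps 6 and 9

# Failure mode: a CSR checked against an unrelated key must be rejected.
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
if check_match "$work/other.key" "$csr" 2>/dev/null; then exit 1; fi

# Step 10: the keystore password comes from the environment, not the command line.
KEYSTORE_PASS='Constructed-Example-1'; export KEYSTORE_PASS
openssl pkcs12 -export -descert -name myservercert -in "$crt" -inkey "$key" \
  -out "$work/keystore.p12" -passout env:KEYSTORE_PASS
# Read the certificate back out of the keystore and confirm it still matches the key.
openssl pkcs12 -in "$work/keystore.p12" -nokeys -passin env:KEYSTORE_PASS \
  -out "$work/from_p12.pem" 2>/dev/null
check_match "$key" "$csr" "$work/from_p12.pem"
echo "key, CSR, certificate and keystore agree"
```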

Import an NW Server Certificate with its Private Key

  1. Go to (Admin) > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the Server Certificates section, click the add icon.
    The Import Server Certificates dialog is displayed.

  4. In the Keystore/Certificate File field, click Browse and select the keystore.
  5. In the Password field, enter the keystore password.
  6. In the Appliance To Use field, select the appliance for which you want to use this certificate.
  7. (Optional) Select the Overwrite Existing Entries checkbox to overwrite the entries of the certificate that is already added.
  8. Click Save.
    The NetWitness Server certificate with its private key is successfully added to NetWitness Platform.

Note: When the certificate is being applied on the selected appliance, no other operation on PKI can be performed until the process is completed.
Double-click on the added entries to view the details of the certificate.

  9. To apply the server certificate on a server, select a certificate and click the synchronization button.

Note: Uploading a keystore adds the server certificate and its private key locally. To apply a server certificate on a server, you need to select a server certificate and click the synchronization button.
All server certificates are also synchronized on the appliances when PKI is enabled.
