000023693 - How to Install a Third Party Certificate into RSA enVision

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Number: 000023693
Applies To:
RSA Product Set: enVision
RSA Product/Service Type: enVision
RSA Version/Condition: 3.7.x, 4.x
Issue: How to Install a Third Party Certificate into enVision
Certificate Error
Cause: Secure administration of enVision can be achieved by using HTTPS to connect to the administration GUI (by default this is https://server:8443/login.jsp ), and the system ships with a preconfigured default keypair. It is possible to replace the pre-supplied keypair with a unique, site-specific keypair.
If the default keypair is used, the browser shows a certificate error as a warning when you connect to the admin GUI. You may still proceed to the admin GUI, bearing in mind that the default key is being used.
Resolution: To install your own, site-specific keypair, carry out the following steps:
1. Backup the existing keystore file.
Log in to the enVision server (A-Srv for LS, or ES) using the master account.
cd /d %_envision%\conf
copy .keystore original.keystore

2. Generate a keystore certificate file.
..\jdk\jre\bin\keytool -genkey -keyalg RSA -keystore .keystore -validity 365 -alias tomcat -storepass enVision -keypass enVision
What is your first and last name?
  [Unknown]: hostname
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is <CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown> correct
  [no]:  yes

The -keypass and -storepass passwords are both “enVision”, and must not be changed.
The example shows a certificate -validity of 365 days (1 year); this value can be changed to something appropriate for your environment.
The first and last name is the machine's hostname (without spaces, and case-sensitive). The hostname can be seen in the output of the command ipconfig /all |findstr Host
3. Create a certificate signing request (csr) file.
..\jdk\jre\bin\keytool -certreq -keyalg RSA -file certreq.csr -keystore .keystore -alias tomcat -keypass enVision -storepass enVision

4. (Optional) You can look at the content of the created certificate signing request (csr) text file, certreq.csr.
For example:
type certreq.csr

5. Send the certreq.csr file to the third party you have chosen to sign the certificate; this may be an external company or an internal certificate authority (CA).
In return, you will receive a number of certificates, either as files or sometimes as an email listing the locations from which to download the certificates.
Be sure to ask for a server certificate (at least TLS web server authentication, and SSL server extensions enabled). You should have at least two certificate files, often three or more.
6. The CA signs your request with its private key and sends you a validated certificate.
The CA also sends you a root CA certificate and, if applicable, an intermediate CA certificate.
Copy all the CA certificate files to the enVision server %_envision%\conf directory.
7. Install the root certificate first, using the password “enVision”, and answering yes when the certificate details are displayed and you are asked to add the certificate to the keystore.
..\jdk\jre\bin\keytool -import -trustcacerts -alias root -keystore .keystore -file location_of_root_cert.crt -storepass enVision
Owner: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=user@company.com
Issuer: CN=Production2048, OU=CSAU, O=RSA, C=AU, EMAILADDRESS=user@company.com
Serial number: 5ba1b42e6157511b406fefb3c524dc8e
Valid from: Tue Dec 18 10:38:01 EST 2007 until: Sun Jan 02 10:54:13 EST 2011
Certificate fingerprints:
         MD5:  40:75:C1:EB:D0:26:4E:C9:9B:59:6D:58:F8:2F:6D:BE
         SHA1: 07:EF:D7:0D:35:0B:31:49:DE:20:0A:B7:8C:B9:28:B3:C0:CC:D2:2E
Trust this certificate? [no]:  yes
Certificate was added to keystore

Any intermediate certificate must be installed next, using the password “enVision”. For example, here two intermediate certificates are installed, with a different alias name invented for each one (the actual alias names are unimportant).
..\jdk\jre\bin\keytool -import -alias inter1 -keystore .keystore -file intermediate1.crt -storepass enVision
Certificate was added to keystore
..\jdk\jre\bin\keytool -import -alias inter2 -keystore .keystore -file intermediate2.crt -storepass enVision
Certificate was added to keystore

8. Install the signed server certificate, using the password “enVision”, and answering yes when asked to add the certificate to the keystore.
..\jdk\jre\bin\keytool -import -alias tomcat -keystore .keystore -file server.crt -storepass enVision -keypass enVision
Certificate reply was installed in keystore

9. Copy \jdk\jre\bin\.keystore to the %_envision%\conf directory.
copy %_envision%\jdk\jre\bin\.keystore %_envision%\conf

10. The root Certification Authority certificate (and also the intermediate, if present) has to be imported into the Windows computer trust store.
In Windows select, Start -> Run -> enter mmc -> OK
Click File -> Add/Remove Snap-In -> select Certificates -> click Add
Select Computer Account -> Next -> Finish -> OK
From the Console Root open Certificates, and Trusted Root Certification Authorities
Right-click Certificates -> All Tasks -> Import -> Next
Browse to the CA Root certification file
Next -> Next -> Finish
Exit the mmc, and select not to save console settings.

11. Stop and restart the NIC Web Server service.
Note: Stopping the NIC Web Server service will result in the NIC Alerter service being stopped.
So after the NIC Web Server service returns to a “Started” state, restart the NIC Alerter service.
The installation is complete.
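A check of the CA reply against the rules in steps 2 to 8 (CN equal to the case-sensitive hostname, TLS web server authentication extended key usage, a chain through the intermediates to the root), written in Go as an added example that is not part of the RSA article or of enVision. MakeCert builds a constructed root, intermediate and server certificate in memory in place of a real CA; VerifyServerCert is the check a practitioner would run before importing the reply under alias tomcat; the hostname envision01 is an assumed value.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// MakeCert stands in for the CA's signing step: an RSA certificate for cn, valid for
// validityDays, signed by parent and parentKey (self-signed root when parent is nil).
func MakeCert(cn string, isCA bool, validityDays int, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Duration(validityDays) * 24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // the server certificate must carry the TLS web server authentication EKU
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { parent, parentKey = tmpl, key } // root signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// VerifyServerCert checks the CA reply before it is imported under alias tomcat: the CN equals
// the hostname (case-sensitive), the server auth EKU is present and it chains to a trusted root.
func VerifyServerCert(leaf *x509.Certificate, inters, roots []*x509.Certificate, hostname string) error {
	if leaf.Subject.CommonName != hostname {
		return fmt.Errorf("CN %q does not match hostname %q", leaf.Subject.CommonName, hostname)
	}
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rp.AddCert(c) }
	for _, c := range inters { ip.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
// DemoCheck builds a constructed root -> intermediate -> server chain with leaf CN leafCN and verifies it for hostname.
func DemoCheck(leafCN, hostname string) error {
	root, rootKey := MakeCert("Demo Root CA", true, 3650, nil, nil)
	inter, interKey := MakeCert("Demo Intermediate CA", true, 1825, root, rootKey)
	leaf, _ := MakeCert(leafCN, false, 365, inter, interKey)
	return VerifyServerCert(leaf, []*x509.Certificate{inter}, []*x509.Certificate{root}, hostname)
}

func main() { fmt.Println("chain error:", DemoCheck("envision01", "envision01")) }
```

A leaf whose CN differs from the hostname only in case (ENVISION01 versus envision01) is rejected, which is the mismatch step 2 warns about.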
Legacy Article ID: a36779