000033460 - Using Certificates Generated from a Third Party Certificate Authority with RSA ECAT

Document created by RSA Customer Support Employee on Jul 6, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000033460
Applies To: RSA Product Set: ECAT
RSA Product/Service Type: ECAT
RSA Version/Condition: 4.X
Platform: Windows
 
Issue: You want to use your own certificates with ECAT rather than the ones generated by the installer.
Tasks: Note that the actual steps you use will depend on your own Certificate Authority. This article shows the steps taken with a Microsoft 2008 Certificate Authority.
First install the product so that the self-generated ECAT certificates are installed. We will replace them with our own generated certificates.
  1. In Microsoft CA, generate an ECAT Server Certificate Template with the following attributes:
It is important that the Private Key is marked as Exportable and that the Server Authentication application policy is selected.
 


      2. Repeat the process to create an ECAT Client Certificate Template. The important part is again to make sure that the private key is marked as exportable and that the application policy is "Client Authentication".
      3. Make sure that you can issue certificates with these templates.

      4. On the ECAT machine, open the MMC console and add the Certificates snap-in for both the current user and the Local Computer. Request new certificates using the ECAT Server and ECAT Client Certificate Templates that you created in steps 1 and 2 above. It will be necessary to request the certificate as the local user.
 


      5. For the Subject Name of the Server Certificate you can put any name, e.g. "ECAT Server".
 

      6. For the ECAT Client specify a client name as "ECAT CLIENT"


      7. Enrol to receive your certificates
 

      8. The requested certificates will appear in the Current User personal Certificate Store.
 

      9. Copy the certificates

 

      10. Paste the certificates into the Local Computer Personal Certificate Store.


      11. Edit the consoleServer.exe.config file with your new settings:
 
 Replace the values as follows:


<add key="LocalHttpsServerCert" value="ECAT SERVER"></add>

<add key="LocalHttpsServerCertHash" value="fe035236b5ce9430625275f6b2e7b2104ef8d0e"></add>

<add key="LocalHttpsClientCert" value="Ecat Client"></add>


 Note that the LocalHttpsServerCertHash value is the thumbprint of the ECAT SERVER certificate. The names of the certificates are case sensitive and must match exactly.

      12. Restart the ECAT Console Service and verify that the service starts and is listening.
      13. Choose these certificates in the Agent Packager and test the connection.
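
A pre-restart check for steps 10 to 12, as an added example that is not part of the original article or RSA's own tooling: it reads the three keys from consoleServer.exe.config and cross-checks them against the Local Computer Personal store (private key present, expected application policy, thumbprint match). Assumptions: the config path is passed in as a parameter because the article does not give it, and the configured names are compared with each certificate's subject common name.

```powershell
# Added example: cross-check consoleServer.exe.config against Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConfigPath   # full path to consoleServer.exe.config (not stated in the article)
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication application policy
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication application policy

[xml]$config = Get-Content -Path $ConfigPath
function Get-Setting([string]$Key) {
    $node = $config.SelectSingleNode("//add[@key='$Key']")
    if ($null -eq $node) { throw "Key '$Key' not found in $ConfigPath" }
    $node.GetAttribute('value')
}

$serverName = Get-Setting 'LocalHttpsServerCert'
$clientName = Get-Setting 'LocalHttpsClientCert'
$rawHash    = Get-Setting 'LocalHttpsServerCertHash'

# Thumbprints pasted from the certificate dialog can carry spaces or an
# invisible leading character, so keep hex digits only before comparing.
$thumbprint = ($rawHash -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($rawHash -match '[^0-9A-Fa-f]') { Write-Warning 'LocalHttpsServerCertHash contains non-hex characters.' }
if ($thumbprint.Length -ne 40) {
    Write-Warning "LocalHttpsServerCertHash has $($thumbprint.Length) hex characters; a thumbprint has 40."
}

$store = Get-ChildItem -Path Cert:\LocalMachine\My

function Test-EcatCert([string]$Name, [string]$Oid, [string]$ExpectedThumbprint) {
    # Assumption: the configured name is matched case-sensitively against the subject CN.
    $found = @($store | Where-Object { $_.GetNameInfo('SimpleName', $false) -ceq $Name })
    if ($found.Count -eq 0) { Write-Warning "No certificate named '$Name' in LocalMachine\My."; return }
    foreach ($cert in $found) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Name           = $Name
            Thumbprint     = $cert.Thumbprint
            HasPrivateKey  = $cert.HasPrivateKey
            HasExpectedEku = $ekus -contains $Oid
            NotExpired     = (Get-Date) -lt $cert.NotAfter
            HashMatches    = if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { $null }
        }
    }
}

Test-EcatCert $serverName $serverAuthOid $thumbprint
Test-EcatCert $clientName $clientAuthOid ''
```

Run it from an elevated PowerShell 3.0 or later session; any row showing False for HasPrivateKey, HasExpectedEku or HashMatches points to the template or config value to correct before restarting the service.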
 