Sec/User Mgmt: Step 3. Import Server Certificate and Trusted CA Certificate

Document created by RSA Information Design and Development on Mar 23, 2017. Last modified by RSA Information Design and Development on Apr 7, 2017.
Version 2

By default, the Security Analytics server uses a web server certificate generated by Security Analytics for HTTPS connections. Security Analytics also allows you to configure a custom web server certificate to be used as the Security Analytics server certificate. You can configure a custom web server certificate even if PKI is not enabled.

Supported Certificate Formats

The following certificate formats are supported. Select the format that meets your requirement:

  • For a server certificate with its private key:
    • pkcs12 or .p12
    • jks
    • pfx
  • For a trusted CA certificate:
    • pkcs12 or .p12
    • jks
    • pfx
    • pem
    • crt
    • der
    • cer

Note: The .pfx, .p12, and .jks formats are containers that can hold one or more private keys with their certificate chains, or certificates alone. PEM is a Base64-encoded format that can contain multiple certificates.

Procedures

(Optional) Create a Certificate Signing Request (CSR) and Certificate Store for Jetty Certificate

Note: The optional steps in this procedure allow you to create a CSR and a certificate store for the Jetty certificate.

The CSR can then be submitted to a Certificate Authority (CA) to obtain a server certificate based on it. Once the certificate has been issued, these steps show how to package the private key and the signed certificate into a store that can be uploaded to the Security Analytics server for use as the server certificate. If a server certificate and its private key already exist, you can skip these steps and proceed directly to uploading it to the Security Analytics server.

Perform the following steps to create a CSR for Jetty Certificate:

1. Change the directory to /root:

cd /root

2. Create a new directory:

mkdir sa_pki_server_cert

3. Change the directory to the newly created directory:

cd sa_pki_server_cert

4. Create a Private Key of 2048 Bits:

openssl genrsa -out sa_server_pki_private_key.key 2048

5. Create a CSR:

openssl req -new -sha256 -key sa_server_pki_private_key.key -out server_cert_request.csr

For example, answer the prompts with country: IN (India), location: BLR (Bengaluru), organization: EMC, and unit: RSA.

CN: ABCD (hostname or IP address of the machine)

For multiple names, use values such as: ABCD, CN=10.31.244.101

email: admin@emc.com

6. Check that the CSR and the private key match:

openssl req -noout -modulus -in server_cert_request.csr | openssl md5

openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl md5

Example output:

[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in server_private.key | openssl md5

(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl md5

(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

Note: Make a note of both (stdin)= hash values; they must be identical.

7. Submit the CSR to a CA and get a signed certificate.

8. Copy the Certificate in PEM format to the newly created directory:

/root/sa_pki_server_cert/signed_certificate.pem

9. Check that the certificate received from the CA carries the correct public key, that is, its modulus hash matches the two outputs above. If the values do not match, one of the previous steps was missed.

openssl x509 -noout -modulus -in certificate.crt | openssl md5

Note: xca is an excellent tool for carrying out these operations.

For example:

[root@ABCD open_ssl_test]# mv test.crt certificate.crt

[root@ABCD open_ssl_test]# openssl x509 -noout -modulus -in certificate.crt | openssl md5

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl md5

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl md5

(stdin)= 3e2f4bbd1f32ae097902afcc1893089e

10. Copy the Private Key and Certificate to a Key Store.

openssl pkcs12 -export -descert -name <myservercert> -in signed_certificate.pem -inkey sa_server_pki_private_key.key -out keystore.p12

11. When prompted, provide a password for the key store, for example sa.
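The consistency check of steps 4 through 11 (key, CSR and signed certificate must all carry the same modulus before packaging) as an added shell script that is not part of the RSA documentation. It assumes openssl is on PATH, supplies the example subject non-interactively instead of answering the prompts, and stands in for the CA of step 7 with a self-signed certificate so it runs offline.

```shell
# Added example, not from the RSA documentation: automates steps 4 to 11 of the CSR
# procedure. Assumes openssl is on PATH. The CA of step 7 is simulated with a self-signed
# certificate; the page's -descert flag is omitted as it is not needed for the check shown.
set -eu
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/sa_server_pki_private_key.key"
CSR="$WORK/server_cert_request.csr"
CRT="$WORK/signed_certificate.pem"
P12="$WORK/keystore.p12"
# Subject from the page's example values, given non-interactively instead of at the prompts.
SUBJ="/C=IN/L=BLR/O=EMC/OU=RSA/CN=ABCD/emailAddress=admin@emc.com"

# MD5 of the RSA modulus, as the procedure does with "| openssl md5" (steps 6 and 9).
# $1 is the openssl subcommand (rsa, req or x509), $2 the file to read.
modulus_md5() {
  openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Steps 4 and 5: 2048-bit private key and SHA-256 CSR.
make_key_and_csr() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -sha256 -key "$KEY" -subj "$SUBJ" -out "$CSR" 2>/dev/null
}

# Stand-in for step 7 (submitting the CSR to a CA): self-sign it locally.
sign_csr_locally() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CRT" 2>/dev/null
}

# Steps 6 and 9: key, CSR and certificate must carry the same modulus.
# Arguments default to the files above; returns 0 only if all three hashes agree.
verify_chain_consistency() {
  k=$(modulus_md5 rsa "${1:-$KEY}")
  r=$(modulus_md5 req "${2:-$CSR}")
  c=$(modulus_md5 x509 "${3:-$CRT}")
  [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Steps 10 and 11: package key and certificate into a PKCS#12 store with password "sa",
# then confirm the store opens with that password and contains the certificate.
export_keystore() {
  openssl pkcs12 -export -name myservercert -in "$CRT" -inkey "$KEY" \
    -passout pass:sa -out "$P12"
  openssl pkcs12 -in "$P12" -passin pass:sa -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

main() {
  make_key_and_csr && sign_csr_locally && verify_chain_consistency && export_keystore
}
```

Run `main` to produce keystore.p12 in the work directory; a mismatched key, CSR or certificate makes verify_chain_consistency fail and stops the packaging.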

Import SA Server Certificate with its Private Key

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Settings tab.
  3. In the Server Certificates section, click the import icon.
    The Import Server Certificates dialog is displayed.
  4. In the Keystore/Certificate File field, click Browse and select the certificate store.
  5. In the Password field, enter the password of the certificate store.
  6. (Optional) If the user certificate and the Security Analytics server certificate are issued by the same CA, select the Import CAs checkbox.
  7. Click Save.
    The Security Analytics server certificate with its private key is added to Security Analytics.

Note: You can import multiple server certificates with their private keys.

Note: The Import Server Certificates dialog may not close on some browsers; however, the import is successful. To view the imported certificate, refresh the page.

  1. To specify a default server certificate, select a certificate and click Use as Server Certificate.
    The selected server certificate is highlighted in red.
  2. SSH to the Security Analytics server and run the following command:

    puppet agent -t

    This automatically updates the jetty-ssl.xml file with the appropriate server certificate.

  3. Restart the Jetty service for the changes to take effect.

Import Trusted CAs

  1. In the Security Analytics menu, select Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Settings tab.
  3. In the Trusted CAs section, click the import icon.
    The Import Certificate Authority dialog is displayed.
  4. In the CA Store File field, click Browse and select the certificate or certificate store.
  5. In the Password field, enter the password of the certificate or certificate store.

    Note: The password applies only to the .pkcs12 or .p12, .pfx, and .jks certificate store formats.

  6. Click Save.
    The CA certificate is added to the Security Analytics Trusted CAs store.
