Sec/User Mgmt: Step 3. Import Server Certificate and Trusted CA Certificate 78412

Document created by RSA Information Design and Development on Jun 25, 2017. Last modified by RSA Information Design and Development on Aug 28, 2017.
Version 3

By default, the Security Analytics server uses a web server certificate generated by Security Analytics for its HTTPS connections. Security Analytics also allows you to configure a custom web server certificate to be used as the Security Analytics server certificate. You can configure a custom web server certificate even if PKI is not enabled.

Supported Certificate Formats

The following certificate formats are supported. Select the format that meets your requirement:

  • For a server certificate with its private key:
    • pkcs12 or .p12
    • jks
    • pfx
  • For a trusted CA certificate:
    • pkcs12 or .p12
    • jks
    • pfx
    • pem
    • crt
    • der
    • cer

Note: .pfx, .p12 and .jks files are containers that can hold one or more private keys with their certificate chains, or certificates alone. PEM is a Base64-encoded text format that can hold multiple certificates.

Note: The alias name of a Security Analytics server certificate cannot contain the bracket characters [ ] { } ( ) < > or the characters & (ampersand), ! (exclamation point) or | (pipe).
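A PEM bundle can carry several certificates, and only genuine CA certificates belong in a trust store. The following script, an added example that is not part of the RSA documentation, lists what a PEM bundle contains (subject, issuer, expiry, and whether each certificate asserts CA:TRUE) so you can review it before uploading it to the Trusted CAs store. It assumes openssl is on the PATH; the sample bundle is constructed locally with placeholder names.

```shell
#!/bin/sh
# Added example, not from the RSA documentation: list what a PEM bundle holds
# before it goes into the Trusted CAs store. A PEM file can carry several
# certificates, and a trust store should only receive actual CA certificates.
# Assumes openssl on PATH; the sample bundle is constructed locally with
# placeholder names.
set -eu

# Call "$2" once per certificate in bundle "$1", with a temp file holding just
# that certificate and its 1-based index. Reads from a file, not a pipe, so
# the callback runs in this shell and may update variables.
for_each_cert() {
    bundle=$1; cb=$2; n=0; one=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line" >> "$one"
        if [ "$line" = '-----END CERTIFICATE-----' ]; then
            n=$((n + 1))
            "$cb" "$one" "$n"
            : > "$one"
        fi
    done < "$bundle"
    rm -f "$one"
}

# True when the certificate in "$1" asserts basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# One report line: index, subject, issuer, expiry and whether it is a CA.
describe_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    exp=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    if is_ca_cert "$1"; then ca=yes; else ca=no; fi
    printf '#%s subject=[%s] issuer=[%s] expires=[%s] ca=%s\n' "$2" "$subj" "$iss" "$exp" "$ca"
}

bundle_report() { for_each_cert "$1" describe_cert; }

# Number of certificates in the bundle.
cert_count() { grep -c -- '-----END CERTIFICATE-----' "$1"; }

# Number of certificates that are NOT CAs; anything above zero means the file
# is not a pure set of trust anchors and deserves a second look.
non_ca_count() {
    bad=0
    for_each_cert "$1" _tally_non_ca
    echo "$bad"
}
_tally_non_ca() { is_ca_cert "$1" || bad=$((bad + 1)); }

# Constructed sample: one self-signed CA plus one self-signed non-CA leaf,
# each with explicit basicConstraints so the check has something to find.
make_sample_bundle() {
    out=$1; d=$(mktemp -d)
    cat > "$d/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ext.cnf" \
        -subj '/CN=Example Root CA' -extensions ca_ext \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ext.cnf" \
        -subj '/CN=leaf.example.test' -extensions leaf_ext \
        -keyout "$d/leaf.key" -out "$d/leaf.pem" 2>/dev/null
    cat "$d/ca.pem" "$d/leaf.pem" > "$out"
    rm -rf "$d"
}

# Demo run.
b=$(mktemp)
make_sample_bundle "$b"
bundle_report "$b"
echo "certificates: $(cert_count "$b"), not CA: $(non_ca_count "$b")"
rm -f "$b"
```

Run it as `sh inspect_bundle.sh`; for a real bundle, call `bundle_report /path/to/ca-bundle.pem` and `non_ca_count /path/to/ca-bundle.pem` instead of the constructed sample. The CA:TRUE test is deliberately strict: a bundle that reports a non-zero non-CA count contains an end-entity certificate that should not be trusted as an issuer.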

Procedures

(Optional) Create a Certificate Signing Request (CSR) and Certificate Store for Jetty Certificate

The CSR is submitted to the Certificate Authority (CA) server, which issues the server certificate based on it. Once the certificate has been issued, the steps below package the private key and the signed certificate into a key store that can be uploaded to the Security Analytics server and used as the server certificate. If a server certificate (along with its private key) already exists, you can skip these steps and upload the certificate to the Security Analytics server directly.

Perform the following steps to create a CSR for Jetty Certificate:

  1. Change the directory to /root:
    cd /root
  2. Create a new directory:
    mkdir sa_pki_server_cert
  3. Change to the newly created directory:
    cd sa_pki_server_cert
  4. Create a 2048-bit RSA private key:
    openssl genrsa -out sa_server_pki_private_key.key 2048
  5. Create a CSR from that private key:
    openssl req -new -key sa_server_pki_private_key.key -out server_cert_request.csr -config <ssl_conf_file>
    The ssl_conf_file (for example, openssl.cnf) contains:
    subjectAltName = @alt_names
    In the alt_names section, list the domain names that you want to use with SSL, for example:
    DNS.1 = <domain1>
    DNS.2 = <domain2>
    and so on.
  6. Check that the CSR and the private key match:
    openssl req -noout -modulus -in server_cert_request.csr | openssl md5
    openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl md5

    An example output is:
    [root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in server_private.key | openssl md5
    (stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5
    [root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl md5
    (stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5

Note: Make a note of both (stdin)= hash values; they must be identical, and the certificate you receive from the CA must produce the same value.

  1. Submit the CSR to a CA and obtain a signed certificate.
  2. Copy the certificate in PEM format to the newly created directory:
    /root/sa_pki_server_cert/signed_certificate.pem
  3. Check that the certificate you receive from the CA carries the correct public key, that is, that its modulus hash matches the two outputs above. If the values do not match, you might have omitted one of the previous steps.
    openssl x509 -noout -modulus -in signed_certificate.pem | openssl md5

Note: You can use the xca tool to complete these steps.

For example:
[root@ABCD open_ssl_test]# mv test.crt certificate.crt
[root@ABCD open_ssl_test]# openssl x509 -noout -modulus -in certificate.crt | openssl md5
(stdin)= 3e2f4bbd1f32ae097902afcc1893089e
[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl md5
(stdin)= 3e2f4bbd1f32ae097902afcc1893089e
[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl md5
(stdin)= 3e2f4bbd1f32ae097902afcc1893089e
  1. Copy the private key and certificate into a key store:
    openssl pkcs12 -export -descert -name <myservercert> -in signed_certificate.pem -inkey sa_server_pki_private_key.key -out keystore.p12
  2. When prompted, provide a password for the key store, for example sa.
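The procedure above as one script: an added example, not code from the RSA documentation, that creates the key, the SAN configuration and the CSR, verifies that key, CSR and certificate belong together, checks the alias against the character rule given earlier on this page, and packages the result as keystore.p12. It assumes openssl is on the PATH. Because no CA is reachable offline, the CSR is self-signed locally as a stand-in for the signed_certificate.pem your CA would return; host names such as sa.example.test are placeholders. The match check generalizes the page's RSA modulus comparison by hashing the full public key, which gives the same verdict for RSA and also works for EC keys.

```shell
#!/bin/sh
# Added example, not from the RSA documentation: the key, CSR and key store
# steps above as one script, with the key/CSR/certificate match check applied
# before anything is packaged. Assumes openssl on PATH. Because no CA is
# reachable offline, the CSR is self-signed here as a stand-in for the
# signed_certificate.pem your CA would return; host names are placeholders.
set -eu

# SHA-256 of the public key carried by a private key, a CSR or a certificate.
# Comparing public keys instead of the RSA modulus (as the procedure does)
# gives the same answer for RSA and also works for EC keys.
pubkey_fingerprint() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    echo "unknown type: $1" >&2; return 2 ;;
    esac | openssl dgst -sha256 | sed 's/^.*= //'
}

# Succeeds only when key, CSR and certificate all carry the same public key.
# A mismatch means the certificate was issued for a different key than the
# one about to be uploaded, which is what the manual check guards against.
key_material_matches() {
    k=$(pubkey_fingerprint key  "$1")
    c=$(pubkey_fingerprint csr  "$2")
    x=$(pubkey_fingerprint cert "$3")
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Alias rule from the page: no [ ] { } ( ) < >, no & ! |, and not empty.
valid_alias() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | grep -q '[][{}()<>&!|]' && return 1
    return 0
}

# Build key, SAN config, CSR, stand-in certificate and PKCS#12 store in $1,
# using alias $2 and store password $3.
build_jetty_store() {
    dir=$1; name=$2; storepass=$3
    valid_alias "$name" || { echo "alias '$name' contains a forbidden character" >&2; return 1; }
    mkdir -p "$dir"
    # Constructed openssl.cnf: placeholder DN and SAN entries.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no
[ req_dn ]
CN = sa.example.test
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = sa.example.test
DNS.2 = sa-ui.example.test
EOF
    openssl genrsa -out "$dir/sa_server_pki_private_key.key" 2048 2>/dev/null
    openssl req -new -key "$dir/sa_server_pki_private_key.key" \
        -out "$dir/server_cert_request.csr" -config "$dir/openssl.cnf"
    # Stand-in for the CA: self-sign the CSR, keeping its SAN extension.
    openssl x509 -req -in "$dir/server_cert_request.csr" \
        -signkey "$dir/sa_server_pki_private_key.key" -days 30 \
        -extfile "$dir/openssl.cnf" -extensions v3_req \
        -out "$dir/signed_certificate.pem" 2>/dev/null
    key_material_matches "$dir/sa_server_pki_private_key.key" \
        "$dir/server_cert_request.csr" "$dir/signed_certificate.pem" \
        || { echo "key, CSR and certificate do not match" >&2; return 1; }
    openssl pkcs12 -export -name "$name" -in "$dir/signed_certificate.pem" \
        -inkey "$dir/sa_server_pki_private_key.key" \
        -out "$dir/keystore.p12" -passout "pass:$storepass"
}

# The alias (friendlyName) recorded in a PKCS#12 store: this is the name the
# server will show after import, so confirm it before uploading.
store_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Demo run in a scratch directory, with the alias and password the page uses.
work=$(mktemp -d)
build_jetty_store "$work" myservercert sa
echo "keystore.p12 alias: $(store_alias "$work/keystore.p12" sa)"
rm -rf "$work"
```

In real use, replace the self-signing step with the certificate returned by your CA and run `key_material_matches` on the key, the CSR and that certificate before calling `openssl pkcs12 -export`; a failed check at that point is the mismatch the manual modulus comparison is meant to catch.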

Import SA Server Certificate with its Private Key

  1. In the Security Analytics menu, select  Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the Settings tab.
  3. In the Server Certificates section, click the import icon.
    The Import Server Certificates dialog is displayed.
  4. In the Keystore/Certificate File field, click Browse and select the certificate store.
  5. In the Password field, enter the password of the certificate store.
  6. (Optional) If the user certificate and the Security Analytics server certificate are issued by the same CA, select the Import CAs checkbox.
  7. Click Save.
    The Security Analytics server certificate with its private key is successfully added to Security Analytics.

Note: You can import multiple server certificates, each with its private key.

Note: On some browsers the Import Server Certificates dialog may not close, but the import is still successful. To view the imported certificate, refresh the page.

  1. To specify a default server certificate, select a certificate and click Use as Server Certificate.
    The selected server certificate is highlighted in red.
  2. SSH to the Security Analytics server and run the following command:
    puppet agent -t
    This automatically updates the jetty-ssl.xml file with the appropriate server certificate.
  3. Restart the Jetty service for the changes to take effect.

Import Trusted CAs

  1. In the Security Analytics menu, select  Administration > Security.
    The Security view is displayed with the Users tab open.
  2. Click the PKI Settings tab.
  3. In the Trusted CAs section, click the import icon.
    The Import Certificate Authority dialog is displayed.

  4. In the CA Store File field, click Browse and select the certificate or certificate store.
  5. In the Password field, enter the password of the certificate or certificate store.
    Note: The password applies only to the .pkcs12 or .p12, .pfx, and .jks certificate store formats.
  6. If a CA file with the same name as the one you are importing already exists and you want to overwrite it with the new CA file, select the Overwrite Existing Entries checkbox.
  7. Click Save.
    The CA certificate is added to the Security Analytics Trusted CAs store.
