000034921 - How to add Certificates to the Forensics User Interface (FUI) for RSA Web Threat Detection

Document created by RSA Customer Support Employee on Nov 18, 2017
Version 1

Article Content

Article Number: 000034921
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Forensics User Interface (FUI)
RSA Version/Condition: 6.x
Issue: Users are receiving an error when trying to access the RSA Web Threat Detection UI. They may ask, "How do you add a signed Certificate from the Customer organization (versus using the built in system certificates) to my WTD User interface?"
Resolution: Adding Certificates for WebUI
PKI (and thus CA-signed keys) is only necessary as a way of verifying trust where the client does not already have the public key of the server, such as for web browsing. (An individual's browser cannot have the public key/certificate for every web server on the internet, so it uses the CA certificate as a middleman for the trust relationship.)

If you want a CA-signed certificate for the web server in place of the built-in system certificate, follow the steps below:

Create SSL Certificate for Admin Interface (optional, but removes SSL cert errors when accessing):

1.    Create a new key, and then generate a CSR (Certificate Signing Request) with that key from a shell prompt:

openssl genrsa -out HOSTNAME.key 2048

openssl req -new -key HOSTNAME.key -out HOSTNAME.csr

Note that the "State" in the request must be fully spelled out (e.g., "California") whilst the country should be just the 2-letter code ("US").

2.    Send the CSR to your preferred Certificate Signing Authority (CA), and request the signed certificate be generated in "PEM" format (sometimes called "Apache" or "OpenSSL" format).

3.    Once the CSR has been signed by the CA, you will receive 2 files back: the signed cert (.crt or .pem) and one or more Intermediate certificates, often as a "bundle". These two files need to be merged into a single file with the signed certificate first (the .crt), followed by any intermediate certificates (or the "bundle").

4.    Put the key generated above and the signed certificate/intermediates into the directory /var/opt/silvertail/certs, overwriting the files already in that directory that match the hostname on the system.

5.    Restart SiteProxy:

/etc/init.d/st-SiteProxy-0 restart

6.    Browse to the Admin UI and confirm that the correct certificate is presented.
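
The script below is an added example, not part of the original RSA article: it merges the files as described in step 3 and checks, before anything is copied in step 4, that the first certificate in the merged file belongs to the key from step 1. The file names, the hostname wtd.example.test and the throwaway CA in demo() are constructed placeholders standing in for your real CA and files.

```sh
#!/bin/sh
# Added example (not from the RSA article): checks to run between steps 3 and 4.

# merge_chain LEAF BUNDLE OUT: signed certificate first, then the intermediates.
merge_chain() { cat "$1" "$2" > "$3"; }

# count_certs FILE: number of PEM certificates in FILE.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# check_pair KEY MERGED: succeeds only if the FIRST certificate in MERGED carries
# the public key of KEY. openssl x509 reads only the first PEM block, so a file
# merged in the wrong order (bundle first) fails here.
check_pair() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo: constructed test material only. A throwaway CA stands in for the real
# CA of step 2; wtd.example.test is a placeholder hostname.
demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
            -subj "/C=US/ST=California/O=Example/CN=Throwaway CA" -days 1 2>/dev/null
        openssl genrsa -out host.key 2048 2>/dev/null
        openssl req -new -key host.key -out host.csr \
            -subj "/C=US/ST=California/O=Example/CN=wtd.example.test" 2>/dev/null
        openssl x509 -req -in host.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out host.crt -days 1 2>/dev/null
        merge_chain host.crt ca.crt good.pem      # correct: signed cert first
        merge_chain ca.crt host.crt swapped.pem   # wrong: bundle first
        [ "$(count_certs good.pem)" -eq 2 ] &&
            check_pair host.key good.pem &&
            ! check_pair host.key swapped.pem
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run check_pair against HOSTNAME.key and your merged file before overwriting anything in /var/opt/silvertail/certs; a failure means the key and certificate do not match or the merge order is wrong.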