|Applies To||RSA Product Set: Web Threat Detection|
RSA Product/Service Type: Forensics User Interface (FUI)
RSA Version/Condition: 6.x
|Issue||Users are receiving an error when trying to access the RSA Web Threat Detection UI. They may ask, "How do you add a signed Certificate from the Customer organization (versus using the built in system certificates) to my WTD User interface?"|
|Resolution||Adding Certificates for WebUI |
PKI (and thus CA-signed keys) is only necessary as a way of verifying trust where the client does not already have the public key of the server, such as for web browsing. (An individual's browser cannot have the public key/certificate for every web server on the internet, so it uses the CA certificate as a middleman for the trust relationship.)
If you want a CA-signed certificate for the web server in place of the built-in system certificate, follow the steps below:
Create SSL Certificate for Admin Interface (optional, but removes SSL certificate errors when accessing it):
1. Create a new key, and then generate a CSR (Certificate Signing Request) with that key from a shell prompt:
openssl genrsa -out HOSTNAME.key 2048
openssl req -new -key HOSTNAME.key -out HOSTNAME.csr
Note that the "State" in the request must be fully spelled out (e.g., "California"), whilst the country should be just the two-letter code ("US").
2. Send the CSR to your preferred Certificate Signing Authority (CA), and request the signed certificate be generated in "PEM" format (sometimes called "Apache" or "OpenSSL" format).
3. Once the CSR has been signed by the CA, you will receive 2 files back: the signed cert (.crt or .pem) and one or more intermediate certificates, often as a "bundle". These two files need to be merged into a single file with the signed certificate first (the .crt), followed by any intermediate certificates (or the "bundle").
4. Put the key generated above and the signed certificate/intermediates into the directory /var/opt/silvertail/certs, overwriting the files already in that directory that match the hostname on the system.
5. Restart SiteProxy :
6. Browse to the Admin UI and confirm that the correct certificate is presented.
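
A pre-install check for steps 1 to 4, added here as an example and not part of the original RSA article: it merges the files in the order step 3 requires, confirms the private key belongs to the first certificate in the merged file, and confirms that certificate chains to the CA root. The function names and the file names bundle.crt, root.crt and merged.pem are assumptions; make_test_pki builds a constructed throwaway CA so the checks can be tried offline.

```shell
#!/bin/sh
# Added example: pre-install checks for steps 1-4. Function names are
# hypothetical helpers; HOSTNAME.* file names follow the page.

# Step 3 merge: signed certificate first, then the intermediates. The
# echo guards against a certificate file that lacks a trailing newline.
merge_chain() {  # merge_chain SIGNED_CERT BUNDLE OUT
    { cat "$1"; echo; cat "$2"; } > "$3"
}

# The key's public half must equal the public key of the FIRST certificate
# in the file (openssl x509 reads only the first PEM block), so this also
# fails when the intermediates were placed ahead of the signed certificate.
key_matches_cert() {  # key_matches_cert KEY CERT_OR_MERGED
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The first certificate must chain to the CA root using only the
# certificates inside the merged file as intermediates.
chain_verifies() {  # chain_verifies ROOT_CA MERGED
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Run both checks before copying anything into the certs directory.
preinstall_ok() {  # preinstall_ok KEY MERGED ROOT_CA
    key_matches_cert "$1" "$2" && chain_verifies "$3" "$2"
}

# Constructed throwaway PKI (root -> intermediate -> HOSTNAME) for a dry
# run; in production the CA returns HOSTNAME.crt and bundle.crt instead.
make_test_pki() {  # make_test_pki DIR
    d=$1; echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    for n in root int HOSTNAME; do  # key and CSR as in step 1
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=constructed-$n" -out "$d/$n.csr"
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/bundle.crt" 2>/dev/null
    openssl x509 -req -in "$d/HOSTNAME.csr" -CA "$d/bundle.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/HOSTNAME.crt" 2>/dev/null
}
```

A merged file with the bundle first still passes chain_verifies, because the intermediate itself chains to the root; only key_matches_cert catches the wrong order, which is why preinstall_ok runs both.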