topic I'm on a different version, in Network Security

How to Install 3rd Party SSL Certificate on CSM

Jonathan Grant — Fri, 21 Feb 2020 13:49:55 GMT

Good day. I work in a high security network and after recently installing CSM 4.11 on Windows Server 2012 R2 I need to install a 3rd party SSL certificate to remediate a vulnerability with CSM using a self-signed cert; our security requirements state we must use a trusted ssl certificate from a 3rd party such as Verisign, GoDaddy, etc.

I searched Cisco's documentation, as well as this forum, for a procedure for installing a 3rd party SSL cert, but couldn't find anything, but I do have a procedure from Apache; which is the web engine CSM utilizes. Does anyone know if all I need to do is follow Apache's procedure to install the 3rd party certificate on CSM? Thank you.

After completing SSL purchase

aboutssl16 — Wed, 01 Jun 2016 05:41:35 GMT

After completing SSL purchase process, you need to install an SSL Certificate on your server. You can find SSL installation guidelines from official website of your Certificate Authority where you buy from.

You can also get SSL installation tutorial at one place where you can find step by step guidelines to Install SSL Certificate from different server at single place.

AboutSSL.org is an informative site where users can easily get information regarding SSL Certificates such as Types of SSL, SSL Installation Tutorials, SSL Videos, SSL Certificate Reviews, Compare SSL Certificates etc. at free.

You can find your SSL Installation Solution at here - https://aboutssl.org/how-to-install

Thank you for the reply,

Jonathan Grant — Wed, 01 Jun 2016 17:29:44 GMT

Thank you for the reply, however, since CSM integrates Apache into the application, I was looking for something specifric for CSM in the event the application handles certificate differently than a stand-alone Apache server. What I've found out is that the certificates can be updated with the same procedure as with a stand-alone Apache web server. The easiest way I found to install the new certificate, specifically for Cisco Security Manager 4.11 SP1, is as follows:

Obtain your CA certificate and private key files.
Rename the files as follows:

Certificate File = server.key
Private Key = server.crt
In most cases, you don't need to worry about the intermediate certificate.

As a precaution, you can backup the C:\Program Files (x86)\CSCOpx\MDC\Apache\conf\ssl directory. If there is an issue, you can revert back to the original cert and key
Copy the certificate and private key files to the \Apache\conf\ssl directory
Restart the CSM daemon (net stop crmdmgtd / net start crmdmgtd
Use a remote web browser to connect to CSM and validate the certificate
If you backed up the \Apache\conf\ssl directory, delete it at this time (shift-delete)

Note for Reference:

The Apache httpd.conf file is located here -> C:\Program Files (x86)\CSCOpx\MDC\Apache\conf\httpd.conf and the certificate pointers are located within the VirtualHost module; see below for example of module:

<VirtualHost _default_:443>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLEngine on
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCertificateChainFile conf/ssl/chain.cer
...
</VirtualHost>

The certificates and private keys are located here -> C:\Program Files (x86)\CSCOpx\MDC\Apache\conf\ssl directory

Further Explanation of SSL Certificate Pointers:

SSLCertificateFile: This should point to your server certificate
SSLCertificateKeyFile: This should point to your server's private key
SSLCertificateChainFile: This should point to the intermediate certificate

I've successfully replaced

Alex Morris — Fri, 17 Feb 2017 12:59:12 GMT

I've successfully replaced the built-in cert and key with an externally-generated and trusted one. Apache loads, and I can bring up the management web page without any certificate errors.

So far, so good...

The problem arises when trying to use the Cisco Security Manager client application. Configuration Manager loads, and shows all the folder trees previously configured, but does not show any firewalls in any folder; the window is empty.

Restoring the original cert and key corrects the problem, and the firewalls are once again visible in CSM.

There is a brief note in the Troubleshooting / Client Problems After Installtion section of the Installation Guide: "What is wrong with my authentication setup if my login credentials are accepted without any error message when I try to log in with Security Manager Client, but the Security Manager desktop is
blank and unusable?"

The suggested answer is: "You did not finish all the required steps for Cisco Secure ACS to provide login authentication services for Security Manager and Common Services. Although you entered login credentials in ACS, you did not define the Security Manager server as a AAA client. You must do so, or you cannot log in. See the ACS documentation for detailed instructions."

That's all well and good, but we're not - yet - using ACS for CSM authentication. At the moment we're using local accounts in CSM.

Is that Troubleshooting note relevant or a red herring? If we're going to add our own cert and key to CSM do we then have to use ACS? Or is something else causing a blank CSM window if we've installed our own cert and key?

I'm on a different version,

JONATHAN LUSKY — Tue, 23 May 2017 16:09:41 GMT

I'm on a different version, but I don't think this has changed. I think the above process is missing two steps. Take a look at CSCOpx\MDC\Apache\gencert.bat, specifically the last two lines.

run the openssl pkcs8 command to generate the server.pk8. You'll see a warning about missing openssl.conf--that's fine/expected.
copy the CA chain to chain.cer (the script copies the server.crt since it was self signed, but you'll want to put your actual CA cert/chain here instead)