05-31-2016 06:36 AM - edited 02-21-2020 05:49 AM
Good day. I work in a high security network and after recently installing CSM 4.11 on Windows Server 2012 R2 I need to install a 3rd party SSL certificate to remediate a vulnerability with CSM using a self-signed cert; our security requirements state we must use a trusted SSL certificate from a 3rd party such as Verisign, GoDaddy, etc.
I searched Cisco's documentation, as well as this forum, for a procedure for installing a 3rd party SSL cert, but couldn't find anything. I do have a procedure from Apache, which is the web engine CSM utilizes. Does anyone know if all I need to do is follow Apache's procedure to install the 3rd party certificate on CSM? Thank you.
05-31-2016 10:41 PM
After completing the SSL purchase process, you need to install the SSL certificate on your server. You can find SSL installation guidelines on the official website of the Certificate Authority you bought it from.
You can also get SSL installation tutorials in one place, with step-by-step guidelines to install an SSL certificate on different servers.
AboutSSL.org is an informative site where users can easily get information regarding SSL certificates, such as types of SSL, SSL installation tutorials, SSL videos, SSL certificate reviews, SSL certificate comparisons, etc., for free.
You can find your SSL installation solution here - https://aboutssl.org/how-to-install
06-01-2016 10:29 AM
Thank you for the reply, however, since CSM integrates Apache into the application, I was looking for something specific for CSM in the event the application handles certificates differently than a stand-alone Apache server. What I've found out is that the certificates can be updated with the same procedure as with a stand-alone Apache web server. The easiest way I found to install the new certificate, specifically for Cisco Security Manager 4.11 SP1, is as follows:
Note for Reference:
<VirtualHost _default_:443>
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLEngine on
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCertificateChainFile conf/ssl/chain.cer
...
</VirtualHost>
SSLCertificateFile: This should point to your server certificate
SSLCertificateKeyFile: This should point to your server's private key
SSLCertificateChainFile: This should point to the intermediate certificate
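Before pointing those three directives at new files and restarting Apache, it is worth confirming that the key really belongs to the certificate and that the intermediate in chain.cer actually links the server certificate to a trusted root. The script below is an added example, not part of the original post or of CSM; it assumes a POSIX shell with openssl on PATH, and make_test_pki builds a throw-away root/intermediate/server hierarchy so the two checks can be exercised without touching a real server.

```shell
#!/bin/sh
# Added example: consistency checks for the files referenced by
# SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile.
# Assumes `openssl` is on PATH; file paths are arguments, not CSM's own.

# Returns 0 when the private key's public half equals the certificate's
# public key (compared as SubjectPublicKeyInfo hashes).
check_key_matches_cert() {
  crt="$1"; key="$2"
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Returns 0 when the server certificate verifies up to the given root using
# the intermediate file as the untrusted link, i.e. chain.cer is the right one.
check_chain() {
  crt="$1"; chain="$2"; root="$3"
  openssl verify -CAfile "$root" -untrusted "$chain" "$crt" >/dev/null 2>&1
}

# Builds constructed test data in directory $1: root -> intermediate -> server,
# plus an unrelated key (wrong.key) to demonstrate the mismatch case.
make_test_pki() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Example Root" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Intermediate" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/chain.cer" -days 2 -extfile "$d/ca.ext" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=csm.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/chain.cer" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/server.crt" -days 2 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/wrong.key" 2>/dev/null
}
```

On the CSM host the same two openssl invocations can be run against the real server.crt, server.key and chain.cer before Apache is restarted; a key/cert mismatch or a missing intermediate is the usual cause of Apache failing to start or browsers warning after the swap.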
02-17-2017 04:59 AM
I've successfully replaced the built-in cert and key with an externally-generated and trusted one. Apache loads, and I can bring up the management web page without any certificate errors.
So far, so good...
The problem arises when trying to use the Cisco Security Manager client application. Configuration Manager loads, and shows all the folder trees previously configured, but does not show any firewalls in any folder; the window is empty.
Restoring the original cert and key corrects the problem, and the firewalls are once again visible in CSM.
There is a brief note in the Troubleshooting / Client Problems After Installation section of the Installation Guide: "What is wrong with my authentication setup if my login credentials are accepted without any error message when I try to log in with Security Manager Client, but the Security Manager desktop is blank and unusable?"
The suggested answer is: "You did not finish all the required steps for Cisco Secure ACS to provide login authentication services for Security Manager and Common Services. Although you entered login credentials in ACS, you did not define the Security Manager server as a AAA client. You must do so, or you cannot log in. See the ACS documentation for detailed instructions."
That's all well and good, but we're not - yet - using ACS for CSM authentication. At the moment we're using local accounts in CSM.
Is that Troubleshooting note relevant or a red herring? If we're going to add our own cert and key to CSM do we then have to use ACS? Or is something else causing a blank CSM window if we've installed our own cert and key?
05-23-2017 09:09 AM
I'm on a different version, but I don't think this has changed. I think the above process is missing two steps. Take a look at CSCOpx\MDC\Apache\gencert.bat, specifically the last two lines.