on 11-02-2014 09:40 AM
Being a network engineer who focuses primarily in security, I always dislike using self-signed certificates. Often customers don't want to purchase a proper certificate from a well-known public Certificate Authority (CA). However, the Prime Infrastructure I am working on currently was at a customer who had a nice 5-year wildcard certificate issued by GoDaddy. The documentation was a bit ambiguous on this approach although a PI 1.4 discussion here in CSC seemed to indicate it might be possible to use such a certificate.
I was able to follow the procedure in the PI 2.1 Admin Guide to successfully import and use a CA-issued wildcard certificate with unencrypted private key where the original CSR was not generated by the Prime Infrastructure server.
Note: My original private key was encrypted so I used openssl and the passphrase to get a plaintext version of the private key. Be VERY careful to protect that private key as it is used to properly secure every server in your infrastructure that's using the wildcard certificate.
Prime needs to be defined with a record in your DNS serving the domain in the wildcard certificate. In my case I am using both an A record and cname alias (with PTR for reverse lookups of course!).
Following a server restart the wildcard certificate appears fine in Chrome, Firefox and IE when I browse to https://prime.<my_customer's_domain>. Now there are no more annoying security messages (or need to install and trust the self-signed certificate to avoid them).
Below are the commands I used. You would need to have your own certificate and keyfile. My certificate includes the full chain - server certificate, intermediate certificate and root certificate in that order.
Hope this helps others facing the same situation. Enjoy!
p.s. I was able to use the same certificate and keyfile to similarly secure the Prime Security Manager (PRSM). The PRSM User Guide kindly explains to concatenate the server and issuing CA certificates together and exposes the installation process in its GUI so the process was a bit less command line-intensive.
p.p.s UPDATE Dec 2015 - You can also use this procedure on PI 3.x. Note that you can use a remote repository with an ftp URL and thus save the step of doing a separate ftp copy.
PI01/admin# copy ftp://192.168.254.7/privatekeyplaintext.pem disk:
Username: admin
Password:
PI01/admin# copy ftp://192.168.254.7/gd_bundle-g2-g1.crt disk:
Username: admin
Password:
PI01/admin#
PI01/admin# root
Enter root password :
Starting root bash shell ...
ade # pwd
/root
ade #
ade # cd ..
ade #
ade # cd localdisk
ade # ls -al
total 68
drwxr-xr-x  8 root root    4096 Nov  2 09:51 .
drwxr-xr-x 28 root root    4096 Oct 28 11:22 ..
lrwxrwxrwx  1 root root      20 Jul 14 13:11 crash -> /opt/CSCOlumos/crash
drwxr-xr-x  2 root root    4096 Jul 15 23:31 defaultRepo
drwxr-xr-x  2 root root    4096 Jul 14 13:10 ftp
-rw-rw-rw-  1 root gadmin  6710 Nov  2 09:51 gd_bundle-g2-g1.crt
drwx------  2 root root   16384 Apr 17  2014 lost+found
-rw-rw-rw-  1 root gadmin  1679 Nov  2 09:50 privatekeyplaintext.pem
drwxr-xr-x  2 root root    4096 Jul 14 13:10 ssh
drwxr-xr-x  2 root root    4096 Jul 14 13:10 telnet
drwxr-xr-x  2 root root   12288 Nov  2 09:57 tftp
ade #
ade # mv ./gd_bundle-g2-g1.crt ./defaultRepo
ade # mv ./privatekeyplaintext.pem ./defaultRepo
ade #
ade # exit
exit
PI01/admin# show repository defaultRepo
PI01-140715-0330.tar.gpg
PI01-140716-0330.tar.gpg
gd_bundle-g2-g1.crt
privatekeyplaintext.pem
PI01/admin#
PI01/admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing certificate to trust store
PI01/admin#
PI01/admin# ncs key importkey privatekeyplaintext.pem gd_bundle-g2-g1.crt repository defaultRepo
INFO: no staging url defined, using local space. rval:2
INFO: no staging url defined, using local space. rval:2
truststore used is /opt/CSCOlumos/conf/truststore
The NCS server is running
Changes will take affect on the next server restart
Importing RSA key and matching certificate
PI01/admin#
PI01/admin# ncs stop
Stopping Network Control System...
This may take a few minutes...
Network Control System successfully shutdown.
Plug and Play Gateway is being shut down..... Please wait!!!
Stop of Plug and Play Gateway Completed!!
SAM daemon process id does not exist
DA daemon process id does not exist
DA syslog daemon process id does not exist
PI01/admin# ncs start
Starting Network Control System...
This may take a few minutes...
Network Control System started successfully.
PI01/admin#
Awesome Marvin! Very useful! Thanks for your unsolicited contribution. :-)
Cheers..
Vinod
Nice. Thanks for sharing.
Hi
I am facing some issues while I am following the procedure.
How do I get this file generated: privatekeyplaintext.pem?
It needs to be retrieved from the server that generated the initial Certificate Signing Request (CSR).
The exact process varies according to the type of host that was.
Hi Marvin
Mine is a Prime Infrastructure 3.0.2 VM. Is the procedure mentioned somewhere?
The certificates are coming (the CA) from GoDaddy. Supported formats are Apache and Tomcat, with SSL certificate and root certificate.
If you generated the CSR from Prime Infrastructure, the private key is already the server's private key and you can ignore the step of having to import it separately.
In my use case, the CSR had been generated on a separate server and thus I had to extract and import it into the Prime Infrastructure server.
Same is the case in my use case as well - the certificate is shared by the security team - it is a wildcard certificate. It is not generated from Prime Infrastructure. I followed the below steps:
Copied the gd_bundle-g2-g1.crt to defaultrepo
admin# copy ftp://myftpserver/gd_bundle-g2-g1.crt disk:defaultRepo
Imported it using import key command
admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo
Restarted the server for the change to take place
admin# ncs stop
admin# ncs start
I do not know how or where I get the key from (privatekeyplaintext.pem - the one mentioned in your post).
To use a wildcard certificate you need the plaintext private key. As I noted, the normal practice is that it needs to be retrieved from the server that generated the initial Certificate Signing Request (CSR).
If you do not have access to that system, then any other system that is currently successfully using the private key can also be used.
The most common method is to extract it using openssl. The openssl utility (open source download) syntax will vary according to the OS and server type where you are currently using the certificate. It is well documented in the openssl help syntax and there are numerous Internet postings on using it.
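The two preparation steps the thread keeps coming back to - decrypting the private key to plaintext (the original post's note) and making sure the bundle is ordered server, intermediate, root (the original post's description of the chain) before running "ncs key importkey" - can be checked on any host that has openssl, including the Prime Infrastructure shell. The script below is an added example and is not part of the original post or of Cisco's tooling; it only assumes that openssl is on the PATH and that the encrypted key file and the pass phrase file names are whatever you have locally. It writes the decrypted key with restrictive permissions, confirms the key's public half matches the first certificate in the bundle (so a wrong or stale key is caught before the import and restart), and walks the bundle checking that each certificate's issuer is the subject of the next one.

```shell
#!/bin/sh
# Added example, not from the original post: prepare and sanity-check the files
# that "ncs key importkey privatekeyplaintext.pem gd_bundle-g2-g1.crt ..." expects.
# Assumes openssl is on the PATH. Output file names follow the thread; the
# encrypted key and pass phrase file are whatever you have locally (assumptions).

# Decrypt an encrypted PEM RSA key into the plaintext form the import wants.
# The pass phrase comes from a file (not the command line, where it would land in
# shell history and "ps" output); umask 077 keeps the plaintext key owner-only.
decrypt_key() {
  enc="$1"; out="$2"; passfile="$3"
  ( umask 077; openssl rsa -in "$enc" -passin "file:$passfile" -out "$out" >/dev/null 2>&1 )
}

# Succeed only if the private key's public half equals the public key in the
# FIRST certificate of the bundle (the server certificate, per the thread's ordering).
# Comparing SHA-256 hashes of the PEM public keys avoids format-specific parsing.
key_matches_cert() {
  key="$1"; bundle="$2"
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the bundle is ordered server -> intermediate -> root, i.e. the
# issuer of certificate N is the subject of certificate N+1 all the way down.
chain_ordered() {
  bundle="$1"
  tmp=$(mktemp -d) || return 1
  # Split the concatenated PEM file into cert1.pem, cert2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$bundle"
  count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  ok=0; i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    # Strip the "subject=" / "issuer=" prefix so the two strings are comparable
    # regardless of the OpenSSL version's DN print style.
    issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer 2>/dev/null | sed 's/^[a-z]*= *//')
    subject=$(openssl x509 -in "$tmp/cert$j.pem" -noout -subject 2>/dev/null | sed 's/^[a-z]*= *//')
    if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then ok=1; break; fi
    i=$j
  done
  rm -rf "$tmp"
  return $ok
}

# Usage: sh prep_wildcard.sh encrypted.key passphrase.txt gd_bundle-g2-g1.crt
# (skipped when sourced or run without arguments)
if [ "$#" -eq 3 ]; then
  decrypt_key "$1" privatekeyplaintext.pem "$2" || { echo "decrypt failed (wrong pass phrase?)"; exit 1; }
  key_matches_cert privatekeyplaintext.pem "$3" || { echo "key does not match the server certificate"; exit 1; }
  chain_ordered "$3" || { echo "bundle is not ordered server -> intermediate -> root"; exit 1; }
  echo "OK: privatekeyplaintext.pem and $3 are ready to copy to the repository and import"
fi
```

Run it once on the workstation that holds the key material, then copy only the two verified files to the repository as the post shows. If key_matches_cert fails, the key you extracted is not the one the CSR was generated with; if chain_ordered fails, reorder the PEM blocks before importing rather than after a failed restart.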
Update - same procedure still works with Prime Infrastructure 3.1.
The only exception is that we now use the "shell" command vs. the older style "root" to drop into the Linux OS.
Also note that Prime Infrastructure's Linux includes the necessary OpenSSL binaries and associated libraries so you can do any needed key transforms on the server itself.