02-03-2016 08:10 AM - last edited on 07-27-2018 11:11 AM by Cheri Fairbrother
Good Morning,
I am looking for information on installing a proper SSL certificate issued by my company's internal CA. Could someone please post the steps I need to take to accomplish this? The reason this is needed is so my collector can be brought up to current compliance standards set forth by my company's security department.
Any and all help is greatly appreciated.
Thank You,
Stephen
02-22-2016 09:00 AM
Hello,
First, generate the private key and .csr file on the CSPC using this command:
# openssl req -new -newkey rsa:2048 -nodes -keyout test.key -out test.csr
This will create a private key file called test.key and a csr called test.csr
Using these two files, generate the certificate using the following command:
# openssl pkcs12 -export -in test.crt -inkey test.key > test.p12
This will produce a certificate called test.p12
Next update the CSPC keystore with the new certificate using this command:
# keytool -importkeystore -srckeystore test.p12 -alias tomcat -destkeystore $CSPCHOME/webui/tomcat/conf/cspcgxt -srcstoretype pkcs12 -storepass cspcgxt
The exact details of what needs to be done can vary and the formatting of the commands is important, so please let me know if this doesn't work or if you run into any issues, and paste in exactly what error messages you get if anything pops up. It can be a bit tricky to remove keys if you mess up, so if it looks like something didn't work, please post again here so I can walk you through what needs to be done.
Thanks,
Lynden
05-19-2022 04:09 PM
Hi,
I was following the instructions, but I was having this error.
Importing keystore test.p12 to /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt...
keytool error: java.io.IOException: Invalid keystore format
And I am no longer able to access the webUI. Please kindly assist on how to fix access.
Thank you.
05-20-2022 05:25 AM
Hi rtanap,
We are looking into the issue and will get back to you with an update.
Thanks and Regards,
Vivek Chauhan
05-20-2022 12:36 PM
Hi rtanap,
Please share the user's CCO id and company name in a private message.
Thanks and Regards,
Vivek Chauhan
04-05-2023 09:13 AM
Surprised this has not been asked, but what if I want to use an external CA, like DigiCert?
04-11-2023 09:17 AM
Exactly, I'm trying to do the same. I was able to go through this documentation, CSPC User-Guide, Appendix F. However, it shows you steps for a self-signed cert. I went through all steps successfully but after restarting the service and launching the website from the browser, it still shows as "not trusted". We have an internal trusted CA, and I want to know how to generate the signed cert out of the .key and .csr files generated from the CSP Collector.
Anyone have any insight? Should I just combine both keys and submit it to the CA to generate the cert? Or is it just the .csr file that's needed?
10-26-2023 12:17 PM
The certificate that you generated from the .key and .csr files is not signed by your internal trusted CA, but by yourself. This means that the certificate is self-signed and not recognized by your browser as valid. To generate a signed certificate from your internal trusted CA, you need to submit the .csr file to the CA and obtain a signed certificate in PEM format.
The certificate that you installed on the CSPC server is not trusted by your browser because it is not in the browser’s trust store. This means that your browser does not have the root or intermediate certificates of your internal trusted CA in its list of trusted authorities. To fix this, you need to import the root and intermediate certificates of your internal trusted CA into your browser’s trust store.
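The CSR-to-signed-certificate flow described in this thread, as an added example that is not part of any post: it runs in a scratch directory and checks the result before anything touches the collector's keystore. The throwaway "Example Internal CA", the host name and the password `changeit` are constructed stand-ins; only the `openssl` CLI is assumed.

```shell
#!/bin/sh
# Added example. The CA, host name and password below are constructed.
make_demo_ca() {   # throwaway stand-in for the company's internal CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal CA" -keyout ca.key -out ca.crt 2>/dev/null
}
make_csr() {       # the thread's first command, with -subj to skip the prompts
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cspc.example.internal" \
    -keyout test.key -out test.csr 2>/dev/null
}
ca_sign() {        # done by the CA: only test.csr is submitted, never test.key
  openssl x509 -req -in test.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out test.crt 2>/dev/null
}
cert_matches_key() {  # $1=cert $2=key: the public keys must be identical
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}
chain_ok() {       # $1=CA cert $2=cert: a self-signed cert fails this check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
make_p12() {       # the thread's second command, plus CA cert, alias and -out
  openssl pkcs12 -export -in test.crt -inkey test.key -certfile ca.crt \
    -name tomcat -passout pass:changeit -out test.p12
}
p12_ok() {         # $1=bundle: rejects an empty or unreadable file
  [ -s "$1" ] && openssl pkcs12 -in "$1" -passin pass:changeit -nokeys \
    >/dev/null 2>&1
}

work=$(mktemp -d) && cd "$work" || exit 1
make_demo_ca && make_csr && ca_sign && make_p12 || exit 1
if cert_matches_key test.crt test.key && chain_ok ca.crt test.crt \
   && p12_ok test.p12; then
  echo "OK: test.p12 passed all checks and can go to the keytool import step"
else
  echo "FAIL: do not import test.p12" >&2
  exit 1
fi
```

With a real CA, skip `make_demo_ca` and `ca_sign` and run the same checks against the certificate and chain file the CA returns.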
04-14-2023 06:39 AM
anyone?