
How to Install a proper SSL Certificate for the WebGUI

slamar001
Level 1

Good Morning,

I am looking for information on installing a proper SSL certificate issued by my company's internal CA. Could someone please post the steps I need to take to accomplish this? The reason this is needed is so my collector can be brought up to current compliance standards set forth by my company's security department.

 

Any and all help is greatly appreciated.

 

Thank You,

Stephen


Lynden Price
Cisco Employee

Hello,

First, generate the private key and .csr file on the CSPC using this command:

# openssl req -new -newkey rsa:2048 -nodes -keyout test.key -out test.csr

This will create a private key file called test.key and a CSR called test.csr.

Using these two files, generate the certificate using the following command:

# openssl pkcs12 -export -in test.crt -inkey test.key > test.p12

This will produce a certificate called test.p12.

Next update the CSPC keystore with the new certificate using this command:

# keytool -importkeystore -srckeystore test.p12 -alias tomcat -destkeystore $CSPCHOME/webui/tomcat/conf/cspcgxt -srcstoretype pkcs12 -storepass cspcgxt

The exact details of what needs to be done can vary and the formatting of the commands is important, so please let me know if this doesn't work or if you run into any issues, and paste in exactly what error messages you get if anything pops up. It can be a bit tricky to remove keys if you mess up, so if it looks like something didn't work, please post again here so I can walk you through what needs to be done.

Thanks,

Lynden

Hi,

I was following the instructions, but I was having this error.

 

Importing keystore test.p12 to /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt...

keytool error: java.io.IOException: Invalid keystore format

And I am no longer able to access the webUI. Please kindly assist on how to fix access.

 

Thank you.

Hi rtanap,

 

We are looking into the issue and will get back to you with an update.


Thanks and Regards,
Vivek Chauhan

Hi rtanap,

 

Please share the user's CCO id and company name in private message.


Thanks and Regards,
Vivek Chauhan

Surprised this has not been asked, but if I want to use an external CA, like DigiCert?

Exactly, I'm trying to do the same. I was able to go through this documentation, CSPC User-Guide, Appendix F. However, it shows you steps for a self-signed cert. I went through all steps successfully, but after restarting the service and launching the website from the browser, it still shows as "not trusted". We have an internal trusted CA, and I want to know how to generate the signed cert out of the .key and .csr files generated from the CSP Collector.

Anyone have any insight?  Should I just combine both keys and submit it to the CA to generate the cert? Or is it just the .csr file that's needed?

The certificate that you generated from the .key and .csr files is not signed by your internal trusted CA, but by yourself. This means that the certificate is self-signed and not recognized by your browser as valid. To generate a signed certificate from your internal trusted CA, you need to submit the .csr file to the CA and obtain a signed certificate in PEM format. 

The certificate that you installed on the CSPC server is not trusted by your browser because it is not in the browser’s trust store. This means that your browser does not have the root or intermediate certificates of your internal trusted CA in its list of trusted authorities. To fix this, you need to import the root and intermediate certificates of your internal trusted CA into your browser’s trust store.
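
Checks that fit between building test.p12 and running the keytool import from the procedure earlier in this thread, as an added example that does not come from any poster or from Cisco. The function names are this example's own; it assumes the openssl CLI is installed and takes the certificate, key, PKCS#12 file, export password and keystore path as arguments.

```shell
#!/bin/sh
# Added example: pre-import checks for the certificate procedure in this thread.
# Function names are hypothetical; file names follow the thread's commands.

# 0 if the certificate carries the public key derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if issuer equals subject, i.e. the CSR was never signed by a CA.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$s" = "$i" ]
}

# 0 if the file parses as PKCS#12 with the given export password.
# The password goes through the environment, not the argument list.
p12_is_readable() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -noout >/dev/null 2>&1
}

# Copy the keystore aside and print the backup path, so a failed import
# can be rolled back by restoring the copy.
backup_keystore() {
    [ -f "$1" ] || return 1
    b="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$b" && printf '%s\n' "$b"
}

# usage: preflight CERT KEY P12 P12_PASSWORD KEYSTORE
preflight() {
    cert_matches_key "$1" "$2" ||
        { echo "certificate does not match private key" >&2; return 1; }
    if cert_is_self_signed "$1"; then
        echo "warning: issuer equals subject; browsers will not trust it" >&2
    fi
    p12_is_readable "$3" "$4" ||
        { echo "PKCS#12 file is not readable" >&2; return 1; }
    backup_keystore "$5" ||
        { echo "keystore not found, nothing backed up" >&2; return 1; }
}
```

Run the import only after preflight returns 0, and keep the printed backup path so the original keystore can be copied back if the WebUI stops loading.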

 

 

 

anyone?