05-13-2015 02:35 PM - edited 03-01-2019 06:22 AM
Been trying to find the answer to this for a while now, but haven't been able to get anywhere with it.
We have a wildcard SSL certificate that we tend to use around here and I was wondering if the UCSD Tomcat service, along with the VNC service, are able to use a wildcard certificate?
The documentation about adding certificates doesn't mention anything specific about wildcard certs, although, I haven't really had a chance to test this in the lab either (other things taking higher priority).
Anyone know?
06-24-2015 07:52 PM
I took my PEM file (which worked out great for the VNC service).
I then followed this website -> Convert your wildcard SSL to JKS (Java Keystore) Format | Sononaco
Ended up being pretty easy to create the JKS file and then import the certificate without an issue. I did have a LOT of problems creating the JKS file without following those steps in that website.
--j
05-29-2015 07:12 PM
I've found you can use wildcard certificates. Since the main web component is Tomcat, I was able to find some instructions on how to set up wildcard certs with Tomcat and apply them to the UCSD appliance.
--j
06-24-2015 01:37 PM
Hi,
I am trying to install SSL certificates on the appliance for the HTTPS access. Initially I tried option 13) on the appliance, however the certificate wasn't showing up on the web after restarting all UCSD services. This was my attempt with PEM file.
After WebEx with CISCO support, I was advised to try a JKS file. I got a message saying "Certificate imported successfully" with an additional log about changes in the Tomcat server.xml file. However, when I hit my website for UCSD with HTTPS, now it won't even load with the default certificate...
Any help is appreciated if you did it - no matter if your certificate is with wildcard or not....
P.S. The documentation about SSL certificate importing is very bad.
Kind Regards
06-24-2015 08:00 PM
In the website, the key was the conversion of the PEM file using openssl and turning it into PKCS12 format. Each time I tried any other conversion without running openssl, Tomcat would never launch on port 443.
--j
06-24-2015 11:26 PM
Hi,
Thanks for the directions. Finally I did it...
This is the guideline missing in the docs:
1. Option 12 on the Shell Menu is the right one - "Import CA Cert (JKS) File"
2. One needs to have following:
3. To be able to import JKS to Tomcat, one needs to generate PKCS12 format certificate first. This is the command:
openssl pkcs12 -export -in <myservercert>.crt -inkey <private>.key -certfile <intcacerts>.crt -name "<aFriendlyName>" -out <keyandcerts>.p12
4. P12 file which was generated in step 3. needs to be converted in Java Key Store (JKS) file. This is the command:
/opt/bin/jre/bin/keytool -importkeystore -srckeystore <keyandcerts>.p12 -srcstoretype PKCS12 -destkeystore <myserverJKS>.jks
5. The JKS file which was generated in step 4 needs to be imported to the keystore where the Tomcat application server can find it when it deploys the application. This is done through option 12) - "Import CA Cert (JKS) File" on the Shell Menu. What this internally does is download the JKS file and move it to the Tomcat-local keystore. This keystore is on this path:
/opt/infra/web_cloudmgr/apache-tomcat/keystore/
After that, appliance backs up old server.xml descriptor file and creates new one under path:
/opt/infra/web_cloudmgr/apache-tomcat/conf/server.xml
6. Done !!!
Kind Regards
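Steps 3 and 4 above as an added example script (not from the thread, Cisco or the linked article): it checks that the private key actually belongs to the certificate, builds the PKCS12, reads the leaf CN back out of the .p12 to confirm the wildcard, and runs the keytool step only where the appliance JRE path exists. The keytool path is the one quoted in the post; the store password, file names and the self-signed test material are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: package a PEM cert, key and intermediate chain into the
# PKCS12 file that step 4's keytool command consumes, and sanity-check it first.
# Assumptions: the keytool path quoted in the thread, a constructed store password, test file names.
set -eu
KEYTOOL="${KEYTOOL:-/opt/bin/jre/bin/keytool}"   # appliance JRE path from the thread
P12_PASS="${P12_PASS:-changeit}"                 # constructed; keytool needs at least 6 chars
# The key must belong to the certificate; a mismatched pair is one way to end up with a
# keystore Tomcat cannot bring up 443 with. Compares the two public keys, exit 0 on match.
key_matches_cert() {  # $1=server.crt $2=private.key
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout)
  [ "$c" = "$k" ]
}
# Step 3 from the thread: cert + key + intermediate chain into one PKCS12 with a friendly name.
build_p12() {  # $1=server.crt $2=private.key $3=intcacerts.crt $4=friendlyName $5=out.p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$4" \
    -passout "pass:$P12_PASS" -out "$5"
}
# Read back the server (leaf) certificate's CN from the .p12 so the wildcard can be confirmed.
p12_subject_cn() {  # $1=keyandcerts.p12
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | sed -n 's/.*CN *= *//p'
}
# Step 4 from the thread, run only where the appliance JRE's keytool actually exists.
p12_to_jks() {  # $1=keyandcerts.p12 $2=myserverJKS.jks
  if [ ! -x "$KEYTOOL" ]; then echo "keytool not found at $KEYTOOL, skipping JKS step" >&2; return 0; fi
  "$KEYTOOL" -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$P12_PASS" \
    -destkeystore "$2" -deststorepass "$P12_PASS" -noprompt
}
# Constructed stand-in for the CA-issued wildcard cert: a throwaway CA signs a *.example.com leaf.
make_test_material() {  # $1=workdir
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/intcacerts.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$1/private.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/intcacerts.crt" -CAkey "$1/ca.key" \
    -set_serial 1 -days 2 -out "$1/server.crt" 2>/dev/null
}
if [ "${1:-}" = "--demo" ]; then   # ./convert.sh --demo runs the whole flow on constructed material
  d=$(mktemp -d); make_test_material "$d"
  key_matches_cert "$d/server.crt" "$d/private.key" && echo "key matches cert"
  build_p12 "$d/server.crt" "$d/private.key" "$d/intcacerts.crt" "wildcard" "$d/keyandcerts.p12"
  echo "leaf CN in p12: $(p12_subject_cn "$d/keyandcerts.p12")"
  p12_to_jks "$d/keyandcerts.p12" "$d/myserverJKS.jks"; rm -rf "$d"
fi
```

With a real CA-issued certificate, point the functions at your own .crt, .key and intermediate bundle instead of the constructed material; the resulting .p12 is what the keytool command in step 4 converts to JKS.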
06-26-2015 02:15 PM
Good to hear the article came in handy to solve the problem. I did have some conversation with some of the UCSD team (through e-mail, after I posed the question to them on whether we could use wildcard certs) and they mentioned something about providing better instructions and more options (like being able to create the PEM file, rather than assuming you have it already created before starting the process).
Let's hope in future versions they resolve some of these idiosyncrasies with certificate import.