cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2331
Views
1
Helpful
6
Replies

Wildcart certs for UCSD appliance?

snoopj123
Level 4
Level 4

Been trying to find the answer to this for a while now, but haven't been able to get anywhere with it.

We have a wildcart SSL certificate that we tend to use around here and I was wondering if the UCSD Tomcat service, along with the VNC service are able to use a wildcard certificate?

The documentation about adding certificates doesn't mention anything specific about wildcard certs, although, I haven't really had a chance to test this in the lab either (other things taking higher priority).

Anyone know?

1 Accepted Solution

Accepted Solutions

I took my PEM file (which worked out great for the VNC service).

I then followed this website -> Convert your wildcard SSL to JKS (Java Keystore) Format | Sononaco

Ended up being pretty easy to create the JKS file and then import the certificate without an issue.  I did have a LOT of problems creating the JKS file without following those steps in that website.

--j

View solution in original post

6 Replies 6

snoopj123
Level 4
Level 4

I've found you can do use wildcard certificates.  Since the main web component is Tomcat, I was able to find some instructions on how to setup wildcard certs with Tomcat and apply them to the UCSD appliance.

--j

Hi,

I am trying to install SSL certificates on the appliance for the HTTPS access. Initially I tried option 13) on the appliance, however the certificate wasn't showing up on the web after restarting all UCSD services. This was my attempt with PEM file.


After WebEx with CISCO support, I was advised to try JKS file. I got message saying "Certificate imported successfuly" with additional log about changes in Tomcat server.xml file. However, when I hit my website for UCSD with HTTPS, now it won't even load with default certificate...

Any help is appreciated if you did it - no matter if your certificate is with wildcard or not....

P.S. The documentation about SSL certificate importing is very bad.

Kind Regards

I took my PEM file (which worked out great for the VNC service).

I then followed this website -> Convert your wildcard SSL to JKS (Java Keystore) Format | Sononaco

Ended up being pretty easy to create the JKS file and then import the certificate without an issue.  I did have a LOT of problems creating the JKS file without following those steps in that website.

--j

In the website, the key was the conversion of the PEM file using openssl and turning into PKCS12 format.  Each time I tried any other conversion without running openssl, tomcat would never launch on port 443.

--j

Hi,

Thanks for the directions. Finally I did it...

This is the guideline missing in the docs:

1.       Option 12 on the Shell Menu is the right one – „Import CA Cert (JKS) File“

2.       One needs to have following:

    • signed certificate file  < myservercert >.crt (in PEM format
    • intermetiate certificates file < intcacerts >.crt (in PEM format)
    • private key file < private >.key (in PEM format)

3.      To be able to import JKS to Tomcat, one needs to generate PKCS12 format certificate first. This is the command:
        openssl pkcs12 -export -in <myservercert>.crt -inkey <private>.key -certfile <intcacerts>.crt -name „<aFriendlyName>“ -out <keyandcerts>.p12

4.       P12 file which was generated in step 3. needs to be converted in Java Key Store (JKS) file. This is the command:

   /opt/bin/jre/bin/keytool -importkeystore -srckeystore <keyandcerts>.p12 -srcstoretype PKCS12 -destkeystore <myserverJKS>.jks

5.      JKS file which was generated in step 4. needs to be imported to the keystore where Tomcat application server can find it when it deploys application. This is done through option 12) -„Import CA Cert (JKS) File“ on the Shell Menu. What this internally does is download of the JKS file, and moves it to the Tomcat-local keystore. This keystore is on this path:
     
/opt/infra/web_cloudmgr/apache-tomcat/keystore/

After that, appliance backs up old server.xml descriptor file and creates new one under path:
  /opt/infra/web_cloudmgr/apache-tomcat/conf/server.xml

6.       Done !!!

Kind Regards

Good to hear the article came in handy to solve the problem.  I did have some conversation with some of the UCSD team (through e-mail, after I posed the question to them on whether we could use wildcard certs) and they mentioned something about providing better instructions and more options (like being able to create the PEM file, rather than assuming you have it already created before starting the process).

Let's hope in future versions they resolve some of these idiosyncrasies with certificate import.

Review Cisco Networking for a $25 gift card

Cisco UCS X-Series Energy Efficiency Offer