Importing same SSL certificate into multiple cluster Symantec Encryption Management (or PGP) Servers


Article ID: 158352


Products

Encryption Management Server

Issue/Introduction

There are multiple Symantec Encryption Management Servers (SEMS) in a cluster and all of the servers must use the same SSL certificate on their network interface.

The main reason for using the same SSL certificate on each node is a Round Robin DNS or Load Balancing scenario. For example, a client resolves keys.domain.dom via DNS and, because RR DNS or Load Balancing is in use, the connection is directed to one of several nodes. If the hostname in the certificate presented by that node does not match the hostname the client resolved, a certificate warning is displayed.

If a Certificate Signing Request has been submitted, only one certificate is returned and it can be imported on only one server. Although the signed certificate can only be imported on the server that generated the CSR (to complete the CSR process), it can then be exported from that Symantec Encryption Management Server and imported on the other cluster nodes.

Because the certificate signed by the Certificate Authority can be imported on only one server, attempting to upload it to the other nodes may produce the following error:

"Invalid or Missing Certificate" is displayed when trying to load the certificate onto a server that did not generate the CSR.

Cause

The CSR is generated with a unique private key, which stays on the server that created the request and ties that server to the resulting certificate. The machines that did not generate the CSR do not have this private key and consequently cannot import the certificate.

Resolution

Option 1 (Recommended):
An easy way to meet this requirement is to upload the signed certificate to the server on which the CSR was started and import it there. Typically, the certificate awaiting the signed request is in a "Pending" state. After the certificate is imported, the Pending state goes away and the certificate is considered valid.

If the same certificate is needed on the other cluster nodes, click the certificate under System > Network > Certificates and export the keypair. Once the entire keypair (private key and certificate) is exported, import it on the other nodes in the same location.

Option 2:
It would be rare for the above steps not to work, but the following is an alternative. Contact Symantec Support if the above steps do not work before attempting the steps below:

Use SSH to access the machine on which the certificate was successfully imported; this machine must also have the certificate you want assigned to a network interface. Go to the directory /etc/httpd/conf and view the files there. Every certificate assigned to an interface has a .key and a .crt file here. (The main filenames will be a key ID. For example, you may see filenames such as 0xA123456789012345.key and 0xA123456789012345.crt.)

If you have multiple certificates, you will see multiple key ID files. To find the correct one, run the following command on each file until you locate the one you need (compare the subject, validity dates and fingerprint with the certificate you expect):

openssl x509 -in [keyid].crt -issuer -subject -dates -fingerprint -noout


Once you have determined the correct key ID, view the contents of both the .crt and the .key files:
cat [keyid].crt [keyid].key

(Example: cat 0xA123456789012345.crt 0xA123456789012345.key)


(Alternatively, you can use SCP to transfer the files to your local machine and view them there.)

Copy the contents of both the .key and .crt files.

System > Network > Certificates (button at bottom) > Add Certificates (button at bottom) > Import (button at lower left). Choose the radio button for "Import Certificate Block". In the text window, paste the output from the .key and .crt files; the contents of both files go into this one text block.

Click the "Import" button in the lower right. You will be returned to the Certificates list and will see the new certificate there (or an error explaining why it could not be imported).

[NOTE: The system sometimes seems to be sensitive to empty lines. It is recommended that no empty lines exist before or after the entry, and no empty lines between the key and certificate info.]
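The Option 2 steps, scripted as an added example (not code from the article or from the product): it picks the key ID whose certificate CN matches the hostname clients resolve, confirms the .key really belongs to that .crt before anything is pasted, and emits the two files as one block with no empty lines. The directory, hostnames and key IDs are assumptions constructed for the demo; it assumes the /etc/httpd/conf layout of <keyid>.crt and <keyid>.key pairs described above.

```sh
#!/bin/sh
# Added example, not part of the Symantec article or product. Assumes the
# /etc/httpd/conf layout described above: <keyid>.crt and <keyid>.key pairs.
# The directory, hostnames and key IDs used here are constructed for the demo.
set -eu

# Print the key ID (file stem) whose certificate subject CN equals $2,
# searching the .crt files in directory $1. Exit 1 if none matches.
find_keyid_for_host() {
    dir=$1; host=$2
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
             | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        if [ "$cn" = "$host" ]; then
            basename "$crt" .crt
            return 0
        fi
    done
    return 1
}

# Succeed only if <keyid>.key is the private key behind <keyid>.crt, by
# comparing the public key embedded in the certificate with the one derived
# from the private key. A mismatched pair is exactly what an import rejects.
key_matches_cert() {
    dir=$1; keyid=$2
    pub_from_cert=$(openssl x509 -in "$dir/$keyid.crt" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$dir/$keyid.key" -pubout)
    [ "$pub_from_cert" = "$pub_from_key" ]
}

# Emit the text to paste into "Import Certificate Block": certificate, then
# private key (the cat order above), with every empty line stripped (NOTE).
build_import_block() {
    dir=$1; keyid=$2
    key_matches_cert "$dir" "$keyid" \
        || { echo "private key does not match certificate for $keyid" >&2; return 1; }
    cat "$dir/$keyid.crt" "$dir/$keyid.key" | grep -v '^[[:space:]]*$'
}

# Constructed sample data: a self-signed pair standing in for a CA-issued one,
# written as <keyid>.key / <keyid>.crt into directory $1.
make_sample_pair() {
    dir=$1; keyid=$2; host=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
        -keyout "$dir/$keyid.key" -out "$dir/$keyid.crt" >/dev/null 2>&1
}
```

Run it on the server as `build_import_block /etc/httpd/conf "$(find_keyid_for_host /etc/httpd/conf keys.domain.dom)"` and paste the output into the Import Certificate Block window.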