Replace LiveUpdate Administrator certificate

book

Article ID: 161578

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You want to replace the default self-signed certificate used by the LiveUpdate Administrator (LUA) server for HTTPS communications.

Resolution

The LUA Tomcat server uses a Java keystore (JKS) to securely house its public and private key pair. This file is password protected with a proprietary password. You must create a new JKS file, and generate or obtain a new certificate to replace the LUA certificate. LUA supports both self-signed certificates and Certificate Authority (CA) signed certificates.

Obtain a new certificate

Most large organizations have specific Public Key Infrastructure (PKI) requirements. Work with the PKI experts in your organization to determine what type of certificate you require: a self-signed certificate, an internal CA-signed certificate, or a public CA-signed certificate. Generate or obtain a new certificate based on your organizational requirements. If you have no organizational PKI requirements, you can use the Java keytool program to generate a new self-signed certificate, or leave the default self-signed certificate in place.

Generate a new JKS

  1. Use Java's keytool program, or to generate a key JKS file named server-cert.ssl
  2. Make note of the keystore password used when generating the JKS file.  

    Note: Avoid using the '&' character in your keystore password.  

note: For more information on the Java keytool, see Oracle's public documentation here: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Import the new certificate

  1. Import the new LUA certificate using the same program used to generate the new JKS file
  2. For CA-signed certificates signed by an untrusted intermediary CA that chains to a trusted root CA, import the intermediary CA certificate(s)

Replace server-cert.ssl

  1. Save a backup copy of the original server-cert.ssl file (C:\Program Files (x86)\Symantec\LIveUpate Administrator\server-cert.ssl by default)
  2. Replace the original server-cert.ssl with the newly generated JKS file created above

Encrypt the keystore password

  1. Open a command-prompt as Administrator
  2. Change directories to the LUA WEB-INF library folder (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\webapps\lua\WEB-INF\lib by default)
  3. Run the following command:

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\java.exe" -cp  ssl-lua.jar;commons-codec-1.10.jar;"C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\lib\tomcat-util.jar" com.symantec.lua.SSLPasswordDecrypt <JKS Password>

  4. Copy the encrypted JKS password output by this command

Update catalina.properties

  1. Open catalina.properties (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\conf\catalina.properties by default) in a text editor
  2. Change the ks.password value to the new encrypted keystore password output in the previous steps
  3. Save the changes and restart the LUA Apache Tomcat service

Note: Customization of the LUA's default certificate is unsupported by Symantec support .