Generating and using a Windows Web server (IIS) SSL certificate in Reporter 9.x

Article ID: 165771

Products

Reporter

Issue/Introduction

Reporter 9.x uses a self-signed SSL certificate. This causes client Web browsers to flag the certificate as untrusted and display a warning message to users.

To avoid this message, Reporter must be configured to use an SSL certificate that is signed by a trusted certification authority.

This article assumes that the environment used is a Windows-based domain, with an available certification authority (either root, or an intermediate), and that IIS is installed on a member server of this domain.

Important: This process generates and installs a new SSL certificate for IIS. If you do not want to use this new certificate in IIS, back up your existing certificate and private key before attempting these steps.

Resolution

The first phase is to request an SSL certificate from the certification authority by using the IIS management console:

  1. Log in to a server that has IIS installed. Navigate to: Start menu > Internet Information Services (IIS) Manager.
  2. Expand the tree under the server name and Web Sites. Right click on a site (Default Web Site can be used) and click Properties.
  3. Go to the Directory Security tab and click on Server Certificate.
  4. Select the Create a new certificate option and click Next. Select the option to send the request immediately to an online CA.
  5. Enter any name for the certificate and ensure the Bit Length is set to 1024 bits; click Next.
  6. Fill in your Organization and Organization Unit information and click Next.
  7. On this screen you must fill in the host name that clients will use to access Reporter/IIS. If clients use the server's IP address, then fill in the IP address. Click Next when done.
  8. Fill in the geographical information and click Next. On the next screen, enter the Reporter SSL port number (8082 by default) and click Next.
  9. Select the Certification Authority to use to generate the certificate. Click Next and review the information. When satisfied, click Next again.
  10. At this point, the certification authority generates and signs a new SSL certificate and this certificate is installed for use by IIS.

The next phase is to export the SSL certificate and private key and convert them into a format that is usable by Reporter:

  1. Navigate to Start > Run; type in mmc and press Enter.
  2. Navigate to File > Add/Remove Snap-in and click Add. Select the Certificates snap-in and click Add.
  3. Select Computer Account and click Next. Select Local Computer and click Finish.
  4. Click Close and then click OK.
  5. Expand the tree under Certificates and click the Personal folder.
  6. Right-click the certificate that was just generated and select All Tasks > Export.
  7. A wizard displays. Click Next and select the option to export the private key.
  8. Under the Personal Information Exchange option, select the Include all certificates in the certification path if possible option.
  9. Clear the Enable strong protection option and ensure that the option to delete the private key is not selected. Then, click Next.
  10. Enter a password to be used to protect the certificate and private key and click Next.
  11. Select a location to save the PFX file and click Next, then click Finish. A message pops up stating that the export was successful.

The exported PFX file now must be converted into a format that is readable by Reporter. OpenSSL is included with Reporter and can be used to perform these steps.

  1. Copy the exported PFX file to the SSL folder within Reporter's installation directory.
    Example: C:\Program Files\Blue Coat Reporter 9\utilities\ssl
  2. Open up a command prompt and change directory to C:\Program Files\Blue Coat Reporter 9\utilities\ssl.
  3. Run openssl on the command line to extract the private key and the certificate file.
    # Export the private key file from the pfx file
    openssl pkcs12 -in filename.pfx -nocerts -out key.pem
    # Export the certificate file from the pfx file
    openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
    # This removes the passphrase from the private key
    openssl rsa -in key.pem -out server.key
    
  4. This leaves you with two files usable by Reporter: cert.pem and server.key.
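
Before loading the two files into Reporter, it is worth confirming that they are a matching pair and seeing who can read the unencrypted key. The following PowerShell is an added example, not part of the original article; Test-ReporterCertPair is a hypothetical helper name, and it assumes openssl.exe is on PATH (otherwise pass -OpenSsl .\openssl.exe).

```powershell
# Added example, not from the original article. Test-ReporterCertPair is a
# hypothetical helper; file names are the ones produced in step 3 above.
function Test-ReporterCertPair {
    param(
        [string]$CertPath = '.\cert.pem',
        [string]$KeyPath  = '.\server.key',
        [string]$OpenSsl  = 'openssl'   # assumption: openssl.exe is on PATH
    )

    # 1. The certificate and key belong together only if their RSA moduli match.
    $certMod = & $OpenSsl x509 -noout -modulus -in $CertPath | Select-Object -First 1
    $keyMod  = & $OpenSsl rsa  -noout -modulus -in $KeyPath  | Select-Object -First 1
    if (-not $certMod -or $certMod -ne $keyMod) {
        throw "Modulus mismatch: $CertPath and $KeyPath are not a pair."
    }

    # 2. Show subject, issuer and validity so the host name from the request
    #    and the issuing CA can be confirmed by eye.
    & $OpenSsl x509 -noout -subject -issuer -dates -in $CertPath | Out-Host

    # 3. Read the key length from the certificate text. The pattern covers both
    #    "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)" wording.
    $text = & $OpenSsl x509 -noout -text -in $CertPath | Out-String
    $bits = if ($text -match 'Public[- ]Key: \((\d+) bit\)') { [int]$Matches[1] } else { 0 }
    if ($bits -gt 0 -and $bits -lt 2048) {
        Write-Warning "RSA key is $bits bits; NIST SP 800-131A calls for 2048 or more."
    }

    # 4. server.key has no passphrase, so the NTFS ACL is its only protection.
    #    List every principal that is allowed to read the file.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $readers = (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readData) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        ModulusMatch = $true
        KeyBits      = $bits
        KeyReaders   = $readers -join '; '
    }
}

# Run from the utilities\ssl folder after step 3.
Test-ReporterCertPair | Format-List
```

If KeyReaders lists broad groups such as BUILTIN\Users, restrict the file to administrators and the account the Reporter service runs as; which account that is depends on the installation.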

The final step is to configure Reporter to use the exported and converted SSL certificate and private key.

  1. Log in to the Reporter user interface and navigate to Administration > General Settings > System Settings > Server Settings.
  2. Under Protocol, select the HTTPS option. Ensure the port number matches the port number that was configured for the SSL certificate.
  3. Under Certificate, select the Enter Certificate option.
  4. Locate and select the certificate file that was generated in the previous step: cert.pem.
  5. Locate and select the private key file: server.key.
  6. Test the certificate and key to ensure Reporter can read them.
  7. Save the changes and restart the Reporter service.

Reporter now uses the certificate generated by the Windows CA.

Clients that are members of the Windows domain trust this certificate and do not display warning messages.

 LINKS TO OTHER RELEVANT ARTICLES:

Creating a Certificate Signing Request (CSR) for Reporter 9.x: 000008805