The first phase is to request an SSL certificate from the certification authority by using the IIS management console:
- Log in to a server that has IIS installed. Navigate to: Start menu > Internet Information Services (IIS) Manager.
- Expand the tree under the server name and Web Sites. Right click on a site (Default Web Site can be used) and click Properties.
- Go to the Directory Security tab and click on Server Certificate.
- Select the Create a new certificate option and click Next. Select the option to send the request immediately to an online CA.
- Enter any name for the certificate and ensure the Bit Length is set to 1024 bits; click Next.
- Fill in your Organization and Organization Unit information and click Next.
- On this screen you must fill in the host name that clients will use to access Reporter/IIS. If clients use the server's IP address, then fill in the IP address. Click Next when done.
- Fill in the geographical information and click Next. On the next screen, enter the Reporter SSL port number (8082 by default) and click Next.
- Select the Certification Authority to use to generate the certificate. Click Next and review the information. When satisfied, click Next again.
- At this point, the certification authority generates and signs a new SSL certificate and this certificate is installed for use by IIS.
The next phase is to export the SSL certificate and private key and convert them into a format that is usable by Reporter:
- Navigate to Start > Run; type in mmc and press Enter.
- Navigate to File > Add/Remove Snap-in and click Add. Select the Certificates snap-in and click Add.
- Select Computer Account and click Next. Select Local Computer and click Finish.
- Click Close and then click OK.
- Expand the tree under Certificates and click the Personal folder.
- Right-click the certificate that was just generated and select All Tasks > Export.
- A wizard displays. Click Next and select the option to export the private key.
- Under the Personal Information Exchange option, select the Include all certificates in the certification path if possible option.
- Clear the Enable strong protection option and ensure that the option to delete the private key is not selected. Then, click Next.
- Enter a password to be used to protect the certificate and private key and click Next.
- Select a location to save the PFX file and click Next, then click Finish. A message pops up stating that the export was successful.
The exported PFX file now must be converted into a format that is readable by Reporter. OpenSSL is included with Reporter and can be used to perform these steps.
- Copy the exported PFX file to the SSL folder within Reporter's installation directory.
Example: C:\Program Files\Blue Coat Reporter 9\utilities\ssl
- Open up a command prompt and change directory to C:\Program Files\Blue Coat Reporter 9\utilities\ssl.
- Run openssl on the command line to extract the private key and the certificate file.
# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key
openssl rsa -in key.pem -out server.key
- This leaves you with two files usable by Reporter: cert.pem and server.key.
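A check that can be run after the conversion and before the files are loaded into Reporter, given here as an added example that is not part of the original article: it confirms that cert.pem holds a certificate and no key, that server.key is no longer passphrase-protected, and that the two files belong together. It assumes PowerShell is available on the server, that it is run from the ssl folder named above, and that openssl.exe sits in that folder; the function name Test-ReporterTlsFiles is hypothetical.

```powershell
# Added example, not from the original article. Run from the ssl folder after the
# three openssl commands above. Test-ReporterTlsFiles is a hypothetical name.
function Test-ReporterTlsFiles {
    param(
        [string]$Cert    = 'cert.pem',
        [string]$Key     = 'server.key',
        [string]$OpenSsl = '.\openssl.exe'   # assumption: openssl.exe is in this folder
    )
    $problems = @()
    $certText = Get-Content $Cert | Out-String
    $keyText  = Get-Content $Key  | Out-String

    # cert.pem was exported with -nokeys: it must hold a certificate and no key.
    if ($certText -notmatch '-----BEGIN CERTIFICATE-----') {
        $problems += "$Cert contains no certificate block"
    }
    if ($certText -match 'PRIVATE KEY-----') {
        $problems += "$Cert contains a private key block"
    }

    # server.key must be the passphrase-free output of 'openssl rsa'.
    $encrypted = $keyText -cmatch '(?m)^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)'
    if ($encrypted) {
        $problems += "$Key is still passphrase-protected"
    } else {
        # Certificate and key form a pair only if their RSA moduli are identical.
        $certMod = & $OpenSsl x509 -noout -modulus -in $Cert
        $keyMod  = & $OpenSsl rsa  -noout -modulus -in $Key
        if ((-not $certMod) -or ($certMod -ne $keyMod)) {
            $problems += "$Cert and $Key do not form a matching pair"
        }
    }

    # Print subject and validity dates so the host name entered in the request can be checked.
    & $OpenSsl x509 -noout -subject -dates -in $Cert | Write-Host

    if ($problems.Count -eq 0) { Write-Host 'OK: files are consistent'; return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-ReporterTlsFiles
```

Because server.key is stored without a passphrase, the NTFS permissions on the ssl folder are the only protection for the private key.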
The final step is to configure Reporter to use the exported and converted SSL certificate and private key.
- Log in to the Reporter user interface and navigate to Administration > General Settings > System Settings > Server Settings.
- Under Protocol, select the HTTPS option. Ensure the port number matches the port number that was configured for the SSL certificate.
- Under Certificate, select the Enter Certificate option.
- Locate and select the certificate file that was generated in the previous step: cert.pem.
- Locate and select the private key file: server.key.
- Test the certificate and key to ensure Reporter can read them.
- Save the changes and restart the Reporter service.
Reporter now uses the Windows CA generated certificate.
Clients that are members of the Windows domain will trust this certificate and will not display warning messages.
LINKS TO OTHER RELEVANT ARTICLES:
Creating a Certificate Signing Request (CSR) for Reporter 9.x: 000008805