How to replace the default Management Interface certificate with your own web server certificate signed by an Internal or Public CA on the DLP appliance.

Article ID: 169063

Products

Data Loss Prevention

Issue/Introduction

Replacing the default Management Interface certificate with your own web server certificate signed by an Internal or Public CA on the DLP appliance is a two-step process:
  1. Generate a CSR and a Private Key on the DLP appliance.
  2. Import/replace the default Management Interface certificate with your own web server certificate signed by an Internal or Public CA on the DLP appliance.

Resolution

  1. SSH to the DLP appliance:
- Log in as dlpremote.
- Log in as su.
- Browse to the directory: cd /usr/share/tomcat60/conf/
- Generate the private RSA key: openssl genrsa -des3 -out example.key.com 2048
- Generate the Certificate Signing Request: openssl req -new -key example.key.com -out example.csr
- (Optional) Remove the pass phrase on the RSA private key: openssl rsa -in example.key.com -out example.key
- Get the CSR out; you can use the command: nano example.csr
  2. After the previously generated CSR has been signed by an Internal Microsoft PKI or a Public CA, you can import and replace the default certificate on the DLP appliance.
- Back up /usr/share/tomcat60/conf/mycert.p12.
- Copy the new.p12 to mycert.p12.
- Verify permissions are the same as the original mycert.p12.
- Edit /usr/share/tomcat60/conf/server.xml. Search for keystorePass, and edit the value that follows it to your p12 file password. 
- Restart tomcat. 
# cgnmgr restart tomcat
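
The steps above copy new.p12 over mycert.p12 but do not show how new.p12 is produced or checked. The script below is an added example, not part of the original article or vendor code: it confirms that the signed certificate matches the private key, builds the PKCS#12, and verifies that the password intended for keystorePass opens it. The names signed.crt and P12_PASS are assumptions, and the demo self-signs a constructed CSR in place of the CA.

```shell
#!/bin/sh
# Added example, not vendor code. signed.crt and P12_PASS are assumed names;
# the demo key, CSR and self-signed certificate are constructed test inputs.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash FILE key|csr|cert
  case "$2" in
    key)  pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1 ;;
    csr)  pem=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
    cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)    return 2 ;;
  esac
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Build the PKCS#12 only when the signed certificate carries the public key of
# the private key. The password comes from $P12_PASS so it never appears in argv.
build_p12() {  # usage: build_p12 KEY CERT OUT
  k=$(pubkey_hash "$1" key) && c=$(pubkey_hash "$2" cert) || return 1
  [ "$k" = "$c" ] || { echo "certificate does not match private key" >&2; return 1; }
  # umask keeps the new file private; afterwards match the original's mode.
  ( umask 077
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS )
}

# Confirm that the password destined for keystorePass opens the file and that
# the certificate inside belongs to the private key.
check_p12() {  # usage: check_p12 P12 KEY
  c=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
      openssl x509 -noout -pubkey 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
  [ "$c" = "$(pubkey_hash "$2" key)" ]
}

demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  P12_PASS='constructed-demo-password'; export P12_PASS
  # The demo writes an unencrypted example.key directly (no -des3 prompt).
  openssl genrsa -out example.key 2048 2>/dev/null
  openssl req -new -key example.key -subj '/CN=dlp.example.test' -out example.csr
  # Stand-in for the CA: self-sign the CSR so the demo runs offline.
  openssl x509 -req -in example.csr -signkey example.key -days 1 \
    -out signed.crt 2>/dev/null
  build_p12 example.key signed.crt new.p12 && check_p12 new.p12 example.key &&
    echo "new.p12 verified, mode $(ls -l new.p12 | cut -c1-10)"
)
demo
```

On the appliance, run build_p12 and check_p12 against the real example.key and the certificate returned by the CA, with P12_PASS exported as the value you will place after keystorePass in server.xml.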