Unable to get signed cert to work on Security Analytics

Article ID: 169319

Products

Security Analytics

Issue/Introduction

After following the steps in the Web Admin guide to update the server certificate with a signed certificate, the GUI will not accept the new certificate.  It does not give an error, but after clicking Save, the old certificate is still in place.  Following the CLI steps does not work either.  Restarting the httpd service also does not make a difference.  

Cause

The /etc/httpd/conf.d/ssl.conf file was pointing to the wrong certificate and key files.  A snippet of the conf file showed the following:

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/solera.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/solera.key


solera.crt and solera.key are deprecated files that should not be used in the latest versions of Security Analytics.

Resolution

Modify the ssl.conf file and make sure the correct paths to the crt and key files are listed.  They should look as follows:

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key


Make sure you restart the web server by running service httpd restart after making the modification.
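
The check below is an added example, not part of the original article or of the product: it reads the active (uncommented) SSLCertificateFile and SSLCertificateKeyFile directives from an ssl.conf and flags any that still reference the deprecated solera files. The function names and the sample configs are constructed for illustration; the expected paths are the ones given in the Resolution above.

```shell
#!/bin/sh
# Added example. Expected paths are the ones given in the Resolution section.
EXPECTED_CRT=/etc/pki/tls/certs/localhost.crt
EXPECTED_KEY=/etc/pki/tls/private/localhost.key

# Print the value of every active (uncommented) occurrence of a directive.
# Apache directive names are case-insensitive; quoted values are unquoted.
active_values() {  # $1 = directive name, $2 = config file
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2 }' "$2"
}

# Compare each active value of one directive against the expected path.
check_directive() {  # $1 = directive, $2 = expected path, $3 = config file
    vals=$(active_values "$1" "$3")
    [ -n "$vals" ] || { echo "MISSING: no active $1"; return 1; }
    rc=0
    for p in $vals; do
        case "$p" in
            "$2")       echo "OK: $1 $p" ;;
            */solera.*) echo "DEPRECATED: $1 $p"; rc=1 ;;
            *)          echo "UNEXPECTED: $1 $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 only when both directives use the expected files.
check_ssl_conf() {  # $1 = path to ssl.conf
    status=0
    check_directive SSLCertificateFile "$EXPECTED_CRT" "$1" || status=1
    check_directive SSLCertificateKeyFile "$EXPECTED_KEY" "$1" || status=1
    return $status
}

# Constructed sample input: a minimal ssl.conf using the given base name.
write_sample() {  # $1 = base name (solera or localhost), $2 = output file
    printf '%s\n' \
        '#SSLCertificateFile /etc/pki/tls/certs/commented-out.crt' \
        "SSLCertificateFile /etc/pki/tls/certs/$1.crt" \
        "SSLCertificateKeyFile /etc/pki/tls/private/$1.key" > "$2"
}

tmp=$(mktemp -d)
write_sample solera "$tmp/before.conf"
write_sample localhost "$tmp/after.conf"
check_ssl_conf "$tmp/before.conf" || echo "before.conf: needs the fix"
check_ssl_conf "$tmp/after.conf" && echo "after.conf: matches the article"
```

On the appliance, call check_ssl_conf /etc/httpd/conf.d/ssl.conf before restarting httpd; a non-zero return means a directive still points somewhere other than the localhost files.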