Create a signed certificate for the management interface in Management Center (MC)

Article ID: 170702

Products

Symantec Products

Issue/Introduction

Management Center (MC) uses a self-signed certificate on the management web interface by default. If you wish to use a CA-signed certificate instead, the key pair and the Certificate Signing Request (CSR) must be created off the box, because MC cannot generate them itself.

With the self-signed certificate, the browser shows an error complaining about the untrusted certificate.

Note: the commands presented in this article apply to version 1.11.x or below. For Management Center running version 2.x or above, please see Article 184735.


Cause

All browsers ship with a certificate trust store containing the public root Certificate Authorities (CAs). Because the MC certificate is self-signed, it is not trusted by that store; the customer can eliminate the browser warning by installing a certificate signed by a CA the browser (or the organization) already trusts.

Resolution

1. Create the private key in OpenSSL: openssl genrsa -out mc.key 2048
2. Create the Certificate Signing Request (CSR) in OpenSSL: openssl req -new -sha256 -key mc.key -out mc.lab.local.csr
3. The Common Name (CN) field must match either the FQDN or the IP address of the MC, depending on how you are going to access it.
4. Sign with the internal CA and add the Subject Alternative Name (SAN) for Chrome support (see TECH246317). If you do not add the SAN, Chrome will fail the certificate check.
5. An even easier option, if the CA is a Microsoft CA, is to simply add the SAN string in the attribute box during Web Enrollment, as described by Microsoft.
6. Take the signed certificate and mc.key and create a .pfx: openssl pkcs12 -inkey mc.key -in mc.lab.local.crt -export -out mc.lab.local.pfx
7. Import the cert into MC: security ssl import server-certificate ftp://x.x.x.x/path/certificate.pfx (supported schemes include ftp, scp, http and https)
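The following script is an added example and is not part of this article or of the Management Center product. It carries steps 1 through 6 through in one place with OpenSSL: the key, a CSR that already carries the SAN (so the CA can copy it and Chrome is satisfied), the signed certificate, the .pfx, and a pre-import check that the SAN and CN match the name the MC will be reached by. The hostname mc.lab.local and the address 10.91.17.106 are the article's own sample values; the throwaway "lab.local root CA", the file name mc_cert.sh, the .pfx password and the function names are assumptions of this example, and the local CA only stands in for the customer's internal CA (step 4) so that the script runs offline.

```shell
#!/bin/sh
# Added example: off-box key, SAN-bearing CSR, signed cert and .pfx for the
# MC management interface. Not the article's or Symantec's own code.
# Assumptions: WORK dir, MC_FQDN/MC_IP (article sample values), a throwaway
# CA standing in for the internal CA, and the file name mc_cert.sh.

WORK="${WORK:-$(mktemp -d)}"
MC_FQDN="${MC_FQDN:-mc.lab.local}"
MC_IP="${MC_IP:-10.91.17.106}"    # sample IP from the article's output
PFX_PASS="${PFX_PASS:-changeit}"  # constructed; MC prompts for it on import

# Steps 1-3: private key plus a CSR whose CN and SAN both name the MC.
# Chrome ignores the CN and checks only the SAN, so both are set here.
mc_make_csr() {
    cat > "$WORK/mc.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $MC_FQDN
O = Blue Coat Management Center
[san]
subjectAltName = DNS:$MC_FQDN, IP:$MC_IP
EOF
    openssl genrsa -out "$WORK/mc.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/mc.key" -config "$WORK/mc.cnf" \
        -out "$WORK/$MC_FQDN.csr"
}

# Step 4 stand-in: a throwaway CA signs the CSR and writes the SAN, EKU and
# key-usage extensions the MC transcript shows. Use the real internal CA here.
mc_sign_with_lab_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca
prompt = no
[dn]
CN = lab.local root CA
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" \
        -out "$WORK/lab.local.cer" 2>/dev/null
    cat > "$WORK/server_ext.cnf" <<EOF
subjectAltName = DNS:$MC_FQDN, IP:$MC_IP
extendedKeyUsage = serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    openssl x509 -req -sha256 -days 365 -in "$WORK/$MC_FQDN.csr" \
        -CA "$WORK/lab.local.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server_ext.cnf" -out "$WORK/$MC_FQDN.crt" 2>/dev/null
}

# Step 6: bundle key and signed certificate into the .pfx that MC imports.
mc_make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/mc.key" -in "$WORK/$MC_FQDN.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/$MC_FQDN.pfx"
}

# Pre-import check: CN and SAN name the MC, the cert chains to the CA that
# will be imported as the external certificate, and the .pfx opens.
mc_check_cert() {
    openssl x509 -in "$WORK/$MC_FQDN.crt" -noout -subject | grep -q "$MC_FQDN" || return 1
    openssl x509 -in "$WORK/$MC_FQDN.crt" -noout -text | grep -q "DNS:$MC_FQDN" || return 1
    openssl verify -CAfile "$WORK/lab.local.cer" "$WORK/$MC_FQDN.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$WORK/$MC_FQDN.pfx" -passin "pass:$PFX_PASS" -nokeys -noout 2>/dev/null
}

# Run the whole pipeline when executed as mc_cert.sh (skipped when sourced).
if [ "${0##*/}" = "mc_cert.sh" ]; then
    mc_make_csr && mc_sign_with_lab_ca && mc_make_pfx && mc_check_cert \
        && echo "ready for import: $WORK/$MC_FQDN.pfx (CA: $WORK/lab.local.cer)"
fi
```

The .pfx produced is what step 7 uploads, and lab.local.cer is what step 9 imports as the external (root) certificate; running mc_check_cert before the upload catches the two mistakes the article warns about, a CN that does not match the access name and a missing SAN, while the files are still on the workstation.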

Enter server username (optional): admin
Enter server password:
Downloading certificate...
220 Microsoft FTP Service
331 Password required for admin.
230 User logged in.
257 "/" is current directory.
250 CWD command successful.
229 Entering Extended Passive Mode (|||58051|)
200 Type set to I.
213 3005
125 Data connection already open; Transfer starting.
226 Transfer complete.
Enter the certificate's password:
Inspecting certificate file...

Please verify this is the correct certificate to import:

------------------Output omitted for brevity--------------
Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62   00 53 00 65 00 72 00 76  ...W.e.b.S.e.r.v
0010: 00 65 00 72                                        .e.r

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: mc.lab.local
  DNSName: mc.lab.local
]

------------------Output omitted for brevity--------------

Are you sure you want to import this certificate and make it the
appliance's SSL certificate? [y/N]
Importing certificate...
Certificate imported.


8. Verify that the certificate is present:

Management Center# security ssl view server-certificate

Name: defaultcertkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=10.91.17.106, OU=0801418817, O=Blue Coat Management Center
Issuer: CN=10.91.17.106, OU=0801418817, O=Blue Coat Management Center
Serial number: ea3014fd27d456cb
Valid from: Thu Dec 28 15:22:20 UTC 2017 until: Sat Dec 28 15:22:20 UTC 2019

Certificate fingerprints:
         MD5:  4C:B0:41:11:50:9E:F7:76:A1:9D:7D:E3:45:F4:4F:A2
         SHA1: E4:09:42:AC:DB:C2:AE:6F:F0:5E:92:09:36:40:4A:8D:48:7F:52:F1
         SHA256: 94:8F:43:20:05:24:00:4C:4B:66:2B:2F:53:AB:A7:3E:C2:76:6D:39:54:54:E0:69:E0:38:9B:94:BB:0E:E5:49
         Signature algorithm name: SHA256withRSA
         Version: 3
Management Center#

9. Add the Root CA that signed it:

Management Center# security ssl import external-certificate lab.local.cer ftp://
Enter server username (optional): admin
Enter server password:
Downloading certificate...
220 Microsoft FTP Service
331 Password required for admin.
230 User logged in.
257 "/" is current directory.
250 CWD command successful.
229 Entering Extended Passive Mode (|||56109|)
200 Type set to I.
213 1261
125 Data connection already open; Transfer starting.
226 Transfer complete.
Inspecting certificate file...

Please verify this is the correct certificate to import:

------------------Output omitted for brevity--------------


Are you sure you want to import this as a trusted certificate? [y/N]
Importing certificate...
Certificate imported.

10. Restart the web-management service: Management Center# restart services

NOTE: the imported certificate is not listed by the command below (only defaultcertkey is shown), but it is in place; confirm this by browsing to the MC and checking the certificate the browser presents.

Management Center# security ssl list server-certificates

The following server certificates have been installed:

defaultcertkey


11. Verify that the server and external (root) certificates have been imported.

Management Center# security ssl list external-certificates all

Use space bar to show more.
