NFA HTTPS: How to generate and apply signed certificates manually
Article ID: 278395

Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

This document walks through the recommended way to generate a signed certificate and apply it manually to the Network Flow Analysis component of DX NetOps.

ApplyHTTPS 23.3.8+ can perform all of the steps below automatically using options 5 and 6.

Environment

Windows Server 2012+
NFA 9.3.3+

Resolution

  1. Open a command prompt as an administrator on the NFA Console Server, in a folder called certs in the root of your application drive. The examples below use the 'D' drive.

  2. Generate a keystore file using Java Keytool:

    D:/CA/NFA/jre/bin/keytool -genkey -alias nfa -storetype PKCS12 -keyalg RSA -keystore D:/CA/NFA/certs/keystore.pfx -keysize 2048

    (When prompted for your first and last name, enter the DNS name/FQDN of the server. The examples below use 'changeit' as the keystore password.)

  3. Generate a CSR (Certificate Signing Request) using Java Keytool, substituting your own Subject Alternative Name values for the ones below:

    D:/CA/NFA/jre/bin/keytool -certreq -keystore D:/CA/NFA/certs/keystore.pfx -storepass changeit -ext SAN=dns:yourHost.yourDomain.net,dns:yourHostname -alias nfa -file D:/CA/NFA/certs/nfaCertRequest.csr

  4. Provide the nfaCertRequest.csr file to your certificate / security team.

  5. Download the signed certificate from your security team. Also ask them for, or download, the full certificate chain, which includes the root and all intermediate certificates.

    They should give you:
    1 x signed server certificate file with a .PEM/.CRT/.CER extension.
    1 x root certificate with a .PEM/.CRT/.CER extension.
    1 (or more) x intermediate / issuing certificate with a .PEM/.CRT/.CER extension.

  6. Import the root certificate into your Java CACERTS truststore:

    D:/CA/NFA/jre/bin/keytool -importcert -keystore D:/CA/NFA/jre/lib/security/cacerts -storepass changeit -alias root -file D:/CA/NFA/certs/rootCert.pem

  7. Import the intermediate certificate into your Java CACERTS truststore:

    D:/CA/NFA/jre/bin/keytool -importcert -keystore D:/CA/NFA/jre/lib/security/cacerts -storepass changeit -alias int -file D:/CA/NFA/certs/intCert.pem

  8. Import the signed server certificate into the keystore created in step 2 (the -trustcacerts option lets keytool build the chain from the root and intermediate certificates imported into cacerts in steps 6 and 7):

    D:/CA/NFA/jre/bin/keytool -importcert -keystore D:/CA/NFA/certs/keystore.pfx -alias nfa -trustcacerts -file D:/CA/NFA/certs/signedNFAcert.pem -storepass changeit

  9. Open IIS and, in the left pane, select the server name under "Start Page".

  10. In the middle of the IIS window, search for and double-click the "Server Certificates" feature.

  11. In the right pane select "Import" and choose the D:/CA/NFA/certs/keystore.pfx file created in step 2. Enter the "changeit" password used when generating the keystore. Leave 'Personal Store' selected.

  12. Download the latest NFA: ApplyHTTPS Tool from the bottom of the linked document, then:

    1. Download or copy it to the NFA Console, extract it, and run ApplyHTTPS.exe as an administrator. Select option (4) and press Enter if you want to set up RIB/OData HTTPS. This requires the root and intermediate certificates to be installed in the NetOps Portal Java CACERTS truststore.
    2. Select option (1) for HTTPS.
    3. Select option (2) for the IIS option.
    4. Select option (1) for Personal Store (assuming that is where you imported the certificate).
    5. Select the correct certificate and let the tool run.

  13. If you want to go through the manual process of applying the certificates please see: NFA: Enable HTTPS on the Console

  14. Go to the NetOps Portal and select Administration > Data Sources > Data Sources and edit the NFA data source.

  15. If you selected option (4) in sub-step 1 of step 12, set both the data source and the web site to HTTPS/Port 443. Test and save the data source.

  16. Verify that the NFA website now loads by browsing to: https://NFAServerName
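As an added check for the files handled in steps 5 to 8 (an example script written for this article, not part of NFA or the ApplyHTTPS tool), the following PowerShell confirms on the NFA Console Server that the signed certificate was issued for the key in keystore.pfx, that its Subject Alternative Name lists the FQDN, and that the intermediate and root files form a complete chain. It assumes the paths, file names and the 'changeit' password used in the keytool commands above; the FQDN is the same placeholder as in step 3.

```powershell
# Added verification script (not part of the article or of ApplyHTTPS).
# Assumptions: file names/paths from the keytool commands above and the
# 'changeit' password chosen when the keystore was generated.
$certsDir = 'D:\CA\NFA\certs'
$fqdn     = 'yourHost.yourDomain.net'   # DNS name placed in the SAN in step 3
$storePw  = 'changeit'

$X509   = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$server = New-Object -TypeName $X509 -ArgumentList "$certsDir\signedNFAcert.pem"
$inter  = New-Object -TypeName $X509 -ArgumentList "$certsDir\intCert.pem"
$root   = New-Object -TypeName $X509 -ArgumentList "$certsDir\rootCert.pem"
$pfx    = New-Object -TypeName $X509 -ArgumentList "$certsDir\keystore.pfx", $storePw

# 1. The signed certificate must belong to the key that keytool -genkey created,
#    otherwise the -importcert in step 8 is rejected.
if ($pfx.GetPublicKeyString() -ne $server.GetPublicKeyString()) {
    throw 'signedNFAcert.pem was not issued for the key in keystore.pfx'
}

# 2. The SAN (OID 2.5.29.17) must list the name users browse to, or browsers warn.
$san = $server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($false) -notmatch [regex]::Escape($fqdn)) {
    throw "Subject Alternative Name does not list $fqdn"
}

# 3. server -> intermediate -> root must chain without gaps. The root is not yet
#    trusted by Windows at this point, so only signatures and validity are checked,
#    and revocation is skipped because this is an offline check of the files.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($inter) | Out-Null
$chain.ChainPolicy.ExtraStore.Add($root)  | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($server)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'intCert.pem / rootCert.pem do not chain to signedNFAcert.pem'
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    throw 'Chain does not end at rootCert.pem; an intermediate certificate may be missing'
}
Write-Host "OK: key matches keystore.pfx, SAN lists $fqdn, chain ends at rootCert.pem"
```

If the chain check fails, the warnings printed from ChainStatus name the certificate that is missing or expired, which is the usual reason the keytool import in step 8 or the browser test in step 16 fails.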