This document describes how to use private (internally signed) certificates with WCC.
Note:
Commercial Certificate Authorities (CAs) such as Verisign and Comodo no longer issue signed certificates for internal network names. A prerequisite for this procedure is therefore an internal CA that is already set up. Clients (e.g. web browsers) should have the root certificate and any intermediate certificates imported into their certificate stores.
Product: CA Workload Control Center, all supported versions
This scenario walks you through the process of requesting and using a privately signed certificate from a trusted certificate authority.
1. Log in to the WCC host as the WCC software owner (e.g. wcc)
2. Set the Java environment
On UNIX:
JAVA_HOME=$CA_WCC_INSTALL_LOCATION/jre; export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH; export PATH
On Windows:
set JAVA_HOME=%CA_WCC_INSTALL_LOCATION%\jre
set PATH=%JAVA_HOME%\bin;%PATH%
3. Change directory to the keystore location
On UNIX:
cd $CA_WCC_INSTALL_LOCATION/data/config
On Windows:
cd %CA_WCC_INSTALL_LOCATION%\data\config
4. Copy the existing .keystore file to a backup location.
Example:
On UNIX:
cp .keystore /var/tmp/
On Windows:
copy .keystore %TEMP%
5. Delete the existing key in the keystore
keytool -delete -alias tomcat -keystore .keystore -storepass changeit
6. Create a new key:
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<hostname>" -ext "san=dns:<hostname>" -validity <days>
where:
<hostname> is the fully qualified WCC hostname
<days> is the validity period of the certificate in days (e.g. 5475 = 15 years)
NOTE: the dname must contain the fully qualified hostname that your users type in the WCC URL. If users reach WCC through a DNS alias (CNAME), add it as a Subject Alternative Name, for example -ext san=dns:<CNAME>; multiple DNS values can be listed.
Example (the double quotes around SAN are needed):
keytool -genkey -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=wcc.example.com,O=Your Company Inc,L=San Jose,S=California,C=US" -ext "SAN=DNS:wcc.example.com,DNS:wccserver1.example.com,DNS:wccserver2.example.com" -validity 365
7. Create the certificate signing request (CSR)
keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr -ext "san=dns:<hostname>"
NOTE: when generating the CSR, some certificate administrators require additional attributes such as Subject Alternative Names, for example -ext san=dns:<CNAME> for a CNAME in DNS.
Example:
keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass changeit -file wcc.cert.req.csr -ext "SAN=DNS:wcc.example.com,DNS:wccserver1.example.com,DNS:wccserver2.example.com"
8. Have the certificate request signed by your internal CA
The internal CA will need to return the following in PEM format:
a. root certificate
b. any/all intermediate certificate(s)
c. the private (signed) certificate generated from the CSR
9. Import the root certificate. Enter ‘yes’ to trust the certificate.
keytool -importcert -alias RootCA -file <ca.cert.pem> -keystore .keystore -storepass changeit
<ca.cert.pem> is the root certificate received from the internal CA.
10. (Optional) Import any/all intermediate certificate(s)
keytool -importcert -alias IntermediateCA -file <intermediate.cert.pem> -keystore .keystore -storepass changeit
<intermediate.cert.pem> is the intermediate certificate received from the internal CA.
11. Import the private (signed) certificate
keytool -importcert -trustcacerts -file <wcc.cert.pem> -alias tomcat -keystore .keystore -storepass changeit
<wcc.cert.pem> is the private (signed) certificate received from the internal CA.
12. Restart WCC services
On UNIX:
unisrvcntr restart CA-wcc-services
On Windows:
Restart the CA-wcc-services service from the Microsoft Windows Services console.
IMPORTANT: Ensure that the root certificate and any intermediate certificates are imported into client (e.g. web browsers) certificate stores.
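Steps 4 to 7 as one script, with a check for the keystore after step 11, added here as an example that is not part of the original article: it builds the SAN argument for every hostname, refuses names that are not fully qualified, and fails unless the imported entry holds a CA-signed chain that lists every expected DNS name. The hostnames, the backup file suffix and the DAYS variable are assumptions; keystore path, alias and store password are the article's defaults.

```shell
#!/bin/sh
# Added example, not from the original article: wraps steps 4-7 so the SAN
# extension is spelled correctly for every hostname, then checks the keystore
# listing after step 11. Paths, alias and store password are the article's defaults.
set -eu
KEYSTORE="${KEYSTORE:-.keystore}"; ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeit}"   # the value the article's commands use

# Accept only fully qualified DNS names (the article's NOTE on the dname).
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Build the keytool argument, e.g. SAN=DNS:wcc.example.com,DNS:wccserver1.example.com
build_san() {
    san=""
    for h in "$@"; do
        is_fqdn "$h" || { echo "not an FQDN: $h" >&2; return 1; }
        san="${san:+$san,}DNS:$h"
    done
    printf 'SAN=%s' "$san"
}

# Steps 4-7: back up the keystore, drop the old key, create the key pair and CSR.
# The first argument is the CN; every argument (CN included) goes into the SAN.
request_cert() {
    san="$(build_san "$@")"
    cp "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -genkey -alias "$ALIAS" -keyalg RSA -keysize 2048 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "cn=$1" \
        -ext "$san" -validity "${DAYS:-365}"
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -file wcc.cert.req.csr -ext "$san"
    keytool -printcertreq -file wcc.cert.req.csr   # confirm the SAN before sending the CSR
}

# Given the text of `keytool -list -v -alias tomcat ...`, fail unless the entry
# holds a CA-signed chain (length > 1) whose SAN lists every expected hostname.
check_listing() {
    listing="$1"; shift
    printf '%s\n' "$listing" | grep -Eq 'Certificate chain length: [2-9]' || return 1
    for h in "$@"; do
        printf '%s\n' "$listing" | grep -Eq "DNSName: $h\$" || return 1
    done
}

# After step 11, for example:
# check_listing "$(keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS")" wcc.example.com
```

A chain length of 1 after step 11 means the CA reply was not imported on top of the self-signed key (usually a missing root or intermediate import in steps 9 and 10).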