
"Connection is not private" Error When Accessing WCC HTTPS URL from Chrome


Article ID: 8750


Products

CA Workload Automation AE - Business Agents (AutoSys)
CA Workload Automation AE - Scheduler (AutoSys)
Workload Automation Agent

Issue/Introduction

When attempting to access the WCC HTTPS URL from Chrome, an error is displayed saying "Your connection is not private" and "NET::ERR_CERT_COMMON_NAME_INVALID". After clicking "Advanced", the following details about the error are displayed...

 

 

Cause

The error in Chrome occurs when the certificate obtained from a trusted certificate authority and installed into the WCC keystore does not contain a subjectAlternativeName extension. Starting with Chrome 58, only the subjectAlternativeName extension, not commonName, is used to match the domain name and site certificate.

 

Environment

Release: ATSYHA99000-11.3.6-Workload Automation AE-High Availability Option

Resolution

To resolve this issue, the current certificate must be replaced with a new certificate obtained from a trusted certificate authority that contains a subjectAlternativeName extension. The following are procedures that can be used to make this change. All commands need to be run on the WCC server(s).

 

1. Generate a Private Key and Self-Signed Certificate

Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to delete the previous key...

UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -delete -alias tomcat -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit

Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -delete -alias tomcat -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore -storepass changeit

Note: The default name of the key is tomcat. To access the keystore, you also need the keystore password. The default password is changeit.


Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to generate a new key and self-signed certificate...

UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=WCC_SERVER_NAME" -ext san=dns:WCC_SERVER_NAME -validity 14600

Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=WCC_SERVER_NAME" -ext san=dns:WCC_SERVER_NAME -validity 14600

Notes:
The keysize argument lets you specify the key size. Typical values are 1024 or 2048.
WCC_SERVER_NAME is the name of your CA WCC server. This should match the name you use in the WCC URL to access the WCC GUI. If you use the FQDN in the URL, make sure to set WCC_SERVER_NAME to the FQDN as well.
The validity argument lets you specify the certificate validity period in days.


2. Request a Certificate

To use a certificate from a trusted certificate authority, create a certificate request file and send it to the certificate authority. The certificate authority will send you the certificate.

Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows):

UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -certreq -alias tomcat -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit -ext san=dns:WCC_SERVER_NAME -file certreq.csr

Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -certreq -alias tomcat -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore -storepass changeit -ext san=dns:WCC_SERVER_NAME -file certreq.csr

Make sure to use the same value for WCC_SERVER_NAME that you used in Step 1. 

A certificate request file (certreq.csr) is generated.
Send the certificate request file to the certificate authority. Contact the certificate authority for specific instructions.

Note: CA WCC uses certificates in PEM or DER format. When using the PEM format, the certificate must not contain any information before the BEGIN CERTIFICATE marker or after the END CERTIFICATE marker.


3. Add the Certificates to the Keystore

Add the certificates to the keystore after you receive your private certificate.

Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add the certificate of the root certificate authority to the keystore:

UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias RootCA -file RootCA.cer -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit

Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -alias RootCA -file RootCA.cer -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore -storepass changeit


(Optional) Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add a certificate of a subordinate authority to the keystore:

UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -alias SubCA -file SubCA.cer -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit

Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -alias SubCA -file SubCA.cer -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore -storepass changeit

Repeat this step for each certificate of the subordinate authority you have downloaded.


Run the following commands in a shell window (on UNIX) or from a command prompt (on Windows) to add your private certificate to the keystore:

UNIX:
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit

Windows:
%CA_WCC_INSTALL_LOCATION%\jre\bin\keytool -importcert -trustcacerts -file certificate.cer -alias tomcat -keystore %CA_WCC_INSTALL_LOCATION%\data\config\.keystore -storepass changeit

Restart CA WCC Services
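
A check for the imported certificate, as an added example that is not part of the original article: the function reads keytool -list -v output and succeeds only when a SubjectAlternativeName DNSName entry covers the host name used in the WCC URL, ignoring the common name as Chrome 58 and later do. The sample outputs and the host name wcc.example.test are constructed, and the wildcard handling goes beyond the single-name case the article describes.

```shell
#!/bin/sh
# Added example (not from the vendor article): read the text printed by
#   keytool -list -v -alias tomcat -keystore <keystore>
# on standard input and succeed only if a SubjectAlternativeName DNSName
# entry covers the host name given as $1. The CN in "Owner:" is ignored.
san_covers_host() {
    awk -v host="$1" '
        BEGIN { host = tolower(host); found = 0 }
        /SubjectAlternativeName \[/ { in_san = 1; next }
        in_san && /^[ \t]*\]/       { in_san = 0; next }
        in_san && /DNSName:/ {
            name = $0
            sub(/^.*DNSName:[ \t]*/, "", name)
            sub(/[ \t\r]+$/, "", name)
            name = tolower(name)
            if (name == host) {
                found = 1
            } else if (substr(name, 1, 2) == "*.") {
                # a wildcard covers exactly one left-most label
                dot = index(host, ".")
                if (dot > 1 && substr(host, dot) == substr(name, 2)) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample output: certificate with a common name but no SAN.
sample_cn_only() {
    printf '%s\n' 'Alias name: tomcat' 'Entry type: PrivateKeyEntry' \
        'Owner: CN=wcc.example.test' 'Issuer: CN=Example Issuing CA'
}

# Constructed sample output: same certificate reissued with a SAN extension.
sample_with_san() {
    sample_cn_only
    printf '%s\n' 'Extensions:' '' '#1: ObjectId: 2.5.29.17 Criticality=false' \
        'SubjectAlternativeName [' '  DNSName: wcc.example.test' ']'
}

for sample in sample_cn_only sample_with_san; do
    if "$sample" | san_covers_host wcc.example.test; then
        echo "$sample: SAN covers wcc.example.test"
    else
        echo "$sample: no matching SAN entry (NET::ERR_CERT_COMMON_NAME_INVALID in Chrome 58+)"
    fi
done
```

Against a real keystore, pipe the keytool -list -v output for the tomcat alias into san_covers_host together with the exact name typed in the WCC URL; a short name and an FQDN are different names for this check.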
