IMPORTANT: Before you begin this process, you must install and configure the OpenSSL toolkit. Installation and configuration of the toolkit ensures that all required libraries and configuration files for OpenSSL are in place before you begin this process:
- Download and install the OpenSSL toolkit from: https://slproweb.com/products/Win32OpenSSL.html
NOTE: Download the file Win64 OpenSSL v1.0.2p. Only install this file if you are a software developer needing 64-bit OpenSSL for Windows, and only on 64-bit versions of Windows.
- Extract and install Win64 OpenSSL v1.0.2p.
NOTE: For additional information about obtaining the OpenSSL toolkit, see http://www.openssl.org/.
- Create the following folder: c:\ssl\keys
- Navigate to C:\OpenSSL–Win64\bin\ and run openssl.exe.
Obtain a custom SSL certificate for use with ePO:
- Create a new private key using OpenSSL with 2048-bit strength and encrypted using des3:
openssl> genrsa -des3 -out c:\ssl\keys\mcafee.key 2048
- Generate the Certificate Signing Request (CSR) file:
openssl> req -new -sha256 -key c:\ssl\keys\mcafee.key -out c:\ssl\keys\mcafee.csr
If you receive an error about a missing openssl.cnf file that is similar to "Unable to open config info openssl.cnf," adjust the command to specify the path to the openssl.cnf file from the ePO installation. For example:
openssl> req -new -key c:\ssl\keys\mcafee.key -out c:\ssl\keys\mcafee.csr -config "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\Conf\openssl.cnf"
NOTE: You are required to answer the prompts to generate the CSR. See the example below. Ensure that the CN attribute has the name of the ePO server for which you intend to have the certificate generated by the CA.
Example:
EPOSRV is the system name of the ePO server, which is specified as the Common Name in the prompt below:
Enter passphrase for the mcafee.key: You are about to be asked to enter information that is incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields, there is a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Beaverton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Inc.
Organizational Unit Name (eg, section) []:Tech. Support
Common Name (eg, YOUR name) []:EPOSRV
Email Address []:support@xyz.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
NOTE: To create a CSR for use with Chrome that requires subject alternate names, you need to first create a configuration file. Create a file named sancert.cnf with the following information and save it to the C:\OpenSSL-Win64\bin directory or where openssl is installed:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (US)
stateOrProvinceName = State or Province Name (TX)
localityName = Locality Name (CITY)
organizationName = Organization Name (COMPANYNAME)
commonName = Common Name (e.g. server FQDN)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns1.com
DNS.2 = dns2.com (optional)
DNS.3 = dns3.com (optional)
NOTE: The first entry, DNS.1, is what the cert is issued to. For example, if you want the cert issued to the NETBIOS name of the system, enter only the NETBIOS name in the DNS.1 field.
To create the CSR with the subj alt names, run the following command:
openssl req -key c:\ssl\keys\mcafee.key -config sancert.cnf -new -subj "/" -out c:\ssl\keys\mcafee.csr
- To obtain the server certificate, submit the CSR to your third-party CA or Enterprise CA.
The custom SSL certificate can be certified by an ECA (a domain CA in Windows), or a third-party CA, such as Verisign or Entrust. The third-party CA might provide a single certificate file (.cer) or, sometimes, provide more than one certificate file (.crt). For example, one root certificate file representing the root certificate, one certificate file for an intermediate certificate, and finally the server certificate itself.
These three certificate files (.crt) can be combined into the proper format for ePO to use with the following steps. But, if the CA can provide the certificate in PKCS#7 format, no further conversion is needed. The resulting .cer file can be supplied to ePO, although you might need to rename the file to .p7b first.
- To use the custom SSL certificate with ePO and have it present the entire certificate chain, combine the .crt files and export them as a .p7b file. Use the Export Certificate wizard in Windows or OpenSSL for Windows/Linux:
openssl> crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt -certfile cert3.crt -out outfile.p7b
NOTE: The preceding command creates a certificate chain file from the cert1.crt, cert2.crt, and cert3.crt files called outfile.p7b. The p7b file contains the entire certificate chain, which can now be supplied to ePO.
- Create an unencrypted version of the private key to be used for inputting to ePO:
openssl> rsa -in mcafee.key -out unsecured.mcafee.key
- Use the certificate chain and the private key file to update the ePO certificate:
NOTE: Ensure that the CA is trusted by your Enterprise CA and is added in the Trusted Root Certification Authorities list. Addition to this list is required so that the certificate presented by the browser is recognized as Trusted. For more details, see your operating system documentation.
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Click Server Certificate under Setting Categories, and then click Edit.
- Select Use the provided certificate and private key.
- Click Browse in the Certificate (P7B, PEM) field, navigate to and select the certificate file (.p7b), and then click Open.
- Click Browse in the Private key (PEM) field, navigate to and select the private key file (unsecured.mcafee.key in this case), and then click Open.
- Click Save.
- Press Windows+R, type services.msc, and click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
