IMPORTANT: Before you begin this process, you must install and configure the
OpenSSL toolkit. Installation and configuration of the toolkit makes sure that all needed libraries and configuration files for OpenSSL are in place.
- Download and install the OpenSSL toolkit from https://slproweb.com/products/Win32OpenSSL.html.
- Extract and install the version you downloaded based on your platform (32-bit or 64-bit).
NOTE: For additional information about obtaining the OpenSSL toolkit, see http://www.openssl.org/.
- Create the following folder: c:\ssl\keys
- Navigate to C:\OpenSSL–Win64\bin\, and run openssl.exe.
Obtain a custom SSL certificate for use with ePO:
- Create a new private key using OpenSSL with 2048-bit strength and encrypted using des3:
openssl> genrsa -des3 -out c:\ssl\keys\mcafee.key 2048
Make sure to save a copy of the encrypted '.key' file. You need the key to create an unencrypted version of it in Step 5 below for importing into ePO.
- Later versions of Chrome and Edge require a certificate with subject alt names field populated. To create a Certificate Signing Request (CSR) for use with Chrome or Microsoft Edge, you need to first create a configuration file.
- Create a file named sancert.cnf with the following information. Then, save it to the C:\OpenSSL-Win64\bin folder, or where OpenSSL is installed, as long as it is in the bin folder.
- Do not change anything in the [req] section below.
- Substitute information when needed in the [dn] and [alt_names] sections
Example
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C=US
ST=State name (note: use full state name instead of abbreviation)
L=City
O=Organization name
OU=Domain name
CN=fqdn of server name
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns1
DNS.2 = dns2.com (optional)
DNS.3 = dns3.com (optional)
- The command below creates the CSR with the CN (Common Name), which then refers to the sancert.cnf to add the Subject Alternative Name.
Run the command, substituting correct values within the quotation marks.
NOTE: The CN= value is what the certificate is issued to, whether it is the FQDN or NETBIOS name of the server. If ePO is clustered, use the virtual cluster name. Those values are entered into the subject field of the certificate.
openssl req -key c:\ssl\keys\mcafee.key -config sancert.cnf -new -subj "/C=US/ST=state/L=city/O=OrgName/OU=domain.com/CN=servername.domain.com" -out c:\ssl\keys\mcafee.csr
- To obtain the server certificate, submit the CSR to your third-party CA or Enterprise CA.
A custom SSL certificate can be certified using either:
- An ECA (a domain CA in Windows)
On the domain controller CA server, open command prompt as administrator and run the command below. This command forces it to use the web server template that generates the server certificate.
certreq -submit -attrib "CertificateTemplate: WebServerV2" c:\ssl\keys\mcafee.csr
Click OK when the dialog box comes up for the LDAP server. Then, save the (.cer) to a location of your choice. A (.cer) file is created that contains the root CA certificate, and the ePO certificate.
- A third-party CA, such as Verisign or Entrust
The third-party CA might provide a single certificate file (.cer), or sometimes provide more than one certificate file (.crt). The certificate obtained contains at a minimum the CA root certificate and the server certificate.
For example:
- One root certificate file representing the root certificate
- One certificate file for an intermediate certificate
- The server certificate itself
The three certificate files (.crt) are combined into the correct format for ePO to use with the following steps. But, if the CA can provide the certificate in PKCS#7 format, it does not need further conversion. You can supply the resulting (.cer) file to ePO.
If you received separate.crt files, follow the steps below to combine the (.crt) files:
- Use the Export Certificate wizard in Windows, or use OpenSSL for Windows or Linux using the command below:
openssl> crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt -certfile cert3.crt -out outfile.p7b
NOTE: The command creates a certificate chain file from the 'cert1.crt, cert2.crt, cert3.crt' files called outfile.p7b. The p7b file contains the entire certificate chain, which can now be supplied to ePO. The order of the chain must have the root certificate first, then the intermediate (if it exists), followed by the ePO certificate.
- Using the OpenSSL toolkit and the encrypted '.key' file from Step 1, create an unencrypted version of the private key, to be used for inputting into ePO:
openssl> rsa -in c:\ssl\keys\mcafee.key -out c:\ssl\keys\unsecured.mcafee.pem
- Use the new certificate and the private key file to update the ePO certificate:
NOTE: So that the CA trusted with your Enterprise CA is added in the Trusted Root Certification Authorities list. In addition to this list, the browser certificate presented needs to be recognized as Trusted. For more details, see your operating system documentation.
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Click Server Certificate under Setting Categories, and then click Edit.
- Select Use the provided certificate and private key.
- Click Browse in the Certificate (P7B, PEM) field, locate and select the certificate file (.p7b or .cer), then click Open.
- Click Browse in the Private key (PEM) field.
- Navigate to and select the private key file (unsecured.mcafee.pem in this case), and then click Open.
- Click Save.
- Press Windows+R, type services.msc, and then click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
- Close the services window.
-
