How to generate a custom SSL certificate for use with ePolicy Orchestrator using the OpenSSL toolkit
Technical Articles ID:
KB72477
Last Modified: 9/25/2018
Rated:
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Summary
You can use a custom SSL certificate instead of the default self-signed certificate when a browser, such as Internet Explorer (IE) or Firefox, authenticates with the ePO server.
This article describes one way to create a custom SSL certificate that is signed by a third-party Certificate Authority (CA), such as Verisign.
NOTE: The ePO platform provides the technical mechanism to support the integration of third-party certificates, but the generation, validation, or troubleshooting of third-party certificates is not supported.
Solution
IMPORTANT: Before you begin this process, you must install and configure the OpenSSL toolkit. Installation and configuration of the toolkit ensures that all required libraries and configuration files for OpenSSL are in place before you begin this process:
- Download and install the OpenSSL toolkit from:
https://slproweb.com/products/Win32OpenSSL.html
NOTE: Download the file Win64 OpenSSL v1.0.2p. Only install this file if you are a software developer needing 64-bit OpenSSL for Windows, and only on 64-bit versions of Windows.
- Extract and install Win64 OpenSSL v1.0.2p. For additional information about obtaining the OpenSSL toolkit, see http://www.openssl.org/.
- Create the following folder:
c:\ssl\keys
- Navigate to C:\OpenSSL–Win64\bin\ and run openssl.exe.
To obtain a custom SSL certificate for use with ePO:
- Create a new private key using OpenSSL with 2048-bit strength and encrypted using des3:
openssl> genrsa -des3 -out c:\ssl\keys\mcafee.key 2048
- Generate the Certificate Signing Request (CSR) file:
openssl> req -new -sha256 -key c:\ssl\keys\mcafee.key -out c:\ssl\keys\mcafee.csr
If you receive an error about a missing openssl.cnf file that is similar to "Unable to open config info openssl.cnf," you must adjust the command to specify the path to the openssl.cnf file from the ePO installation. For example:
openssl> req -new -key c:\ssl\keys\mcafee.key -out c:\ssl\keys\mcafee.csr -config "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\Conf\openssl.cnf"
NOTE: You will be required to answer the prompts to generate the CSR. See the example below. Ensure the CN attribute has the name of the ePO server for which you intend to have the certificate generated by the CA.
Example: EPOSRV is the system name of the ePO server, which is specified as the Common Name in the prompt below:
Enter pass phrase for the mcafee.key: You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Beaverton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Inc.
Organizational Unit Name (eg, section) []:Tech. Support
Common Name (eg, YOUR name) []:EPOSRV
Email Address []:support@xyz.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
- Submit the CSR to your third-party CA or Enterprise CA to obtain the server certificate.
The custom SSL certificate can be certified by an ECA (a domain CA in Windows), or a third-party CA, such as Verisign or Entrust. The third-party CA might provide a single certificate file (.cer) or, in some cases, provide more than one certificate file (.crt). For example, one root certificate file representing the root certificate, one certificate file for an intermediate certificate, and finally the server certificate itself.
These three certificate files (.crt) can be combined into the proper format for ePO to use with the following steps. But, if the CA can provide the certificate in PKCS#7 format, no further conversion is needed. The resulting .cer file can be supplied to ePO, although you might need to rename the file to .p7b first.
- To use the custom SSL certificate with ePO and have it present the entire certificate chain, combine the .crt files and export them as a .p7b file. Use the Export Certificate wizard in Windows or OpenSSL for Windows/Linux:
openssl> crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt -certfile cert3.crt -out outfile.p7b
NOTE: The preceding command creates a new certificate chain file from the cert1.crt, cert2.crt, and cert3.crt files called outfile.p7b. The p7b file contains the entire certificate chain, which can now be supplied to ePO.
- Create an unencrypted version of the private key to be used for inputting to ePO:
openssl> rsa -in mcafee.key -out unsecured.mcafee.key
- Use the certificate chain and the private key file to update the ePO certificate:
NOTE: Ensure that the CA is trusted by your Enterprise CA and is added in the Trusted Root Certification Authorities list. Addition to this list is required so that the certificate presented by the browser is recognized as Trusted. For more details about how to achieve this, see your operating system documentation.
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Click Server Certificate under Setting Categories, and then click Edit.
- Select Use the provided certificate and private key.
- Click Browse in the Certificate (P7B, PEM) field, navigate to and select the certificate file (.p7b), and then click Open.
- Click Browse in the Private key (PEM) field, navigate to and select the private key file (unsecured.mcafee.key in our case), and then click Open.
- Click Save.
- Press Windows+R, type services.msc, and click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
Solution
If the application of the custom SSL certificate fails or needs to be rolled back:
- Navigate to <ePO installation directory>\Server\keystore\.
- Locate the following files:
- server.keystore
- server.keystore.backup<date string>
- Rename server.keystore to server.keystore.bad.
- Rename server.keystore.backup<date string> to server.keystore.
- Press Windows+R, type services.msc, and click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
|
