IMPORTANT: Before you begin this process, you must install and configure the
OpenSSL toolkit. Installation and configuration of the toolkit ensures that all required libraries and configuration files for OpenSSL are in place.
- Download and install the OpenSSL toolkit from https://slproweb.com/products/Win32OpenSSL.html.
NOTE: Download the file Win64 OpenSSL v1.0.2p. Install this file only if you are a software developer who needs 64-bit OpenSSL for Windows, and only on 64-bit versions of Windows.
- Extract and install Win64 OpenSSL v1.0.2p.
NOTE: For additional information about obtaining the OpenSSL toolkit, see http://www.openssl.org/.
- Create the following folder: c:\ssl\keys
- Navigate to C:\OpenSSL–Win64\bin\ and run openssl.exe.
Obtain a custom SSL certificate for use with ePO:
- Create a new private key using OpenSSL with 2048-bit strength and encrypted using des3:
openssl> genrsa -des3 -out c:\ssl\keys\mcafee.key 2048
- Generate the Certificate Signing Request (CSR) file:
openssl> req -new -sha256 -key c:\ssl\keys\mcafee.key -out c:\ssl\keys\mcafee.csr
If you receive an error about a missing openssl.cnf file that is similar to "Unable to open config info openssl.cnf," adjust the command to specify the path to the openssl.cnf file from the ePO installation. For example:
openssl> req -new -key c:\ssl\keys\mcafee.key -out c:\ssl\keys\mcafee.csr -config "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\Conf\openssl.cnf"
NOTE: You must answer the prompts to generate the CSR. See the example below. Make sure that the CN attribute has the name of the ePO server for the certificate generated by the CA.
Example:
EPOSRV is the system name of the ePO server, which is specified as the Common Name in the prompt below:
Enter passphrase for the mcafee.key: You are about to be asked to enter information that is incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields, there is a default value,
If you enter '.', the field is left blank.
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Beaverton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Inc.
Organizational Unit Name (eg, section) []:Tech. Support
Common Name (eg, YOUR name) []:EPOSRV
Email Address []:support@xyz.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:
NOTE: To create a CSR for use with Chrome that requires subject alternate names, you need to first create a configuration file. Create a file named
sancert.cnf with the following information and save it to the
C:\OpenSSL-Win64\bin directory or where OpenSSL is installed:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[req_distinguished_name]
C=US
ST=State name (note: use full state name instead of abbreviation)
L=City
O=Organization name
OU=Domain name
CN=fqdn of server name
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns1
DNS.2 = dns2.com (optional)
DNS.3 = dns3.com (optional)
NOTE: The first entry, DNS.1, is what the cert is issued to. For example, if you want the cert issued to the NETBIOS name of the system, enter only the NETBIOS name in the DNS.1 field.
To create the CSR with the
subj alt names, run the following command:
openssl req -key c:\ssl\keys\mcafee.key -config sancert.cnf -new -subj "/C=US/ST=state/L=city/O=OrgName/OU=domain.com/CN=servername.domain.com" -out c:\ssl\keys\mcafee.csr
- To obtain the server certificate, submit the CSR to your third-party CA or Enterprise CA.
A custom SSL certificate can be certified using either:
- An ECA (a domain CA in Windows)
If you receive any errors regarding templates, run the command line below. This command forces it to use the web server template that generates the server certificate.
certreq -submit -attrib "CertificateTemplate: WebServerV2" c:\ssl\keys\mcafee.csr
- A third-party CA, such as Verisign or Entrust
The third-party CA might provide a single certificate file (.cer) or, sometimes, provide more than one certificate file (.crt).
For example:
- One root certificate file representing the root certificate
- One certificate file for an intermediate certificate
- The server certificate itself
These three certificate files (
.crt) are combined into the proper format for ePO to use with the following steps. But, if the CA can provide the certificate in
PKCS#7 format, it does not need further conversion. You can supply the resulting (
.cer) file to ePO. But, you might need to rename the file to
.p7b.
- To use the custom SSL certificate with ePO and have it present the entire certificate chain:
- Combine the (.crt) files
- Export them as a (.p7b) file
- Use the Export Certificate wizard in Windows or use OpenSSL for Windows/Linux using the command below:
openssl> crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt -certfile cert3.crt -out outfile.p7b
NOTE: This command creates a certificate chain file from the cert1.crt, cert2.crt, and cert3.crt files called outfile.p7b. The p7b file contains the entire certificate chain, which can now be supplied to ePO.
- Create an unencrypted version of the private key to be used for inputting to ePO:
openssl> rsa -in mcafee.key -out unsecured.mcafee.key
- Use the certificate chain and the private key file to update the ePO certificate:
NOTE: Make sure that the CA trusted with your Enterprise CA is added in the Trusted Root Certification Authorities list. In addition to this list, the browser certificate presented needs to be recognized as Trusted. For more details, see your operating system documentation.
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Click Server Certificate under Setting Categories, and then click Edit.
- Select Use the provided certificate and private key.
- Click Browse in the Certificate (P7B, PEM) field, navigate to and select the certificate file (.p7b), and then click Open.
- Click Browse in the Private key (PEM) field.
- Navigate to and select the private key file (unsecured.mcafee.key in this case), and then click Open.
- Click Save.
- Press Windows+R, type services.msc, and then click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
