How to generate a custom SSL certificate for use with ePO using the OpenSSL toolkit
Technical Articles ID:
KB72477
Last Modified: 11/1/2021
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
Summary
You can use a custom SSL certificate instead of the default self-signed certificate when browsers authenticate with the ePO server. This article describes one way to create a custom SSL certificate signed by a third-party Certificate Authority (CA), such as Verisign.
IMPORTANT: The ePO platform provides the technical mechanism to support the integration of third-party certificates. But, the generation, validation, or troubleshooting of third-party certificates is not supported.
Solution
IMPORTANT: Before you begin this process, you must install and configure the OpenSSL toolkit. Installation and configuration of the toolkit makes sure that all needed libraries and configuration files for OpenSSL are in place:
- Download and install the OpenSSL toolkit.
- Extract and install the version you downloaded based on your platform (32-bit or 64-bit).
NOTE: For more information about obtaining the OpenSSL toolkit, see the OpenSSL site.
- Create the following folder: c:\ssl\keys
- Go to C:\OpenSSL–Win64\bin\, and run openssl.exe.
Obtain a custom SSL certificate for use with ePO:
- Create a new private key using OpenSSL with 2048-bit strength and encrypted using des3:
openssl> genrsa -des3 -out c:\ssl\keys\mcafee.key 2048
Make sure to save a copy of the encrypted .key file. You need the key to create an unencrypted version of it in step 5 below for importing into ePO.
- Later versions of Chrome and Edge require a certificate with subject alt names field populated. To create a Certificate Signing Request (CSR) for use with Chrome or Microsoft Edge, you need to first create a configuration file:
- Create a file named sancert.cnf with the following information. Then, save it to the C:\OpenSSL-Win64\bin folder, or where OpenSSL is installed, as long as it is in the bin folder.
- Don’t change anything in the [req] section below.
- Substitute information when needed in the [dn] and [alt_names] sections.
Example:
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C=US
ST=State name (note: use full state name instead of abbreviation)
L=City
O=Organization name
OU=Domain name
CN=fqdn of server name
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns1
DNS.2 = dns2.com (optional)
DNS.3 = dns3.com (optional)
- The command below creates the CSR with the CN (Common Name), which then refers to the sancert.cnf to add the Subject Alternative Name. Run the command, and substitute the correct values within the quotation marks.
NOTE: The CN= value is what the certificate is issued to, whether it is the FQDN or NETBIOS name of the server. If ePO is clustered, use the virtual cluster name. Those values are entered into the subject field of the certificate.
openssl req -key c:\ssl\keys\mcafee.key -config sancert.cnf -new -subj "/C=US/ST=state/L=city/O=OrgName/OU=domain.com/CN=servername.domain.com" -out c:\ssl\keys\mcafee.csr
- To obtain the server certificate, submit the CSR to your third-party CA or Enterprise CA.
A custom SSL certificate can be certified using either:
- An ECA (a domain CA in Windows)
On the domain controller CA server, open command prompt as administrator and run the command below. This command forces it to use the web server template that generates the server certificate.
certreq -submit -attrib "CertificateTemplate: WebServerV2" c:\ssl\keys\mcafee.csr
Click OK when the dialog box comes up for the LDAP server. Then, save the (.cer) to a location of your choice. A (.cer) file is created that contains the root CA certificate, and the ePO certificate.
- A third-party CA, such as Verisign or Entrust
The third-party CA might provide a single certificate file (.cer), or sometimes provide more than one certificate file (.crt). The certificate obtained contains at a minimum the CA root certificate and the server certificate.
For example:
- One root certificate file representing the root certificate
- One certificate file for an intermediate certificate
- The server certificate itself
The three certificate files (.crt) are combined into the correct format for ePO to use with the following steps. But, if the CA can provide the certificate in PKCS#7 format, it does not need further conversion. You can supply the resulting (.cer) file to ePO.
If you received separate .crt files, follow the steps below to combine the (.crt) files:
- Use the Export Certificate wizard in Windows, or use OpenSSL for Windows or Linux using the command below:
openssl> crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt -certfile cert3.crt -out outfile.p7b
NOTE: The command creates a certificate chain file from the 'cert1.crt, cert2.crt, cert3.crt' files called outfile.p7b. The p7b file contains the entire certificate chain, which can now be supplied to ePO. The order of the chain must have the root certificate first, then the intermediate (if it exists), followed by the ePO certificate.
- Using the OpenSSL toolkit and the encrypted '.key' file from step 1, create an unencrypted version of the private key, to be used for inputting into ePO:
openssl> rsa -in c:\ssl\keys\mcafee.key -out c:\ssl\keys\unsecured.mcafee.pem
- Use the new certificate and the private key file to update the ePO certificate:
NOTE: In addition to this list, the browser certificate presented needs to be recognized as Trusted so that the CA trusted with your Enterprise CA is added in the Trusted Root Certification Authorities list. For more details, see your operating system documentation.
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Click Server Certificate under Setting Categories, and then click Edit.
- Select Use the provided certificate and private key.
- Click Browse in the Certificate (P7B, PEM) field, locate and select the certificate file (.p7b or .cer), then click Open.
- Click Browse in the Private key (PEM) field.
- Go to and select the private key file (unsecured.mcafee.pem in this case), and then click Open.
- Click Save.
- Restart the ePO services:
- Press Windows+R, type services.msc, and then click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
- Close the services window.
Solution
If the application of the custom SSL certificate fails, or needs to be rolled back:
- Go to <ePO installation folder>\Server\keystore\.
- Locate the following files:
- server.keystore
- server.keystore.backup<date string>
- Rename server.keystore to server.keystore.bad.
- Rename server.keystore.backup<date string> to server.keystore.
- Restart the ePO services:
- Press Windows+R, type services.msc, and click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
- Close the services window.
|
