IMPORTANT: Before you begin this process, you must install and configure the
OpenSSL toolkit. Installation and configuration of the toolkit makes sure that all needed libraries and configuration files for OpenSSL are in place.
- Download and install the OpenSSL toolkit from https://slproweb.com/products/Win32OpenSSL.html.
- Extract and install the version you downloaded based on your platform (32-bit or 64-bit).
NOTE: For additional information about obtaining the OpenSSL toolkit, see http://www.openssl.org/.
- Create the following folder: c:\ssl\keys
- Navigate to C:\OpenSSL-Win64\bin\ and run openssl.exe.
Obtain a custom SSL certificate for use with ePO:
- Create a new private key using OpenSSL with 2048-bit strength and encrypted using des3:
openssl> genrsa -des3 -out c:\ssl\keys\mcafee.key 2048
NOTES:
- To create a Certificate Signing Request (CSR) for use with Chrome that requires subject alternate names, you need to first create a configuration file.
- Create a file named sancert.cnf with the following information. Then, save it to the C:\OpenSSL-Win64\bin folder, or where OpenSSL is installed, as long as it is in the bin folder.
- Do not change anything in the [req], [dn] and [alt_names] sections below.
- Substitute information where needed.
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C=US
ST=State name (note: use full state name instead of abbreviation)
L=City
O=Organization name
OU=Domain name
CN=fqdn of server name
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = dns1
DNS.2 = dns2.com (optional)
DNS.3 = dns3.com (optional)
- To create the CSR with the subject alternative names, run the following command, substituting the correct values.
NOTE: The CN= value is what the certificate is issued to, whether it is the FQDN or NETBIOS name of the server. If ePO is clustered, use the virtual cluster name. Those values get entered into the subject field of the certificate.
openssl req -key c:\ssl\keys\mcafee.key -config sancert.cnf -new -subj "/C=US/ST=state/L=city/O=OrgName/OU=domain.com/CN=servername.domain.com" -out c:\ssl\keys\mcafee.csr
- To obtain the server certificate, submit the CSR to your third-party CA or Enterprise CA.
A custom SSL certificate can be certified using either:
- An ECA (a domain CA in Windows)
On the domain controller CA server, open command prompt as administrator and run the command below. This command forces it to use the web server template that generates the server certificate.
certreq -submit -attrib "CertificateTemplate: WebServerV2" c:\ssl\keys\mcafee.csr
Click OK when the dialog box for the LDAP server appears. Then, save the (.cer) file to a location of your choice. The (.cer) file that is created contains the root CA certificate and the ePO certificate.
- A third-party CA, such as Verisign or Entrust
The third-party CA might provide a single certificate file (.cer), or sometimes provide more than one certificate file (.crt).
For example:
- One root certificate file representing the root certificate
- One certificate file for an intermediate certificate
- The server certificate itself
These three certificate files (.crt) are combined into the proper format for ePO to use with the following steps. But, if the CA can provide the certificate in PKCS#7 format, it does not need further conversion. You can supply the resulting (.cer) file to ePO. You might need to rename the file to .p7b.
- To use the custom SSL certificate with ePO, and have it present the entire certificate chain:
- Combine the (.crt) files
- Export them as a (.p7b) file
- Use the Export Certificate wizard in Windows or use OpenSSL for Windows/Linux using the command below:
openssl> crl2pkcs7 -nocrl -certfile cert1.crt -certfile cert2.crt -certfile cert3.crt -out outfile.p7b
NOTE: The command creates a certificate chain file from the 'cert1.crt, cert2.crt, cert3.crt' files called outfile.p7b. The p7b file contains the entire certificate chain, which can now be supplied to ePO. The order of the chain must have the root certificate first, then the intermediate (if it exists), followed by the ePO certificate.
- Create an unencrypted version of the private key to be used for inputting into ePO:
openssl> rsa -in c:\ssl\keys\mcafee.key -out c:\ssl\keys\unsecured.mcafee.pem
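The OpenSSL part of the procedure above (encrypted key, SAN config file, CSR, p7b chain bundle, unencrypted key) as an added shell example that is not from the article. It assumes an openssl binary in PATH on Linux/macOS, a constructed hostname epo.example.com, and a throwaway two-tier test CA standing in for the enterprise or third-party CA; it ends with the checks worth running before the upload to ePO: SAN present in the CSR, p7b ordered root, intermediate, server, and the exported key actually unencrypted.

```shell
set -eu
WORK="${WORK:-$(mktemp -d)}"        # stand-in for c:\ssl\keys (constructed path)
FQDN="${FQDN:-epo.example.com}"     # constructed server name, not from the article
PASS="changeit"                     # constructed passphrase for the des3-encrypted key
CFG="$WORK/sancert.cnf"

make_csr() {   # article steps: des3-encrypted 2048-bit key, SAN config file, CSR with -subj
  printf '%s\n' '[ req ]' 'default_bits = 2048' 'distinguished_name = dn' \
    'req_extensions = req_ext' '[ dn ]' 'CN = fqdn of server name' '[ req_ext ]' \
    'subjectAltName = @alt_names' '[alt_names]' "DNS.1 = $FQDN" 'DNS.2 = epo' > "$CFG"
  openssl genrsa -des3 -passout "pass:$PASS" -out "$WORK/mcafee.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/mcafee.key" -passin "pass:$PASS" -config "$CFG" \
    -subj "/C=US/ST=California/L=City/O=Example Org/OU=example.com/CN=$FQDN" \
    -out "$WORK/mcafee.csr"
}

make_test_chain() {   # assumption: throwaway two-tier CA, root -> intermediate -> server
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  for n in root int; do   # unencrypted key plus CSR for each CA tier
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -keyout "$WORK/$n.key" \
      -subj "/CN=Test $n" -out "$WORK/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -extfile "$WORK/ca.ext" \
    -days 2 -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -out "$WORK/int.crt" 2>/dev/null
  # x509 -req drops CSR extensions, so the SANs are re-applied from sancert.cnf
  openssl x509 -req -in "$WORK/mcafee.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$CFG" -extensions req_ext -days 2 -out "$WORK/server.crt" 2>/dev/null
}

bundle_for_epo() {   # article steps: crl2pkcs7 in root, intermediate, server order; key decrypted
  openssl crl2pkcs7 -nocrl -certfile "$WORK/root.crt" -certfile "$WORK/int.crt" \
    -certfile "$WORK/server.crt" -out "$WORK/outfile.p7b"
  openssl rsa -in "$WORK/mcafee.key" -passin "pass:$PASS" -out "$WORK/unsecured.mcafee.pem" 2>/dev/null
  chmod 600 "$WORK/unsecured.mcafee.pem"   # plaintext key: owner-only, delete after the upload
}

check_bundle() {   # 0 only if the CSR carries the SAN, the p7b is ordered root/int/server,
                   # the exported key is plaintext, and the chain verifies
  openssl req -in "$WORK/mcafee.csr" -noout -text | grep -q "DNS:$FQDN" || return 1
  openssl pkcs7 -in "$WORK/outfile.p7b" -print_certs -noout | grep '^subject' \
    | sed 's/.*CN *= *//' > "$WORK/order.txt"
  printf 'Test root\nTest int\n%s\n' "$FQDN" | cmp -s - "$WORK/order.txt" || return 1
  grep -q ENCRYPTED "$WORK/unsecured.mcafee.pem" && return 1
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/server.crt" >/dev/null
}

run_all() { make_csr && make_test_chain && bundle_for_epo && check_bundle; }
```

Run `run_all`; a non-zero exit means one of the checks failed and the files in $WORK should not be uploaded as-is.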
- Use the new certificate and the private key file to update the ePO certificate:
NOTE: Make sure that the root CA certificate of the CA that issued the certificate (your Enterprise CA) is added to the Trusted Root Certification Authorities list, so that the certificate presented to the browser is recognized as trusted. For more details, see your operating system documentation.
- Log on to the ePO console.
- Click Menu, Configuration, Server Settings.
- Click Server Certificate under Setting Categories, and then click Edit.
- Select Use the provided certificate and private key.
- Click Browse in the Certificate (P7B, PEM) field, locate and select the certificate file (.p7b or .cer), then click Open.
- Click Browse in the Private key (PEM) field.
- Navigate to and select the private key file (unsecured.mcafee.pem in this case), and then click Open.
- Click Save.
- Restart the ePO services:
- Press Windows+R, type services.msc, and then click OK.
- Right-click each of the following ePO services and click Restart:
McAfee ePolicy Orchestrator x.x.x Application Server
McAfee ePolicy Orchestrator x.x.x Event Parser
McAfee ePolicy Orchestrator x.x.x Server
- Close the services window