You can use a custom SSL certificate instead of the default self-signed certificate for the HTTPS connection that browsers use to authenticate the NSM server. This article describes one way to create a custom SSL certificate signed by a third-party Certificate Authority (CA), such as Verisign.
IMPORTANT: The NSM platform provides the technical mechanism to import third-party certificates. Generation, validation, and troubleshooting of third-party certificates are not supported.
IMPORTANT: Before you begin this process, install and configure the OpenSSL toolkit. Installing and configuring the toolkit makes sure that all the libraries and configuration files OpenSSL needs are in place.
- Download and install the OpenSSL toolkit.
- Extract and install the version you downloaded based on your platform (32-bit or 64-bit).
NOTE: For additional information about obtaining the OpenSSL toolkit, go to the OpenSSL site.
- Create the following folder: c:\ssl\keys
- Open a cmd window and change to the directory that contains openssl.exe (or add that directory to your PATH).
Obtain a custom SSL certificate for use with NSM:
- Current versions of Chrome and Microsoft Edge ignore the Common Name and match the server name only against the Subject Alternative Name (SAN) extension, so the certificate must have that field populated. To create a Certificate Signing Request (CSR) that carries a SAN, first create a configuration file:
- Create a file named sancert.cnf with the following content, and then save it to the C:\ssl\keys folder.
- Don’t change anything in the [req] section below.
- Substitute your own values in the [dn] and [alt_names] sections. Lines that start with # are comments that explain each placeholder; OpenSSL ignores them, so you can leave them in or delete them.
Example:
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
C=US
# Use the full state name, not the abbreviation
ST=State name
L=City
O=Organization name
OU=Domain name
# Fully qualified domain name of the NSM server
CN=fqdn of server name
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
# DNS.1 must be the same FQDN as CN; browsers match the host name against the SAN, not the CN
DNS.1 = dns1
# DNS.2, DNS.3 and IP.1 are optional; delete the lines you don't need
DNS.2 = dns2.com
DNS.3 = dns3.com
IP.1 = ipaddress
- Create the private key and the CSR with the data specified in the configuration file:
Type openssl req -new -out c:\ssl\keys\mcafee.csr -newkey rsa:2048 -nodes -sha256 -keyout c:\ssl\keys\mcafee.key -config c:\ssl\keys\sancert.cnf and press Enter.
NOTE: The -nodes option writes mcafee.key unencrypted. Restrict access to the C:\ssl\keys folder, and delete or move the key file to secure storage after you have built the .p12 file.
- Verify the CSR that you created:
Type openssl req -text -noout -verify -in C:\ssl\keys\mcafee.csr and press Enter.
Confirm that the output reports verify OK and that the X509v3 Subject Alternative Name section lists the names you entered. If the X509v3 extensions section is missing, OpenSSL did not read sancert.cnf; check the -config path and re-create the CSR.
- To obtain the server certificate, submit the CSR to your third-party CA or Enterprise CA. Your CA returns the new server certificate and the CA certificates (the chain). Sometimes the CA certificates are in separate files, and sometimes they are all in one file. Before you continue, confirm that the issued certificate still contains the Subject Alternative Name: some CAs do not copy extensions from the CSR unless the certificate template or profile allows it.
For the purposes of the next step, we assume that the certificate file name is nsm.cert and the chain file name is ca-chain-cert.pem. Put both files in C:\ssl\keys with the mcafee.key file.
- Use OpenSSL for Windows or Linux to generate a PKCS#12 (.p12) file from the key, the certificate, and the chain:
Type openssl pkcs12 -inkey C:\ssl\keys\mcafee.key -in C:\ssl\keys\nsm.cert -export -out C:\ssl\keys\nsm.p12 -certfile C:\ssl\keys\ca-chain-cert.pem and press Enter.
OpenSSL prompts for an export password. Record it; NSM asks for it when you import the file.
NOTE: If you didn’t receive a certificate chain file, omit the -certfile C:\ssl\keys\ca-chain-cert.pem option from the command.
NOTE: OpenSSL 3.x writes .p12 files with AES-256 and PBKDF2 by default. If the import rejects a file built with OpenSSL 3.x, rebuild it with the -legacy option added to the openssl pkcs12 command, which uses the older algorithms that earlier importers accept.
- Import the .p12 file into the NSM. For instructions, see the product guide for your release.
NOTE: For instructions for 9.1 and 9.2 versions earlier than 9.1.7.80 and 9.2.9.55, see:
KB59373 - How to replace the McAfee-signed SSL certificate on the Network Security Manager with a Certificate Authority signed SSL certificate
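The following script is an added example and is not part of the KB article or the NSM product. It runs the same key, CSR and PKCS#12 steps described above on Linux or Git Bash (a temporary directory stands in for C:\ssl\keys), and then performs the checks a practitioner should make before importing: the CSR and the issued certificate both carry the SAN, the certificate matches the private key, the chain validates the certificate, and the .p12 opens with the export password. The host name nsm.example.com, the IP address 192.0.2.10, the export password, and the throwaway local CA that plays the role of the third-party CA (so the script runs offline) are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the KB article: the CSR -> CA -> PKCS#12 steps above run
# end to end on Linux or Git Bash, followed by the checks worth doing before import.
# Assumptions (not from the article): host nsm.example.com, IP 192.0.2.10, a work
# directory standing in for C:\ssl\keys, and a throwaway local CA (constructed here)
# standing in for the third-party CA so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="nsm.example.com"
SAN_IP="192.0.2.10"
P12_PASS="changeit"   # export password; NSM prompts for it at import time

# Same layout as the article's sancert.cnf, with the placeholders filled in.
write_san_config() {
  cat > "$WORK/sancert.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = dn
req_extensions = req_ext
prompt = no
[ dn ]
C=US
ST=California
L=Santa Clara
O=Example Corp
OU=Security
CN=$FQDN
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $FQDN
IP.1 = $SAN_IP
EOF
}

# Step: key + CSR (the article's "openssl req" command). -nodes leaves the key in
# the clear, so lock the file down immediately.
make_csr() {
  openssl req -new -out "$WORK/mcafee.csr" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/mcafee.key" -config "$WORK/sancert.cnf" 2>/dev/null
  chmod 600 "$WORK/mcafee.key"
}

# Step: verify the CSR. Returns 0 only if its self-signature checks out AND the
# SAN extension is present (a missing X509v3 block means the config was not read).
csr_has_san() {
  openssl req -noout -verify -in "$WORK/mcafee.csr" >/dev/null 2>&1 &&
  openssl req -noout -text -in "$WORK/mcafee.csr" | grep -q "DNS:$FQDN"
}

# Stand-in for "submit the CSR to your CA": a throwaway local CA, constructed for
# this example only. The SAN is copied from the CSR explicitly because many CAs
# silently drop CSR extensions unless the template or profile allows them.
issue_with_local_ca() {
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
    '[ dn ]' 'CN = Example Test CA' '[ ca_ext ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$WORK/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca-chain-cert.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/mcafee.csr" -CA "$WORK/ca-chain-cert.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/sancert.cnf" -extensions req_ext \
    -out "$WORK/nsm.cert" 2>/dev/null
}

# Checks on what the CA returned, before building the .p12:
#  1. the SAN survived issuance;
#  2. the certificate matches the private key (same RSA modulus);
#  3. the chain the CA sent validates the server certificate.
issued_cert_ok() {
  openssl x509 -noout -text -in "$WORK/nsm.cert" | grep -q "DNS:$FQDN" || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/mcafee.key" 2>/dev/null)
  cert_mod=$(openssl x509 -noout -modulus -in "$WORK/nsm.cert")
  [ "$key_mod" = "$cert_mod" ] || return 1
  openssl verify -CAfile "$WORK/ca-chain-cert.pem" "$WORK/nsm.cert" >/dev/null 2>&1
}

# Step: build the PKCS#12 (the article's "openssl pkcs12 -export" command).
build_p12() {
  openssl pkcs12 -export -inkey "$WORK/mcafee.key" -in "$WORK/nsm.cert" \
    -certfile "$WORK/ca-chain-cert.pem" -out "$WORK/nsm.p12" -passout "pass:$P12_PASS"
}

# Confirms the .p12 opens with the export password and holds both certificates
# (server + CA), which is what NSM needs to present a complete chain.
p12_ok() {
  n=$(openssl pkcs12 -in "$WORK/nsm.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$n" -eq 2 ]
}

run_all() {
  write_san_config && make_csr && csr_has_san && issue_with_local_ca &&
  issued_cert_ok && build_p12 && p12_ok
}

if command -v openssl >/dev/null 2>&1; then
  run_all && echo "nsm.p12 ready in $WORK (import it into NSM with password: $P12_PASS)"
else
  echo "openssl not on PATH; install the OpenSSL toolkit first" >&2
fi
```

When you use a real CA, drop issue_with_local_ca, copy the returned nsm.cert and ca-chain-cert.pem into the work directory, and run issued_cert_ok before build_p12; a failure on the first check is the "CA dropped the SAN" case that Chrome and Edge will reject after import.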