Customers may experience either of the following issues:
- Customers already using a PKCS12 format certificate before installing IWSVA SP2 Patch 4 Critical Patch (CP) 1901 are suddenly unable to access the IWSVA Web Admin Console after applying CP Build 1901.
- Customers currently on SP2 Patch 4 CP 1901 are suddenly unable to access the IWSVA Web Admin Console after replacing the web console certificate with a PKCS12 format certificate.
This happens because the security proxy (secproxy) supports only the JKS keystore format, not PKCS12.
As a result, secproxy cannot start normally and users cannot access the web console.
By including the SAN information in the certificate, the customer’s certificate renewal process can be simplified as they only have to create and apply for a single certificate instead of one per IWSVA server.
To include the SAN information into a certificate, do the following:
- Log into the IWSVA server via SSH as root.
- Create the SAN directory inside /tmp and change into it:
[root@iwsva ~]# mkdir /tmp/SAN
[root@iwsva ~]# cd /tmp/SAN
- Inside the SAN directory, create the san.cnf file using the touch command:
[root@iwsva SAN]# touch san.cnf
- Edit the newly created san.cnf using the text editor vi:
[root@iwsva SAN]# vi san.cnf
- Type the lines shown in the following sample san.cnf, replacing each placeholder with the proper value. Because prompt = no is set, OpenSSL uses the values in this file literally, so every field must contain the real value (for example, countryName must be a two-letter code). List each IWSVA server that the certificate must cover as its own DNS.n entry under [alt_names]:
    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    prompt = no
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (eg, city)
    organizationName = Organization Name (eg, company)
    commonName = Common Name (e.g. server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = IWSVA1 hostname or FQDN (whichever will be used to access the URL)
    DNS.2 = IWSVA2 hostname or FQDN (whichever will be used to access the URL)
    DNS.3 = IWSVA3 hostname or FQDN (whichever will be used to access the URL)
- Exit vi using :wq!
- Generate the CSR together with the private key using the san.cnf config. Because no -keyout is given, OpenSSL writes both the encrypted private key and the certificate request into the single file san.csr:
[root@iwsva SAN]# openssl req -new -newkey rsa:2048 -config san.cnf > san.csr
- Type in the appropriate PEM pass phrase when prompted.
- Using WinSCP, copy the san.csr file off the server and open it with Notepad.
- Cut the private key information from san.csr (starting with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending at -----END ENCRYPTED PRIVATE KEY-----) and save it in a new text file named privkey.pem.
- With only the certificate request remaining in san.csr, save it and have the customer submit it to their CA for digital signing in Base-64 encoded CRT format.
- Once signed, create a new text file named san_certchain.crt and add the PEM data for the following certificates, in this order:
- SAN certificate
- Intermediate Certificate (if applicable)
- Root Certificate
- Copy the following files back into the IWSVA server's /tmp/SAN directory:
- san_certchain.crt
- privkey.pem
- Create the PKCS12 format certificate from san_certchain.crt and privkey.pem using the command below (the subcommand is lowercase pkcs12):
[root@iwsva SAN]# openssl pkcs12 -export -in san_certchain.crt -inkey privkey.pem -name "IWSVA" -out san_cert.p12
- Key in the PEM pass phrase for privkey.pem and an Export Password for the new .p12 file when prompted.
- Copy the generated san_cert.p12 file off the server via WinSCP.
- Open the web console and go to Administration >> Network >> Web Console.
- Select SSL mode, browse to the san_cert.p12 certificate and click Upload.
- After the upload succeeds, enter the Export Password and click Save.
- Wait a few minutes, then access the IWSVA via SSH.
- Using vi, modify the 8443 and 9091 Connector entries in /var/iwss/tomcat/conf/server.xml and add the keystoreType="PKCS12" attribute to each of them.
- Restart the IWSVA application via the command below:
[root@iwsva SAN]# /var/iwss/rcIwss restart
This will interrupt network traffic for a few minutes, so plan accordingly.
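The following script is an added example, not part of the KB article and not Trend Micro's code. It runs the same SAN CSR to PKCS12 flow non-interactively so that each step can be checked before the next one (SAN entries present in the CSR, SAN entries still present in the cert inside the .p12, the Tomcat connectors carrying keystoreType="PKCS12"). The host names, pass phrases, and the server.xml sample are constructed for the demo; the CA signing step is replaced by a self-signed certificate purely so the script runs offline, and the connector attribute names are assumed generic Tomcat ones rather than taken from an IWSVA install.

```shell
#!/bin/sh
# Added example (not from the IWSVA KB article): non-interactive SAN CSR -> PKCS12 walk-through
# with a check after each step, plus the server.xml keystoreType edit.
# All host names, pass phrases and the sample server.xml are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYPASS="${KEYPASS:-demo-key-pass}"      # constructed; replaces the interactive PEM pass phrase
EXPORTPASS="${EXPORTPASS:-demo-export}"  # constructed; replaces the interactive Export Password

# Write a san.cnf with real values in every field: prompt = no means placeholders would be
# used literally, which is the usual reason the KB's template fails when left unedited.
make_san_config() {
    cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Texas
localityName = Irving
organizationName = Example Corp
commonName = iwsva1.example.test
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = iwsva1.example.test
DNS.2 = iwsva2.example.test
DNS.3 = iwsva3.example.test
EOF
}

# Same request as the KB command, but with -keyout so the key lands in privkey.pem directly
# instead of being cut out of san.csr by hand; -passout replaces the pass phrase prompt.
generate_csr() {
    openssl req -new -newkey rsa:2048 -config "$WORK/san.cnf" \
        -keyout "$WORK/privkey.pem" -passout "pass:$KEYPASS" \
        -out "$WORK/san.csr" 2>/dev/null
}

# Count the DNS SAN entries in the CSR: the check to run before the CSR goes to the CA.
csr_san_count() {
    openssl req -in "$WORK/san.csr" -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

# Stand-in for the CA: self-sign the CSR, copying the SAN extension across.
# A real deployment uses the CA-issued chain in san_certchain.crt instead.
self_sign_for_demo() {
    openssl x509 -req -in "$WORK/san.csr" -signkey "$WORK/privkey.pem" -passin "pass:$KEYPASS" \
        -days 30 -extfile "$WORK/san.cnf" -extensions req_ext \
        -out "$WORK/san_certchain.crt" 2>/dev/null
}

# The KB's pkcs12 export, non-interactive.
build_p12() {
    openssl pkcs12 -export -in "$WORK/san_certchain.crt" -inkey "$WORK/privkey.pem" \
        -passin "pass:$KEYPASS" -name IWSVA -passout "pass:$EXPORTPASS" \
        -out "$WORK/san_cert.p12"
}

# Verify the bundle opens with the Export Password and the cert inside still carries the SANs.
p12_san_count() {
    openssl pkcs12 -in "$WORK/san_cert.p12" -passin "pass:$EXPORTPASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

# Constructed stand-in for /var/iwss/tomcat/conf/server.xml; attribute names are assumed
# generic Tomcat ones, not taken from an IWSVA install.
write_sample_server_xml() {
    cat > "$WORK/server.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="9091" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
EOF
}

# Add keystoreType="PKCS12" to the 8443 and 9091 connectors only; safe to re-run.
add_keystore_type() {
    sed -i.bak -E '/<Connector port="(8443|9091)"/{/keystoreType=/!s# */># keystoreType="PKCS12" />#;}' "$WORK/server.xml"
}

# Number of connectors now declaring a PKCS12 keystore.
pkcs12_connector_count() {
    grep -c 'keystoreType="PKCS12"' "$WORK/server.xml"
}

run_demo() {
    make_san_config && generate_csr && self_sign_for_demo && build_p12
    write_sample_server_xml && add_keystore_type
    echo "CSR SANs: $(csr_san_count), P12 SANs: $(p12_san_count), PKCS12 connectors: $(pkcs12_connector_count)"
}

run_demo
```

On a real IWSVA, the only pieces that carry over are the checks: run the csr_san_count step on the CSR before sending it to the CA, and the p12_san_count step on san_cert.p12 before uploading it, so that a missing SAN or a wrong Export Password is caught before the web console is taken down.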