Replacing the IWSVA 6.5 admin console certificate with a DigiCert-signed certificate

To get a DigiCert-signed certificate:

1. Log in to the IWSVA server via SSH using a root account.
2. Navigate to the /tmp directory using the command below:

   # cd /tmp

3. Run the following command to generate a Private Key and Certificate Signing Request (CSR):

   # openssl req -new -newkey rsa:2048 > new.cert.csr

4. Collect the following files from the /tmp directory:
   • Private Key: privkey.pem
   • Certificate Signing Request: new.cert.csr
5. Provide the new.cert.csr file to DigiCert to have it signed in Base-64 CRT format. DigiCert will then return the following files:
   • Intermediate Certificate: DigiCertCA.crt
   • Server Certificate: star_nus_edu_sg.crt
6. Download the appropriate DigiCert Root Certificate, such as the DER Encoded Root Certificate: DigiCertGlobalRootCA.crt, from their website.
7. Convert the downloaded root certificate from DER format to Base-64 encoded X.509 certificate (.CER). This is for consistency with the server and intermediate certificates.
   1. Open the root certificate.
   2. On the Details tab, click Copy to file to open the Certificate Export Wizard and click Next.
   3. Select Base-64 encoded X.509 (.CER) as the format and click Next.
   4. Save the file as Base-64_DigiCertGlobalRootCA.crt and make sure to save it in the proper location together with the other certificates, then click Next.
   5. Click Finish to complete the conversion. The root certificate should be Base-64_DigiCertGlobalRootCA.crt.cer.
8. Copy the server, intermediate, and new root certificates into the /tmp directory of the IWSVA server.
9. Concatenate the three (3) certificates into a single certificate named certchain.crt by using the following commands:

   # cat star_nus_edu_sg.crt > certchain.crt
   # cat DigiCertCA.crt >> certchain.crt
   # cat Base-64_DigiCertGlobalRootCA.crt.cer >> certchain.crt

10. Convert the cert chain into a .p12 format:
    1. Execute the command below to start the conversion:

       # openssl pkcs12 -export -in certchain.crt -inkey privkey.pem -CAfile DigiCertCA.crt -name "IWSVA" -out NUS_IWSVA_CERT.p12

    2. Specify the password used in generating the .csr file in Step 4.
    3. Use the same password for the .p12 certificate export.
    4. Confirm the password for the .p12 certificate export.
11. Export the NUS_IWSVA_CERT.p12 file.
12. Access the IWSVA web console using plain HTTP.
13. Navigate to Administration > Network Configuration > Web Console.
14. Select SSL mode and upload the NUS_IWSVA_CERT.p12 certificate.
15. Enter the appropriate SSL password and retain the port number if preferred.
16. Wait for the message "Redirecting to port 1812 ..." to appear. We should lose connection after a few minutes since HTTP access to port 1812 is no longer available after opting to use HTTPS.
17. Log in again to the IWSVA server via SSH using root account.
18. Navigate to the Tomcat configuration directory using the command below:

    # cd /var/iwss/tomcat/conf

19. Back up the server.xml file using the following command:

    # cp server.xml server.xml.orig

20. Modify the server.xml using vi:

    # vi server.xml

21. Modify the line for Connector port as follows to reflect the information in the certificate you uploaded:

    <Connector port="1812" maxHttpHeaderSize="8192" maxThreads="15" minSpareThreads="3" maxSpareThreads="8" enableLookups="true" disableUploadTimeout="true" connectionTimeout="900000" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="keystore" keystoreType="PKCS12" keystorePass="<your_keystore_password>" SSLEnabled="true"/>

22. Save the changes and exit the server.xml file using the ":wq!" command.
23. Restart the IWSVA application using the command below:

    # /var/iwss/rcIwss restart

24. Access the IMSVA console using HTTPS on port 1812 to verify that it works properly.

If it still fails to work, revert the changes using the command below:

# /usr/iwss/AdminUI/configtomcat restore