Monday, 11 April 2016

How to Replace the Self-Signed Certificate in OnCommand Unified Manager 6.X

Browser Certificate errors always bug me, so, let’s have some fun with SSL certificates...

Log into the OnCommand Unified Manager WebUI.

Image: Logging into OnCommand Unified Manager

Go to: Administration -> Setup Options

Image: OCUM -> Administration -> Setup Options


Select: Management Server -> HTTPS
Click on ‘View HTTPS Certificate’ to verify that the current Alternative Names are correct (if they are not, you will need to Regenerate the certificate first).
Click on ‘Download HTTPS Certificate Signing Request’

Image: Downloading the CSR

Image: HTTPS Certificate details

Copy the downloaded CSR (called MSOCM1.CSR in this lab) to a Certification Authority (CA) server (here we have access to a Windows Server 2008 R2 Domain Controller with ‘Active Directory Certificate Services’ and the ‘Certification Authority’ role installed - there is also Web Enrollment).

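Note: A standard CA needs a slight modification to enable Subject Alternative Name (SAN) certs, as detailed previously in this blog post. The flag set below is a CA-wide setting: it makes the CA accept SAN values supplied as request attributes on every request it processes, not only this one. From the DOS Command Prompt>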
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop "Active Directory Certificate Services"
net start "Active Directory Certificate Services"

Run the following command from the DOS Command Prompt to generate a CER (Certificate file) from the CSR>

certreq -attrib "CertificateTemplate:WebServer" MSOCM1.csr MSOCM1.cer

Image: Generating the CER

Image: MSOCM1.CER generated!

Now, this is where it gets a bit fiddly!

- Double-click MSOCM1.CER file
- Go to the ‘Certification Path’ tab
- Click on the root certificate (lab-MSDMC1-CA here)
- Click on ‘View Certificate’

Image: Viewing the root certificate

Then - viewing the root certificate:

- Click on the Details tab
- Select “Copy to File...”

Image: Details of root certificate

Click Next > on the ‘Welcome to the Certificate Export Wizard’ page
Select ‘Base-64 encoded X.509 (.CER)’ for Export File Format and click Next >

Image: Export to Base-64

Save the file as, say, ROOT_BASE64.CER

Then, in a text editor like Notepad++, open the MSOCM1.CER and ROOT_BASE64.CER files, copy the content of ROOT_BASE64.CER, paste it at the bottom of MSOCM1.CER, and save the result as MSOCM1.PEM. The PEM file will look something like the below:

-----BEGIN CERTIFICATE-----
(Base-64 content of MSOCM1.CER, the server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base-64 content of ROOT_BASE64.CER, the root certificate)
-----END CERTIFICATE-----
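
Because MSOCM1.PEM is assembled by hand in a text editor, a quick check before uploading catches a missing, duplicated or misordered certificate. The script below is an added example, not part of the original post: it uses only the Python standard library, its function names are illustrative, it assumes a single-tier CA as in this lab (the root issues the server certificate directly), and it compares issuer and subject names only, without verifying signatures.

```python
import base64, re, sys
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw issuer and subject Name encodings from tbsCertificate."""
    _, pos, _ = read_tlv(der, 0)            # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate SEQUENCE
    fields = []                             # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(pem_text):
    """Return a list of problems in a server-then-root PEM bundle (empty = OK)."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 2:
        return [f"expected 2 certificates (server, then root), found {len(blocks)}"]
    try:
        ders = [base64.b64decode("".join(b.split()), validate=True) for b in blocks]
        (leaf_iss, _), (root_iss, root_sub) = map(issuer_and_subject, ders)
    except (ValueError, IndexError) as exc:
        return [f"a certificate block is not valid Base-64 DER: {exc}"]
    problems = []
    if ders[0] == ders[1]:
        problems.append("the same certificate was pasted twice")
    if root_iss != root_sub:
        problems.append("second certificate is not self-issued, so it is not a root")
    if leaf_iss != root_sub:
        problems.append("first certificate was not issued by the second one")
    return problems

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "MSOCM1.PEM"
    with open(path, encoding="utf-8-sig") as fh:   # tolerate a BOM added by the editor
        issues = check_bundle(fh.read())
    sys.exit("\n".join(issues) or 0)
```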

Return to the OnCommand Unified Manager WebUI -> Administration -> Setup Options -> Management Server -> HTTPS and click the ‘Install HTTPS Certificate’ button, and install the MSOCM1.PEM file just created.

Image: Installing HTTPS Certificate to OCUM

Finally, reboot the OCUM server (or restart the service), and test the certificate works!

Image: SSL Certificate works!

THE END
