Browser certificate errors always bug me, so let’s have some fun with SSL certificates...
Log into the OnCommand Unified Manager WebUI.
Image: Logging into OnCommand Unified Manager
Go to: Administration -> Setup Options
Image: OCUM -> Administration -> Setup Options
Select: Management Server -> HTTPS
Click on ‘View HTTPS Certificate’ to verify that the current configuration of Alternative Names is correct (you will need to Regenerate if not).
Click on ‘Download HTTPS Certificate Signing Request’
Image: Downloading the CSR
Image: HTTPS Certificate details
Copy the downloaded CSR (called MSOCM1.CSR in this lab) to a Certification Authority (CA) server (here we have access to a Windows Server 2008 R2 Domain Controller with ‘Active Directory Certificate Services’ and the ‘Certification Authority’ role installed - there is also Web Enrollment).
Note: A standard CA needs a slight modification to enable Subject Alternative Name (SAN) certs, as detailed previously in this blog post. From the DOS Command Prompt>
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop "Active Directory Certificate Services"
net start "Active Directory Certificate Services"
Run the following command from the DOS Command Prompt to generate a CER (Certificate file) from the CSR>
certreq -attrib "CertificateTemplate:WebServer" MSOCM1.csr MSOCM1.cer
Image: Generating the CER
Image: MSOCM1.CER generated!
Now, this is where it gets a bit fiddly!
- Double-click MSOCM1.CER file
- Go to the ‘Certification Path’ tab
- Click on the root certificate (lab-MSDMC1-CA here)
- Click on ‘View Certificate’
Image: Viewing the root certificate
Then - viewing the root certificate:
- Click on the Details tab
- Select “Copy to File...”
Image: Details of root certificate
Click Next > on the ‘Welcome to the Certificate Export Wizard’ page.
Select ‘Base-64 encoded X.509 (.CER)’ for Export File Format and click Next >
Image: Export to Base-64
And save the file as, say, ROOT_BASE64.CER
Then, in a text editor like Notepad++, open the MSOCM1.CER file and the ROOT_BASE64.CER file, copy the content of the ROOT_BASE64.CER file, paste it at the bottom of the MSOCM1.CER file, and save the result as MSOCM1.PEM. The PEM file will look something like the below:
-----BEGIN CERTIFICATE-----
(Base-64 text of MSOCM1.CER)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Base-64 text of ROOT_BASE64.CER)
-----END CERTIFICATE-----
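The copy-and-paste step above can also be scripted on the CA server. The PowerShell below is an added example, not part of the original post: it checks that both files are Base-64 encoded, that ROOT_BASE64.CER is the self-signed issuer of MSOCM1.CER and that the issued certificate carries a SAN extension, then writes MSOCM1.PEM as ASCII. The function name Read-PemCertificate is hypothetical, and a single-tier CA (the root issues the server certificate directly) is assumed, as in this lab.

```powershell
# Added example. File names come from the post; everything else is hypothetical.
$leafPath = '.\MSOCM1.cer'        # certificate issued by certreq
$rootPath = '.\ROOT_BASE64.CER'   # root exported from the Certification Path tab
$outPath  = '.\MSOCM1.PEM'        # bundle to upload to OCUM

function Read-PemCertificate([string]$Path) {
    # Join lines instead of using -Raw so this also runs on PowerShell 2.0 (Server 2008 R2).
    $text = (Get-Content -Path $Path) -join "`n"
    $pattern = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $found = [regex]::Matches($text, $pattern)
    if ($found.Count -ne 1) {
        throw "$Path must hold exactly one Base-64 certificate (found $($found.Count)); a DER export will not work."
    }
    $der  = [Convert]::FromBase64String(($found[0].Groups[1].Value -replace '\s', ''))
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)
    # Pem is kept as an array of lines so the output gets consistent line endings.
    New-Object PSObject -Property @{ Pem = ($found[0].Value -split "`n"); Cert = $cert }
}

$leaf = Read-PemCertificate $leafPath
$root = Read-PemCertificate $rootPath

# The second block must be the CA that issued the first one.
if ($leaf.Cert.Issuer -ne $root.Cert.Subject) {
    throw "Issuer of $leafPath is '$($leaf.Cert.Issuer)', not '$($root.Cert.Subject)'."
}
if ($root.Cert.Subject -ne $root.Cert.Issuer) {
    throw "$rootPath is not self-signed, so it is not the root of the chain."
}
$now = Get-Date
if ($now -lt $leaf.Cert.NotBefore -or $now -gt $leaf.Cert.NotAfter) {
    throw "$leafPath is outside its validity period."
}

# Print the Subject Alternative Name extension (OID 2.5.29.17) for a visual check
# against the Alternative Names shown by 'View HTTPS Certificate'.
$san = $leaf.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw "$leafPath has no Subject Alternative Name extension." }
$san.Format($true)

# Server certificate first, root last. ASCII avoids the UTF-16 default of Out-File and '>'.
Set-Content -Path $outPath -Value ($leaf.Pem + $root.Pem) -Encoding Ascii
"Wrote $outPath"
```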
Return to the OnCommand Unified Manager WebUI -> Administration -> Setup Options -> Management Server -> HTTPS, click the ‘Install HTTPS Certificate’ button, and install the MSOCM1.PEM file just created.
Image: Installing HTTPS Certificate to OCUM
Finally, reboot the OCUM server (or restart the service), and test that the certificate works!
Image: SSL Certificate works!
THE END