How to Replace the Self-Signed SSL Cert for WFA 3.1

Just can’t get enough satisfaction from doing SSL certificates so got to do another one! Here I use a Windows Server 2008 R2 Certification Authority to replace the Self-Signed cert for WFA 3.1. Semi following the “OnCommand Workflow Automation 3.1 Installation and Setup Guide for Windows” SSL bits...

Part 1) Replacing the default SSL Certificate

1.1) Log on to the WFA server
1.2) From a DOS prompt, run the following commands to stop the WFA services>

net stop NA_WFA_SRV
net stop NA_WFA_DB

1.3) Delete (better - backup*) the wfa.keystore file from the following location**: C:\Program Files\NetApp\WFA \jboss\standalone\configuration\keystore

*If this screws up, stop WFA services; put the original wfa.keystore file back exactly where it was, restart WFA services, and all’s well.
**The manual says .\configuration, but on my WFA 3.1 box it was in .\configuration\keystore

1.4) From a DOS prompt, change directory>

cd "C:\Program Files\NetApp\WFA\jre\bin"

1.5) Enter the following to obtain the database key:

keytool -keysize 2048 -genkey -alias "ssl keystore" -keyalg RSA -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\wfa.keystore" -validity 3650

Note: Validity is in days.

You will be prompted for:

 - Enter keystore password (use the default which is changeit)***
- What if your first and last name? (this is the WFA website name e.g. wfa.lab.priv)
- What is the name of your organizational unit?
- What is the name of your organization?
- What is the name of your City or Locality?
- What is the name of your State or Province?
- What is the two-letter country code for this unit?

Image: Obtaining the database key
*** You can change the default password according to the IaSG, but it mentioned changing the password attribute in the standalone-full.xml file, and I could not find the referred to location in the file. Otherwise, it doesn’t work without using changeit.

Note: The wfa.keystore file might get created in the wrong folder (it did for me), so move it from - C:\Program Files\NetApp\WFA \jboss\standalone\configuration - to - C:\Program Files\NetApp\WFA \jboss\standalone\configuration\keystore

1.6) Restart the WFA services:

net start NA_WFA_SRV

Part 2) Creating a certificate signing request for Workflow Automation

Continuing from above ...

2.1) From a DOS prompt, change directory>

cd "C:\Program Files\NetApp\WFA\jre\bin"

2.2) Enter the following to create a CSR:

keytool -certreq -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\keystore\wfa.keystore" -alias "ssl keystore" -file C:\WFA_CERT.csr

Note: Again using password changeit

Part 3) Generating the CER and P7B

3.1) Take WFA_CERT.csr from earlier and process it on the Certificate Authority server using the following from the Command Prompt>

certreq -attrib "CertificateTemplate:WebServer" WFA_CERT.csr WFA_CERT.cer

This generates the WFA_CERT.cer file.

certreq -attrib "CertificateTemplate:WebServer\nSAN:DNS=wfa&DNS=wfa.lab.priv&DNS=10.0.1.35&IPAddress=10.0.1.35&DNS=mswfa1&DNS=mswfa1.lab.priv" WFA_CERT.csr WFA_CERT.cer

3.2) Double-click the WFA_CERT.cer file

Image: The generated CER
3.3) Go to the Details tab
3.4) Click “Copy to File....
3.5) In the ‘Certificate Export Wizard’ select to export the file as .P7B and ‘Include all certificates in the certification path if possible’

Image: Exporting as P7B
3.6) Save as say WFA_CERT.p7b

Part 4) Installing the Certificate

4.1) From a DOS prompt, change directory>

cd "C:\Program Files\NetApp\WFA\jre\bin"

4.2) Run this command to import the certificate chain>

keytool -import -alias "ssl keystore" -keystore "C:\Program Files\NetApp\WFA\jboss\standalone\configuration\keystore\wfa.keystore" -trustcacerts -file C:\WFA_CERT.p7b

Note: Again using password changeit

4.3) Finally, restart the WFA Services>

net stop NA_WFA_SRV
net stop NA_WFA_DB
net start NA_WFA_SRV

4.4) And verify the certificate is working!

Image: A happy padlock

Comments