Admin Console SSL Certificate

Is it possible to change the SSL certificate that the GroupWise 18 Admin Console uses? I know in GW 2014 there was no supported method of doing it.

Thank you!
Brad Rodgers
  • Sorry, it appears that I posted this in the wrong forum. Perhaps a moderator would be kind enough to move it to the appropriate forum.
  • Hi Brad,

    GroupWise 18 uses its own CA. You can't change that. But you can mint new certificates as needed for the Admin Console. You don't quite say what it is you are wanting to achieve.

    Cheers,
  • Laura,

    Web browsers do not trust the GroupWise CA so when someone visits the Admin Console, they get the messages about the site not being secure and have to go through the hoops to get past. I was hoping to switch the SSL cert with our wildcard cert so it shows as a valid cert.

    Thank you,
    Brad
  • Hi Brad,

    Unfortunately, you can't replace the GroupWise CA issued certs with external ones.

    Cheers,
  • laurabuckley;2486052 wrote:

    Unfortunately, you can't replace the GroupWise CA issued certs with external ones.

    Hi Laura,

    It is not only possible to replace the GroupWise CA certs with external ones but highly recommended. See "Configuring Server Certificates and TLS" in the GroupWise 18 Administration Guide:

    " ... For your convenience, the GroupWise CA can generate certificates until you obtain your commercially signed certificates." ... an intermediate solution and further on:

    Certificate Best Practices


    • If you obtain your certificates from an intermediate CA, the certificate for that intermediate CA and all other intermediate CAs leading to the Trusted Root CA must be appended to your certificate file.
    • For TLS communication between the agents and servers, the Fully Qualified Domain Name (FQDN) of the server should be used for the Subject Alternative Name (SAN) on the certificate. Also, the GroupWise agents should be configured with the FQDN instead of the IP address on the Agent Settings tab for all GroupWise agents.


    But the documentation doesn't show how to implement the external cert for all Agents, Admin-Console and GWMon :mad:
    A much more detailed description can be found in the GroupWise 8 docs, but still WEB-Access, Admin-Console and GWMon are missing.

    So here are my findings:

    • WEB-Access is handled by Apache
    • for all agents ONE server certificate can be imported via Admin-Console
    • for the Admin-Console: just save and replace the files: /opt/novell/groupwise/certificates/<longhash>/admin.<domain>{.crt,.key} with the server certificate for your site.
    • GWMonitor

      • Either use the Cool Solution "Creating a certificate to use with GroupWise Monitor Agent web console" (not tested for GW18!)
      • or - as GWMonitor is using the Tomcat keystore located in /var/opt/novell/conf/cacerts

        1. prepare the cert including private key (without password) and complete chain as PKCS12 file i.e. mycert.p12
        2. the intermediate cert as intermediate.pem and the cert itself as mycert.pem, then
        3. cd /var/opt/novell/tomcat/conf
          rm cacerts
          keytool -importkeystore -srckeystore mycert.p12 -destkeystore cacerts -deststoretype pkcs12 -destkeypass
          keytool -import -alias IntermediateCA -keystore cacerts -trustcacerts -file intermediate.pem
          keytool -import -alias tomcat -keystore cacerts -trustcacerts -file mycert.pem
          rcnovell-tomcat restart







    Klaus
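
The points raised in this thread (intermediates appended to the certificate file, the server FQDN covered by the SAN either literally or through a wildcard, a private key without a password) can be checked with openssl before the Admin Console files are replaced. This is an added example and not part of any post above; the function names, file names and the example.test host are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a PEM certificate and key before they
# replace the Admin Console's .crt/.key files. File names and the FQDN are
# supplied by the caller (assumptions). Requires the openssl CLI.

# Count the certificates in a PEM file: 1 = leaf only, more = chain appended.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed if the leaf (first certificate in the file) carries the FQDN as a
# DNS SAN, either literally or through a single-label wildcard such as
# *.example.test.
san_covers_fqdn() {
    wildcard="*.${2#*.}"
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^[[:space:]]*//' |
        grep -qxF -e "DNS:$2" -e "DNS:$wildcard"
}

# Succeed if the private key is readable without a passphrase and its public
# half equals the public key in the leaf certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run all checks: preflight <cert.pem> <key.pem> <fqdn>; 0 only if all pass.
preflight() {
    rc=0
    echo "certificates in $1: $(cert_count "$1")"
    san_covers_fqdn "$1" "$3" || { echo "FAIL: SAN does not cover $3"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: key unreadable, encrypted or mismatched"; rc=1; }
    return $rc
}

# Build a constructed, self-signed sample (SAN *.example.test) in directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sample' \
        -addext 'subjectAltName=DNS:*.example.test' \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}
```

A count of 1 from `cert_count` on a certificate issued by an intermediate CA means the chain has not been appended yet.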