ControlPoint certificate requirements


We just generated a new SSL certificate using a local CA for our working ControlPoint. We've installed it in IIS and we've updated the thumbprint in the 2 web.configs and one exe.config file as per the manual. We're getting an exception on the dashboard repos:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.
Back
System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
--- End of inner exception stack trace ---
at System.Runtime.AsyncResult.End[TAsyncResult](IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.SendAsyncResult.End(SendAsyncResult result)
at System.ServiceModel.Channels.ServiceChannel.EndCall(String action, Object[] outs, IAsyncResult result)
at System.ServiceModel.Channels.ServiceChannelProxy.TaskCreator.<>c__DisplayClass7_0`1.<CreateGenericTask>b__0(IAsyncResult asyncResult)
at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar,

Is this a certificate issue? And if so, does anyone know the certificate attribute requirements?

Our current cert has the following props:

Key Usage: Key encipherment (a0), digital signature

Extended Key Usage: server authentication (our previous cert had client auth as well but the local CA policies have changed and we cannot get this in our cert)

Any pointers?


  • Suggested Answer

    Maybe you can use the following PowerShell to create your certificates:

    1) Create the Certificate and export .CER file :
    ===

    $rootcert = New-SelfSignedCertificate -CertStoreLocation cert:\CurrentUser\My -DnsName SM-CP-201602,SM-CP-201602.swinfra.net -KeyUsage CertSign

    Write-host "Certificate Thumbprint: $($rootcert.Thumbprint)"

    Export-Certificate -Cert $rootcert -FilePath "C:\Program Files\Micro Focus\ControlPoint\SSL\CertAuth13.cer"


    2) Import into Trusted Root Certificates
    ===

    Import-Certificate -FilePath "C:\Program Files\Micro Focus\ControlPoint\SSL\CertAuth13.cer" -CertStoreLocation Cert:\LocalMachine\Root

    3) Sign the Certificate
    ===

    $rootca = Get-ChildItem cert:\CurrentUser\my | Where-Object {$_.Thumbprint -eq "083E78AEF978F6E083E40448EC77CECED024080D"}

    New-SelfSignedCertificate -certstorelocation cert:\LocalMachine\My -dnsname SM-CP-201602,SM-CP-201602.swinfra.net -Signer $rootca

    ===

    NOTES :
    -dnsname - Amend as needed. Allows you to set multiple Subject Alternative Names
    -Filepath - .cer file export directory, amend as needed
    - Copy the thumbprint returned in step 1 and use it in step 3
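
To check whether the certificate itself differs from the previous one in the ways the question describes, the following added example (not from the original posts or the ControlPoint manual) reports the Key Usage, Extended Key Usage, private key and chain state of a certificate selected by thumbprint. The function name `Get-CertUsageReport`, the `Cert:\LocalMachine\My` store and the placeholder thumbprint are assumptions.

```powershell
# Added example: hypothetical helper, not part of ControlPoint or the posts above.
function Get-CertUsageReport {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed store for the IIS certificate
    )

    # Thumbprints copied from the certificate dialog can carry spaces or hidden
    # characters, which makes the value in a config file silently fail to match.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate with thumbprint $clean in $StorePath" }

    $ns  = 'System.Security.Cryptography.X509Certificates'
    $ku  = $cert.Extensions | Where-Object { $_ -is "$ns.X509KeyUsageExtension" }
    $eku = $cert.Extensions | Where-Object { $_ -is "$ns.X509EnhancedKeyUsageExtension" }

    # A certificate with no EKU extension is not restricted to particular purposes;
    # in that case both flags below are False and EkuPresent is False.
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Build the chain on this machine so an untrusted issuing CA shows up here.
    $chain   = New-Object "$ns.X509Chain"
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyUsage      = if ($ku) { $ku.KeyUsages } else { 'none' }
        EkuPresent    = [bool]$eku
        ServerAuth    = $ekuOids -contains '1.3.6.1.5.5.7.3.1'   # Server Authentication
        ClientAuth    = $ekuOids -contains '1.3.6.1.5.5.7.3.2'   # Client Authentication
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (placeholder value: replace with the thumbprint written to the config files):
# Get-CertUsageReport -Thumbprint '<THUMBPRINT-FROM-CONFIG>' | Format-List
```

Running it against both the new certificate and the previous one, if it is still in the store, shows side by side whether Client Authentication is the only attribute that changed.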