ianp123
New Member.

Management Certificate Expired


Hey,

My Wildcard cert expired a little while back, and while I replaced it for the user facing side of it, I seem to have missed it for the management portal. Now I can't connect to my server on https://<server>:8443/nps until I replace the cert.

I'm assuming it's Tomcat on the back end, but I can't seem to find the config file to force a new cert to be used.

Can anyone point me in the right direction?

Thanks,

Ian


Accepted Solutions
-Magnus- Super Contributor.

Re: Management Certificate Expired

Hi,

I used to use these commands to create a certificate that I sign with our Enterprise CA (written for NAM appliances…). Maybe it will point you in the right direction (don't forget to change the DNS domain).

Set up some variables:

now=$(date +"%Y_%m_%d")
hostname=$(hostname)
keytool=$(find /opt/ -executable -type f | grep keytool | head -n 1)
keystore=/var/opt/novell/novlwww/.keystore
keystorpass=$(grep 'NIDP_Name="connector"' /opt/novell/nam/adminconsole/conf/server.xml | sed 's/^.*keystorePass=\"//' | sed 's/\".*$//')

Backup keystore:

cp $keystore $keystore-backup-$now

Change name on previous certs in keystore:

$keytool -delete -keystore $keystore -storepass $keystorpass -alias del-tomcat
$keytool -changealias -keystore $keystore -storepass $keystorpass -alias tomcat -destalias del-tomcat

Create private key:

$keytool -genkey -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -dname "CN=$hostname.corp.com, O=NA, L=NA, ST=NA, C=COM" -ext SAN=dns:$hostname,dns:$hostname.corp.com -validity 3650 -keystore $keystore -storepass $keystorpass

Just to verify:

$keytool -list -keystore $keystore -storepass $keystorpass

Create CSR:

touch /tmp/$hostname.csr
$keytool -certreq -v -alias tomcat -ext SAN=dns:$hostname,dns:$hostname.corp.com -file /tmp/$hostname.csr -keystore $keystore -storepass $keystorpass

Verify CSR (contains SAN):

$keytool -printcertreq -file /tmp/$hostname.csr -v

Just to generate the Windows command to execute on the CA server (change template name):

echo certreq.exe -attrib CertificateTemplate:WebServer $hostname.csr $hostname.cer

Copy the CSR and then run the command above on a Windows Enterprise CA.

Get your Enterprise root and intermediate cert from https://certserver.corp.com/certsrv/certcarc.asp

Bring the root CAs and the .cer file over to /tmp and run this to import the CA public certs into the keystore.

$keytool -changealias -keystore $keystore -storepass $keystorpass -alias AD-Root-CA -destalias old-AD-Root-CA
$keytool -changealias -keystore $keystore -storepass $keystorpass -alias AD-Enterprise-CA -destalias old-AD-Enterprise-CA
$keytool -import -trustcacerts -file "/tmp/RootCA.cer" -noprompt -keystore $keystore -storepass $keystorpass -alias AD-Root-CA
$keytool -import -trustcacerts -file "/tmp/EnterpriseCA.cer" -noprompt -keystore $keystore -storepass $keystorpass -alias AD-Enterprise-CA

And finally import the webserver certificate:

$keytool -import -alias tomcat -keystore $keystore -storepass $keystorpass -file /tmp/$hostname.cer

Restart adminconsole:

rcnovell-adminconsole restart

You should now be able to use any browser without certificate warnings…

Maybe you have to clear the HSTS cache in the browser.

Don't forget to clean up the files after:

rm /tmp/EnterpriseCA.cer
rm /tmp/RootCA.cer
rm /tmp/$hostname.csr
rm /tmp/$hostname.cer

good luck // Magnus
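An added check (my example, not code from the thread or from NAM) for the situation Ian hit: it parses `keytool -list -v` output offline and flags entries that are expired or about to expire, and private-key entries missing the expected SANs, so the management keystore gets audited together with the user-facing one. The embedded listing is constructed; the alias names follow Magnus's commands, and wildcard SANs like Ian's are matched with the usual one-label rule.

```python
import re
from datetime import datetime, timedelta
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Valid from: Mon Jan 06 10:00:00 CET 2020 until: Wed Jan 05 10:00:00 CET 2022
SubjectAlternativeName [
  DNSName: nam01.corp.com
]
Alias name: AD-Root-CA
Entry type: trustedCertEntry
Valid from: Tue Jan 01 00:00:00 CET 2019 until: Sat Jan 01 00:00:00 CET 2039
"""  # constructed `keytool -list -v` excerpt, not captured from a real system
def _parse_keytool_date(text):
    # "Wed Jan 05 10:00:00 CET 2022": drop weekday and zone name (strptime cannot portably parse the zone)
    p = text.split()
    return datetime.strptime(" ".join(p[1:4] + p[5:6]), "%b %d %H:%M:%S %Y")

def _san_covers(san, name):
    # A wildcard SAN such as *.corp.com covers exactly one extra label.
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return san == name

def parse_keytool_listing(text):
    entries = []
    for block in text.split("Alias name: ")[1:]:
        etype = re.search(r"^Entry type: (\S+)", block, re.M)
        dates = re.search(r"^Valid from: .+? until: (.+)$", block, re.M)  # leaf comes first
        san = re.search(r"SubjectAlternativeName \[(.*?)\]", block, re.S)
        entries.append({"alias": block.splitlines()[0].strip(),
                        "type": etype.group(1) if etype else "unknown",
                        "not_after": _parse_keytool_date(dates.group(1)) if dates else None,
                        "sans": re.findall(r"DNSName: (\S+)", san.group(1)) if san else []})
    return entries

def check_entries(entries, now, required_sans=(), warn_days=30):
    # Returns (alias, problem) pairs: expired/expiring certs and missing SANs.
    problems = []
    for e in entries:
        na = e["not_after"] or datetime.min  # unreadable validity counts as expired
        if na < now:
            problems.append((e["alias"], "expired on %s" % na.date()))
        elif na - now < timedelta(days=warn_days):
            problems.append((e["alias"], "expires within %d days" % warn_days))
        if e["type"] == "PrivateKeyEntry":
            missing = [n for n in required_sans if not any(_san_covers(s, n) for s in e["sans"])]
            if missing:
                problems.append((e["alias"], "missing SAN(s): " + ", ".join(missing)))
    return problems
```

To run it against the real keystore, feed the output of the `$keytool -list` command above (with `-v` added) into `parse_keytool_listing` and call `check_entries` with `datetime.now()` and the hostnames the portal is reached by.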

3 Replies
-Magnus- Super Contributor.

Re: Management Certificate Expired

You mentioned that you can't access the /nps portal. Are you sure that it is not just an HSTS problem? Have you tried the IP address instead of the hostname?

ianp123
New Member.

Re: Management Certificate Expired

Thanks! It was the keystore file I couldn't find. Once I replaced it with one that contained my wildcard cert I was good again.
