Absent Member.

SSL Certificate question

I have Filr up and running (yay), but am trying to install our own GoDaddy wildcard certificate into the Web Application configuration.
In Filr I get 2 options to import, Trusted Cert, or Key Pair. I have our .crt, a bundle.crt (certificate chain), and our .key file.
I have managed to import our crt file (it shows up in the list), but cannot seem to make it active; even after I reboot the appliance, the browser continues to give me a certificate error.

Any ideas? I can't see anything in the docs yet.
0 Likes
10 Replies
Absent Member.

mickers wrote:
>
> I have Filr up and running (yay), but am trying to install our own
> GoDaddy wildcard certificate into the Web Application configuration.
> In Filr I get 2 options to import, Trusted Cert, or Key Pair. I have
> our .crt, a bundle.crt (certificate chain), and our .key file.
> I have managed to import our crt file (it shows up in the list), but
> cannot seem to make it active, even after I reboot the appliance, the
> browser continues to give me a certificate error.
>
> Any ideas? I can't see anything in the docs yet.
>


I finally got this working for a client – though not through the
appliance interface, had to use the appliance command line. Note this
was on a beta version, not release.

I converted the GoDaddy cert + intermediate bundle to PKCS#7 format
and saved that on the appliance as filr.pk7.

Then from the command line I went to the /vastorage/conf/certs
directory, and directly added the certificate to the keystore with:

keytool -import -keystore .keystoredb -alias filr -file filr.pk7

With a reload of the certificate store, I could then see the signed
certificate and get it set as the default cert for the web applications.

H.



0 Likes
Absent Member.

On Wed, 01 May 2013 13:06:30 GMT, Haitch <hamish@haitch.net> wrote:

Missing in the docs:

Generate a p12 file:

openssl pkcs12 -export -in filrbox.crt -inkey filrbox.key -certfile PositiveSSLCA2.crt -out filrbox.p12

In my case, the cert is from PositiveSSL

Import the crt and p12 cert in the appliance in the vaadmin console:
Appliance System Configuration -> Digital Certificates -> Web
Application Certificates and then set it to active.
Restart the filr service and it works 🙂



0 Likes
Absent Member.

mickers;2261181 wrote:
I have Filr up and running (yay), but am trying to install our own GoDaddy wildcard certificate into the Web Application configuration.
In Filr I get 2 options to import, Trusted Cert, or Key Pair. I have our .crt, a bundle.crt (certificate chain), and our .key file.
I have managed to import our crt file (it shows up in the list), but cannot seem to make it active; even after I reboot the appliance, the browser continues to give me a certificate error.

Any ideas? I can't see anything in the docs yet.


Import both your trusted .crt, then import your bundle.crt. Then import your .key file as a key pair and activate the key file.
0 Likes
Absent Member.

Thanks, managed to get this done. For some reason I was reading the menu as 'either' Trusted Cert or Key Pair, as opposed to requiring both.
I have it working on the Filr VM, not yet on DB and Search.
I eventually found it in section 7.4.2 of the Docs (don't remember which section, just jotted this down for reference). Has anyone else been able to search the online docs for Filr, in the newer format? I had to download the PDF to search for the certificate stuff.

Thanks for the replies.
0 Likes
Absent Member.

Thanks for the insight above. For the record, I was also able to get this working using a GoDaddy wildcard cert.

openssl pkcs12 -export -in domain.com.crt -inkey domain.com.key -certfile gd_bundle.crt -out domain.com.p12

Imported the .crt file as a trusted certificate and the .p12 file as a key pair. Made the key pair active and rebooted. All is good.

Lee
Optimal Solutions : Systems Engineering, IP Surveillance and Digital Video Distribution
0 Likes
Absent Member.

In fact the correct command is:

openssl pkcs12 -export -in certificate.crt -inkey private.key -certfile gd_bundle.crt -out domain.com.p12

In fact only domain.com.p12 keypair is needed to import & select as default
(instructions on the import page would be a logical help to have!)

Seb
0 Likes
Absent Member.

One question regarding the wildcard certificate:

I have the signed certificate and the certificate chain. But I do not have a key file. Do I need to generate one? Via openssl or via web GUI?
0 Likes
Absent Member.

You should already have a private key that was created / used when a CSR was created. Most of the time you can find your private key on the servers using the wildcard.

If you are unable to find your private key, you could always re-key your certificate. But the re-keyed certificate would need to be re-applied to all your servers using that wildcard.

More on rekeying from GoDaddy:
https://www.godaddy.com/help/rekey-certificate-4976

Shane Nielson Kind of alright at doing stuff with the computer thing
0 Likes
Absent Member.

I did create the CSR on another server (Exchange).

Should I export the cert in .pfx and then move it to the Filr appliance?
0 Likes
Absent Member.

1. Exported my signed cert from the server where the CSR was generated. Out file in .pfx format.
2. Openssl.exe pkcs12 -in wildcard.pfx -nocerts -out priv.pem
3. Openssl.exe rsa -in priv.pem -out nopass.key
4. openssl pkcs12 -inkey nopass.key -in wildcard.crt -export -out Filr_Keypair.pkcs12
5. Then in the Filr web GUI, import key pair and point to the pkcs12 file.
6. Mark the key pair as active.
7. Import trusted certificate and point to the certificate chain.
8. Mark the key pair again and click update certificate chain.
9. Reboot the Filr appliance.

https://www.novell.com/support/kb/doc.php?id=7014775
https://support.software.dell.com/de-de/sonicwall-email-security/kb/sw10754
https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
0 Likes
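
The checks behind the steps in this thread, as an added example that is not part of any post: confirm the private key belongs to the certificate, confirm the certificate verifies against the bundle, then build the PKCS#12 with the chain included and count what went into it. The CA, the leaf certificate, all file names and the passphrase are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; the CA, leaf, file names and passphrase are constructed.

# key_matches CERT KEY: succeeds only if KEY is the private key for CERT.
# Compares the PEM public key from each; returns 2 if either file is unreadable.
key_matches() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}
# chain_ok CERT BUNDLE: succeeds if CERT verifies against BUNDLE.
# Assumption: BUNDLE holds the issuing chain up to and including the root.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# p12_cert_count P12 PASS: number of certificates stored in a PKCS#12 file.
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT && cd "$work" || exit 1
umask 077   # key material must not be readable by other users

# Constructed stand-ins for the CA bundle, the wildcard key and the wildcard cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out bundle.crt \
  -subj "/CN=Constructed Demo CA" -days 2 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA bundle.crt -CAkey ca.key -CAcreateserial \
  -out leaf.crt -days 1 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null   # does NOT belong to leaf.crt

key_matches leaf.crt leaf.key  && echo "leaf.key matches leaf.crt"
key_matches leaf.crt other.key || echo "other.key does not match leaf.crt"
chain_ok leaf.crt bundle.crt   && echo "leaf.crt verifies against bundle.crt"

# Same shape as the thread's command: leaf cert + key + chain in one file.
openssl pkcs12 -export -in leaf.crt -inkey leaf.key -certfile bundle.crt \
  -out filr.p12 -passout pass:demo-only
echo "certificates in filr.p12: $(p12_cert_count filr.p12 demo-only)"
```

An unencrypted intermediate key such as the nopass.key written in step 3 of the last post deserves the same restrictive umask and should be removed once the PKCS#12 has been imported.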