Sentinel Using Externally Signed Certificates

Sentinel Using Externally Signed Certificates

By default Sentinel creates a self-signed certificate which would be valid for 100 years. Due to security reasons we should sign the SSL certificate with Certificate Authority.



This document describes the steps involved in creating a custom certificate for Sentinel with the third-party CA.



I am using a free SSL Trial of external Certificate Authority (Thawte) here for testing.



Step 1:


Creating the Certificate Signing Request



/opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity 365 -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=server1.Atlas.com,OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" -ext san=dns:server1.Atlas.com,dns:server2.Atlas.com && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password


Note:




  • The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.


  • A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.


Step 2:


Getting a Signed Certificate



Go to your third party CA website Eg: http://www.thawte.com/

I am using a free SSL Trial here for testing.

ca4



ca5



ca6



ca7



ca8



ca9



<img class="alignnone size-medium wp-image-95473" src="https://www.netiq.com/communities/cool-solutions/wp-content/uploads/sites/2/2017/06/ca10-500x256.png"

alt="ca10" width="500" height="256" />



ca11



Step 3:



Check your inbox for an email from Thawte.



This email will contain your signed certificate, intermediate certificate and root certificate.



ca12



ca13



ca14



ca15



Importing the Signed Certificates and Root Certificate into Sentinel truststore




Step 4:



Now we need to import these certificates into .webserverkeystore.jks keystore generated in the step #1 and the certificates copied in the step #3.



  1. Copy the .webserverkeystore.jks file (generated in step#1) and the certificates saved in the step#3 to Sentinel server.

  2. Backup the default self-signed certificate:
    Command:
    mv /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp

  3. Copy the .webserverkeystore.jks file mentioned in the point#1 to /etc/opt/novell/sentinel/config/
    Command:
    cp .webserverkeystore.jks /etc/opt/novell/sentinel/config/

    Note: make sure this file has novell permission.

  4. Import the intermediate certificate first --> then the root certificate --> and then the signedcert



  • Command to import intermediate certificate:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias inter -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password



  • Command to import root certificate:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias root -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password



  • Command to import signedcert:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password


Note:


  • The intermediate and root certificate should have different alias names, but the signed certificate should be imported with the same alias that was used while creating a certificate pair.


  • After importing all three certificates you should see : " Certificate reply was installed in keystore " message.


Step 5:



  1. Now list the keystore and check if all the certificates are imported successfully.
    Command:
    /opt/novell/sentinel/jdk/jre/bin/keytool -list  -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

  2. To get a detailed output:
    Command:
    /opt/novell/sentinel/jdk/jre/bin/keytool -list -v -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password


Note:


Check for the following in the detailed output:



Alias name: webserver
Entry type: PrivateKeyEntry
Certificate chain length: 3

Step 6:



Restart sentinel service
Command:
rcsentinel restart

Step 7:



Import the intermediate certificate and the root certificate in browser of your choice and access Sentinel Server using the FQDN.
Ex: https://server1.atlas.com:8443/

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
I get warnings and it didn't work:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore .webserverkeystore.jks -destkeystore .webserverkeystore.jks -deststoretype pkcs12".

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore .webserverkeystore.jks -destkeystore .webserverkeystore.jks -deststoretype pkcs12".
Warnings are just that, warnings. Have you tried validating the contents of the keystore using the commands in the solution? "it didn't work" means what exactly?
Is it possilbe that the Sentinel Server needs Internet Access? At the moment this is not the case .....
Possibly for CRL/OCSP
Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2017-06-22 23:19
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.