Sentinel Using Externally Signed Certificates

By default Sentinel creates a self-signed certificate which would be valid for 100 years. Due to security reasons we should sign the SSL certificate with Certificate Authority.

This document describes the steps involved in creating a custom certificate for Sentinel with the third-party CA.

I am using a free SSL Trial of external Certificate Authority (Thawte) here for testing.

Step 1:

Creating the Certificate Signing Request

/opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity 365 -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=server1.Atlas.com,OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" -ext san=dns:server1.Atlas.com,dns:server2.Atlas.com && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password

Note:

• The above command generates a Certificate Signing Request (CSR), using the PKCS#10 format.



• A CSR is intended to be sent to a certificate authority (CA). The CA will authenticate the certificate requestor (usually off-line) and will return a certificate or certificate chain, used to replace the existing certificate chain (which initially consists of a self-signed certificate) in the keystore.

Step 2:

Getting a Signed Certificate

alt="ca10" width="500" height="256" />

Step 3:

Check your inbox for an email from Thawte.

This email will contain your signed certificate, intermediate certificate and root certificate.

Importing the Signed Certificates and Root Certificate into Sentinel truststore

Step 4:

Now we need to import these certificates into .webserverkeystore.jks keystore generated in the step #1 and the certificates copied in the step #3.

1. Copy the .webserverkeystore.jks file (generated in step#1) and the certificates saved in the step#3 to Sentinel server.


2. Backup the default self-signed certificate:
   Command:
   

   mv /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp



3. Copy the .webserverkeystore.jks file mentioned in the point#1 to /etc/opt/novell/sentinel/config/
   Command:
   

   cp .webserverkeystore.jks /etc/opt/novell/sentinel/config/

   
   Note: make sure this file has novell permission.


4. Import the intermediate certificate first --> then the root certificate --> and then the signedcert

• Command to import intermediate certificate:
  

  /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias inter -file /opt/cert/intermediate.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

• Command to import root certificate:
  

  /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias root -file /opt/cert/root.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

• Command to import signedcert:
  

  /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/signedcert.pem -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

• The intermediate and root certificate should have different alias names, but the signed certificate should be imported with the same alias that was used while creating a certificate pair.



• After importing all three certificates you should see : " Certificate reply was installed in keystore " message.

Step 5:

1. Now list the keystore and check if all the certificates are imported successfully.
   Command:
   

   /opt/novell/sentinel/jdk/jre/bin/keytool -list  -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password



2. To get a detailed output:
   Command:
   

   /opt/novell/sentinel/jdk/jre/bin/keytool -list -v -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

Note:

Check for the following in the detailed output:

Step 6:

Step 7: