Sentinel with wildcard certificate using Organizational CA

Why wildcard certificate?

The main advantage of a wildcard certificate is that the same certificate can be used for multiple subdomains of a domain. It is cheaper and more convenient than buying a separate certificate for each host name.

A single wildcard certificate for *.Atlas.com will secure all of these domains:

  • testing.Atlas.com

  • development.Atlas.com

  • intranet.Atlas.com

  • www.Atlas.com


Instead of getting separate certificates for each subdomain, you can use a single certificate for the domain and its subdomains and save money.

Let's start and see how to configure a wildcard certificate with the Sentinel server (web server). In my example, I will be using Microsoft Windows 2008 R2 as the Certificate Authority to get my CSR signed.
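As an added example (not part of the original article), the following Python script implements the wildcard name matching rule that browsers apply when they compare a certificate's CN or SAN dNSName against the host name in the URL (RFC 6125 section 6.4.3). It shows what the list above means in practice: *.Atlas.com covers every single-label subdomain, compared case-insensitively, but it does not cover Atlas.com itself or a deeper name such as a.b.Atlas.com. The host names in the script are the article's plus two constructed edge cases.

```python
"""Check which host names a wildcard certificate name covers.

Added example, not from the original article. Implements the matching rule
browsers apply to a certificate's CN / SAN dNSName (RFC 6125 section 6.4.3):
the '*' must be the entire leftmost label and matches exactly one label, so
"*.Atlas.com" covers "www.Atlas.com" but neither "Atlas.com" itself nor
"a.b.Atlas.com". DNS names compare case-insensitively.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be the wildcard, and at least two labels
    # must follow it (browsers reject "*.com"); reject "w*.atlas.com" as well.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # One wildcard label consumes exactly one host-name label, no more.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hosts(pattern: str, hostnames):
    """Split host names into those the certificate covers and those it does not."""
    covered = [h for h in hostnames if wildcard_matches(pattern, h)]
    not_covered = [h for h in hostnames if not wildcard_matches(pattern, h)]
    return covered, not_covered


if __name__ == "__main__":
    # Host names from the article plus two constructed edge cases (apex, two levels deep).
    hosts = ["testing.Atlas.com", "development.Atlas.com", "intranet.Atlas.com",
             "www.Atlas.com", "server1.atlas.com", "Atlas.com", "a.b.Atlas.com"]
    ok, bad = covered_hosts("*.Atlas.com", hosts)
    print("covered by *.Atlas.com:    ", ok)
    print("not covered by *.Atlas.com:", bad)
```

If the apex name or a deeper subdomain must also be served, the certificate needs a separate SAN entry for it; the wildcard alone will not do.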

Step 1:

Create a key pair and a certificate signing request (CSR) with the Java keytool -genkey and -certreq commands:

Command:

/opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity 365 -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=*.Atlas.com,OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password

The -storepass/-keypass value "password" and the -dname fields are example values: use your own keystore password and your organization's DN, keeping CN set to the wildcard name.


Step 2:

Get the CSR signed by the organizational CA, in our case the Windows 2008 R2 server.

Pre-requisite:

  1. Make sure the Certificate Authority role and the IIS-based CA web enrollment pages are installed.


Steps to get your CSR signed:

  1. Browse to your internal CA web enrollment pages.

  2. Select Request a certificate.

  3. Select advanced certificate request.

  4. Select the Submit a certificate request link.

  5. Open the previously created request file (.webserverkeystore.csr) in Notepad and copy all of its contents to the clipboard. Paste the clipboard into the Saved Request box.
    Select the Web Server template.
    Click Submit.

  6. When the CA has done its job it will offer you the ability to download the certificate.
    Select Base 64 and select Download certificate.


Step 3:

Download the root CA certificate.

  1. Select Download CA certificate, certificate chain, or CRL.

  2. Select Base 64 and select Download CA certificate.


Step 4:

Now use the .webserverkeystore.jks keystore generated in Step 1 and import into it the certificates obtained in Steps 2 and 3.

  1. Copy the .webserverkeystore.jks file (generated in Step 1), the root CA certificate and the signed certificate (Steps 2 and 3) to the Sentinel server. The commands below assume the certificates were copied to /opt/cert/.

  2. Back up the default self-signed keystore:
    Command:
    mv /etc/opt/novell/sentinel/config/.webserverkeystore.jks /etc/opt/novell/sentinel/config/.webserverkeystore.jks_bkp

  3. Copy the .webserverkeystore.jks file from point 1 to /etc/opt/novell/sentinel/config/
    Command:
    cp .webserverkeystore.jks /etc/opt/novell/sentinel/config/

    Note: make sure this file is owned by the novell user, with the same permissions as the keystore you backed up.

  4. Import the root CA certificate and then the signed certificate into the .webserverkeystore.jks keystore. Import the root CA first: keytool needs it to build and verify the chain when the signed certificate is imported under the webserver alias.
    Command:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias rootca -file /opt/cert/rootca.cer -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

    Command:
    /opt/novell/sentinel/jdk/jre/bin/keytool -importcert -alias webserver -file /opt/cert/certnew.cer -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password


Step 5:

  1. Now list the keystore and check that all the certificates were imported successfully.
    Command:
    /opt/novell/sentinel/jdk/jre/bin/keytool -list -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password

  2. To get detailed output:
    Command:
    /opt/novell/sentinel/jdk/jre/bin/keytool -list -v -keystore /etc/opt/novell/sentinel/config/.webserverkeystore.jks -storepass password


Note:
Check for the following in the detailed output:
Alias name: webserver
Entry type: PrivateKeyEntry
Certificate chain length: 2
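As an added example (not part of the original article), the following Python script automates the check described in the note above: it parses the text that keytool -list -v prints and reports whether the webserver entry is a PrivateKeyEntry with a two-certificate chain whose leaf carries the wildcard CN and is issued by the imported root CA. Both listings embedded in the script are constructed to mirror keytool's output layout (the distinguished names are the article's; dates and other values are placeholders); the second one shows how the keystore looks if Step 4 was skipped, with the self-signed placeholder certificate that -genkey leaves behind.

```python
"""Validate `keytool -list -v` output for the Sentinel web server keystore.

Added example, not from the original article. Parses the listing that
Step 5 tells you to inspect and reports whether the `webserver` entry looks
like a correctly imported, CA-signed wildcard certificate. The sample
listings are constructed to mirror keytool's layout; dates and names other
than the article's DNs are placeholders.
"""
import re

# Constructed listing of the keystore after Step 4 (root CA + signed wildcard cert).
GOOD_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: rootca
Creation date: Jun 28, 2017
Entry type: trustedCertEntry

Owner: CN=Atlas-RootCA, DC=Atlas, DC=com
Issuer: CN=Atlas-RootCA, DC=Atlas, DC=com

*******************************************
*******************************************


Alias name: webserver
Creation date: Jun 28, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.Atlas.com, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US
Issuer: CN=Atlas-RootCA, DC=Atlas, DC=com
Certificate[2]:
Owner: CN=Atlas-RootCA, DC=Atlas, DC=com
Issuer: CN=Atlas-RootCA, DC=Atlas, DC=com
"""

# Constructed listing of the keystore as keytool -genkey leaves it (Step 1 only):
# the entry still carries its self-signed placeholder certificate.
SELF_SIGNED_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: webserver
Creation date: Jun 28, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.Atlas.com, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US
Issuer: CN=*.Atlas.com, OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US
"""


def parse_listing(text):
    """Return {alias: {"type": entry type, "chain": [(owner, issuer), ...]}}."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.MULTILINE)[1:]:
        lines = block.splitlines()
        entry = {"type": None, "chain": []}
        owner = None
        for line in lines[1:]:
            if line.startswith("Entry type:"):
                entry["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("Issuer:") and owner is not None:
                entry["chain"].append((owner, line.split(":", 1)[1].strip()))
                owner = None
        entries[lines[0].strip()] = entry
    return entries


def cn_of(dn):
    """Extract the CN attribute from a distinguished-name string."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None


def check_webserver_entry(text, alias="webserver", expected_cn="*.Atlas.com", ca_alias="rootca"):
    """Return a list of problems; an empty list means the listing matches Step 5's expectations."""
    entries = parse_listing(text)
    problems = []
    if ca_alias not in entries or entries[ca_alias]["type"] != "trustedCertEntry":
        problems.append(f"no trustedCertEntry named {ca_alias!r} (root CA not imported)")
    if alias not in entries:
        return problems + [f"no entry named {alias!r}"]
    entry = entries[alias]
    if entry["type"] != "PrivateKeyEntry":
        problems.append(f"{alias!r} is {entry['type']}, expected PrivateKeyEntry")
    chain = entry["chain"]
    if len(chain) < 2:
        problems.append(f"certificate chain length is {len(chain)}, expected 2 (signed cert not imported?)")
    if chain:
        leaf_owner, leaf_issuer = chain[0]
        if cn_of(leaf_owner) != expected_cn:
            problems.append(f"leaf CN is {cn_of(leaf_owner)!r}, expected {expected_cn!r}")
        if leaf_owner == leaf_issuer:
            problems.append("leaf certificate is self-signed (keystore still has the -genkey placeholder)")
    # Each certificate must be issued by the next one up the chain.
    for (_, issuer), (next_owner, _) in zip(chain, chain[1:]):
        if issuer != next_owner:
            problems.append(f"chain break: issuer {issuer!r} != next owner {next_owner!r}")
    return problems


if __name__ == "__main__":
    print("after Step 4: ", check_webserver_entry(GOOD_LISTING) or "OK")
    print("before Step 4:", check_webserver_entry(SELF_SIGNED_LISTING))
```

On a real server, feed the script the output of the Step 5 command (for example keytool -list -v ... | python3 check_keystore.py with a small sys.stdin.read() wrapper); a chain length of 1 with Owner equal to Issuer means the signed certificate was never imported and Sentinel will still present the self-signed certificate.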

Step 6:

Restart the Sentinel service.
Command:
rcsentinel restart


Step 7:

Import the root CA certificate into the browser of your choice and access the Sentinel server using its FQDN.
Example: https://server1.atlas.com:8443/

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
Nice article, but should really be using the ./ssl_certs from the /opt/novell/sentinel/setup directory... it'll do all the keystore work.
Thank you!...
I have reviewed the 'ssl_certs' script before using the keytool commands; also, this script does not have control over a few additional parameters to specify during the CSR creation, e.g. if the user wants to specify the validity period of the certificate on their own, a dname with a wildcard DNS name, etc. That's the reason I have used the keytool command directly.

/opt/novell/sentinel/jdk/jre/bin/keytool -genkey -alias webserver -validity 365 -storetype JKS -keyalg RSA -keysize 2048 -storepass password -keypass password -keystore .webserverkeystore.jks -dname "CN=*.Atlas.com,OU=Security, O=Microfocus.com, L=Vienna, ST=Washington, C=US" && /opt/novell/sentinel/jdk/jre/bin/keytool -certreq -alias webserver -file .webserverkeystore.csr -keystore .webserverkeystore.jks -storepass password
Last update: 2017-06-28 23:56