We are trying to wrap up the setup process for our testing environment. One of the last steps is to apply an SSL certificate to CA Service Catalog. This has been shown to be problematic.
On our production environment, we used a vendor-issued certificate. To appropriately apply this certificate, we had to separate all three levels (root, imt, and domain) of the vendor certificate into .CER files, then import these files directly into a keystore and point the server.xml to the keystore to allow the certificates to run correctly.
However, in the test environment, this appears to be more problematic. The same steps do not appear to work. We are using a self-signed certificate within our test environment instead of a vendor-issued certificate, as it is not necessary. I attempted the same steps above. While non-SSL will load fine, I cannot get SSL to load using a wide variety of different attempts to create the keystore. It just spins and spins.
I have been able to get SSL to load a couple of times, but it loads the .keystore -genkey file, which allows HTTPS to load. But it is not trusted, as it was not issued by our domain certificate authority, so that is not a solution. CA Service Catalog works in every other aspect; we are just having issues with the certificates.
Is there documentation on this? Any help anyone can provide would be much appreciated!
Good Morning Jordan.
Is it correct to say that you also opened a standard case (00932092) for this?
Thanks and kind regards, Louis van Amelsfort.
Yes! But if anyone has any suggestions in the interim I’ll take them.
Good Morning Jordan. Further checking for this showed me the below SM-wiki pages. I hope you do not mind me asking, but did you check on these already? And when yes, which steps of the procedure did you execute and ran okay?
https://docops.ca.com/ca-service-management/14-1/en/implementing/implementing-ca-service-management-14-1/step-7-optional-enable-secured-sockets-layer-ssl-authentication
https://docops.ca.com/ca-service-management/14-1/en/administering/configuring-ca-service-catalog/configure-ca-service-catalog-to-use-secure-socket-layer
https://docops.ca.com/ca-service-management/14-1/en/administering/configuring-unified-self-service/configure-data-sources/how-to-configure-data-sources-to-connect-to-ssl-urls
Thanks in advance for your understanding and kind regards, Louis.
I have been working out of: https://docops.ca.com/ca-service-management/14-1/en/admi…
Setting up the data sources is a step that comes after this process has been completed.
I took the original SELF-SIGNED certificate cert50.cer and exported all three layers of the chain into:
From there I created a blank keystore:
keytool -genkey -alias temp -keystore sm.keystore
keytool -delete -alias temp -keystore sm.keystore
From there I imported the three certificates into the keystore:
keytool -importcert -alias ca -file cert50.cer -keystore sm.keystore
keytool -importcert -alias imt -file cert50imt.cer -keystore sm.keystore
keytool -importcert -alias root -file cert50root.cer -keystore sm.keystore
This results in the following:
At this point I edit the server.xml file with the keystore path and the password for the keystore. I have tried using keyAlias and pointing it to every certificate individually within the keystore, as well as removing that line altogether from the string within the server.xml.
Port 8080 (the HTTP port we are using) will load.
Port 8180 (the HTTPS port we are using) will not load.
We have been able to resolve this problem and just wanted to give you the solution in case anyone else runs into a similar set of problems. This is for applying an SSL certificate to CATALOG via a keystore using a self-signed certificate that was created via a Microsoft Certificate Authority.
1. Receive the original certificate; in our case this was a .cer file.
2. Import .cer file into the server's certificate store (run -> certlm.msc).
3. Export .cer file into a .PFX (make sure to include the entire certificate chain in the export). Define password. Save.
4. Take the .PFX file and dump it into the Service Catalog folder.
5. Right-click and run as administrator the usm file for the Windows command prompt located in the Service Catalog folder.
6. Convert the .PFX into a .JKS keystore for Catalog to work with. This can be done by:
keytool -importkeystore -deststorepass changeit -destkeystore <hostname>.jks -srckeystore c:\certs\<hostname>.pfx -srcstoretype PKCS12 -srcstorepass changeit
7. Verify the import with the following command:
keytool -list -keystore <hostname>.jks
8. You should see a similar result as this:
9. Extract the ROOT certificate from the original .CER file by selecting it out of the chain. Export via an x509 which should export as a .CER file. Dump this file into the Service Catalog folder.
10. Import the root certificate into the keystore above using the following command:
keytool -import -trustcacerts -alias root -file c:\certs\rootCert.cer -keystore <hostname>.jks
11. You should see a similar result as this:
12. Add the variables indicated in the SSL setup instructions into the server.xml. I did not require the use of the keyAlias variable with the HTTPS string.
13. Test your ability to load HTTPS.
This resolved my problem. Thanks to Jason_Wolfe for doing the ground work.
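A small checker for the keytool -list verification steps above, added here as an illustration and not part of the thread or of CA's own tooling: it parses the listing and flags the situation from the first attempt, where importing only .cer files produces trustedCertEntry items but no PrivateKeyEntry, so the HTTPS connector has no key to serve. The listings, aliases and fingerprints below are constructed.

```python
"""Check non-verbose `keytool -list` output for what a Tomcat HTTPS connector needs.
Constructed example: the keystore must hold a PrivateKeyEntry (server certificate plus
private key, which the PFX import creates); the thread also adds the root as trustedCertEntry."""
import re

ENTRY_KINDS = {"PrivateKeyEntry", "trustedCertEntry", "SecretKeyEntry"}


def parse_listing(text: str) -> dict[str, list[str]]:
    """Map entry kind -> aliases; the alias is the first comma-separated field of an entry line."""
    entries: dict[str, list[str]] = {k: [] for k in ENTRY_KINDS}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        kind = next((p for p in parts if p in ENTRY_KINDS), None)
        if kind:
            entries[kind].append(parts[0])
    return entries


def check_listing(text: str, root_alias: str = "root") -> dict[str, object]:
    """Verdict: 'problems' is empty when the keystore can back an HTTPS connector."""
    entries = parse_listing(text)
    problems = []
    if not entries["PrivateKeyEntry"]:
        problems.append("no PrivateKeyEntry: only certificates were imported, no private key")
    if root_alias not in entries["trustedCertEntry"]:
        problems.append(f"no trustedCertEntry with alias '{root_alias}'")
    reported = re.search(r"keystore contains (\d+) entr", text)
    found = sum(len(v) for v in entries.values())
    if reported and int(reported.group(1)) != found:
        problems.append(f"header reports {reported.group(1)} entries, parsed {found}")
    return {"entries": entries, "problems": problems, "ok": not problems}


# Constructed listings mirroring the two attempts in the thread (fingerprints are fake).
CERTS_ONLY = """Your keystore contains 3 entries

ca, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11
imt, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22
root, Jan 5, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 33:33:33:33
"""
PFX_PLUS_ROOT = """Your keystore contains 2 entries

catalog.example.test, Jan 6, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 44:44:44:44
root, Jan 6, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 33:33:33:33
"""
```

Feed check_listing the output of keytool -list -keystore <hostname>.jks; a non-empty problems list means the keystore still cannot serve HTTPS.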
Glad to help Jordan, thanks for closing the loop here!