
SMC 3.x New Installation -- How to create a certificate request?

Doing an installation of SMC 3.0.0.6, and want to use a trusted issuer certificate so that Android phones will work properly with this... but, no GUI or instructions (anywhere that I can find, KB, docs, etc.) on how to generate a proper CSR request that will leave me with the private key needed to import a cert into the system during setup.  My cert provider had a procedure for Tomcat, and that seemed to halfway work (keytool was there)... but I don't have a .pem file to "feed" the install wizard when it prompts for it.  This should really be documented better.

Anyway, anyone have a clue?

  • After posting the steps provided by Sophos I thought I'd give this a whirl myself. Well, after a few failed attempts (mainly with Step C) I managed to get it all up and running....

    Beforehand I'd like to point out our environment as you may need to change the directories in the example below to match your set-up:

    1. We are already running SMC version 3.0.0.6 (so it's been set-up using a self signed cert)
    2. Server is Windows 2012 Standard x64
    3. Java v7.x
    4. We downloaded the Root and Intermediate cert files from the signing CA.
    5. We are not using wildcards certs (See above post if you need notes on this)

    NB. Some CAs chain the Root and Intermediate certs together.

    So, onwards and upwards...

    For the purpose of this example we'll call the domain smc.domain.com

    NB: Please run the following steps from the Sophos Mobile Control server as the local or domain administrator. 

    Step A - Create a new keystore

    You will be using the keytool command to create your new key-CSR pairing...

     

    1. From the 'C:\Program Files\Java\jre7\bin' directory on the Sophos SMC Server enter the following at the command prompt:
    • keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore smc.domain.com.jks

     

    2.    Enter a keystore password (make note of this password for future use)

    3.    You will be prompted for the DN information. 

    4.    Please note: when it asks for first and last name, this is not YOUR first and last name, but rather your domain name and extension (i.e., smc.domain.com).

    5.    Confirm that the information is correct by entering 'y' or 'yes' when prompted. Next you will be asked for your password to confirm. Make sure to remember the password you choose. 

    Step B - Generate your CSR with your new keystore

    Next, use keytool to actually create the Certificate Signing Request...

     

    1. From the 'C:\Program Files\Java\jre7\bin' directory on the Sophos SMC Server enter the following at the command prompt:
    • keytool -certreq -alias server -keyalg RSA -file smc.domain.com.csr -keystore smc.domain.com.jks

     

    2.    Enter the keystore password.

    3.    Then the SSL Certificate CSR file is created and ready to be submitted to your web hosting provider.  - Just open the smc.domain.com.csr file in the 'C:\Program Files\Java\jre7\bin' directory using something like notepad and copy all the text and submit this to your Certificate Authority.

    Step C - Generating your Private Key file from your new keystore

    Generate  the RSA private key from your keystore file...

     

    1. From the 'C:\Program Files\Java\jre7\bin' directory on the Sophos SMC Server enter the following at the command prompt:
    • keytool -v -importkeystore -srckeystore smc.domain.com.jks -srcalias server -destkeystore smc.domain.com.p12 -deststoretype PKCS12

     

    2.    Enter a private key password (make note of this password for future use)

    3.    Enter the keystore password set in Step A2 above.

    !  [Storing smc.domain.com.p12] message appears if successful.

    Open the P12 file in order to copy the RSA private key information to your .key file....

     

    4.    Copy the 'smc.domain.com.p12' file from 'C:\Program Files\Java\jre7\bin' directory to: 'C:\Program Files (x86)\Sophos\Sophos Mobile Control\tools\Wizard\certs'

    5.    From the 'C:\Program Files (x86)\Sophos\Sophos Mobile Control\tools\Wizard\certs' directory enter the following command:

    • openssl pkcs12 -in smc.domain.com.p12 -nocerts -nodes

     

    6.    Enter the private key password you set in Step C2 above.

    ! This will display your RSA Private Key information:

    7.    Next you will need to copy the RSA Private Key text (see example in PINK below) and paste it into a text file.

    -----BEGIN RSA PRIVATE KEY-----


    -----END RSA PRIVATE KEY-----

    8.    Name this text file smc.domain.com.key and save to 'C:\Program Files (x86)\Sophos\Sophos Mobile Control\tools\Wizard\certs'

    Step D – Add the signed CA certificate to the Sophos Mobile Control solution

    1. Run the Sophos Mobile Control installer again
    2. Click Yes when prompted to confirm you want to reconfigure the database
    3. Click Yes to confirm that you want to stop the service
    4. Skip the database configuration
    5. Select the option to Configure Service Certificate
    6. Choose the option to Import a certificate from a trusted provider
    7. From the drop down choose to import the separate files (I forgot the wording)
    8. Import the signed certificate you should have received back from your trusted CA. (Normally a .crt file with your domain in it, E.g. smc.domain.com.crt)
    9. Import the smc.domain.com.key private key file from 'C:\Program Files (x86)\Sophos\Sophos Mobile Control\tools\Wizard\certs' (Created in Step C5 above)
    10.  Import the Trusted CA Root certificate and if needed the Trusted CA Intermediate certificate. As mentioned before, some CAs bundle these as one .crt file. If so, just add this to the Root CA option in the wizard.
    11.  Enter the private key password
    12. Follow the wizard to the end and once the services have successfully started you should now have https://smc.domain.com up and running with a signed SSL certificate.

    Happy days,

    Kind regards,

    John

    P.S. Please feel free to update this thread if I've made any errors, and I will correct the post accordingly.
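
A check to run between Step C and Step D, as an added example that is not part of the original post or of Sophos's documentation: it writes the key from the .p12 directly to an owner-only file instead of copying it off the screen, then confirms the key belongs to the certificate before the wizard is fed either file. It assumes `openssl` on the PATH and a POSIX shell (for example Git Bash on Windows); the function names, file names and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-import checks for the files produced in Steps C and D.

# Exit 0 only if the private key in $1 belongs to the certificate in $2.
# Compares the public key derived from each file; 2 means a file was unreadable.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Step C5 without the copy-and-paste: write the key straight to a file that
# only the current user can read. $1 = .p12, $2 = output .key,
# $3 = openssl password source (pass:..., file:..., stdin).
# For interactive use, drop -passin so openssl prompts and the password
# never appears on the command line.
extract_key() {
    ( umask 077
      openssl pkcs12 -in "$1" -nocerts -nodes -passin "$3" -out "$2" 2>/dev/null )
}

# Constructed stand-ins for the keystore export and the CA reply: one key with
# its certificate bundled into a .p12, plus an unrelated key.
# Prints "match" for the extracted key, then "mismatch" for the unrelated one.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=smc.domain.com" \
        -keyout "$d/orig.key" -out "$d/smc.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/smc.crt" \
        -passout pass:constructed -out "$d/smc.p12"
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    extract_key "$d/smc.p12" "$d/smc.key" pass:constructed
    for k in "$d/smc.key" "$d/other.key"; do
        if key_matches_cert "$k" "$d/smc.crt"; then echo match; else echo mismatch; fi
    done
    rm -rf "$d"
}

demo
```

The extracted file may start with "Bag Attributes" lines ahead of the PEM block; `openssl pkey` skips them, so the comparison works on the file exactly as `openssl pkcs12` wrote it.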
