In this video, I will discuss how to create
and install a new server certificate for
the Forcepoint Management Infrastructure.
We will go through the following steps.
First we will perform a backup of the
Forcepoint management infrastructure.
Next, we will prepare the Forcepoint Security
Manager server environment by editing
the openssl.cnf file and
setting the environment variable for openssl.
We will then generate a certificate key
and certificate signing request.
Finally, we will install the new certificate
and encode the password.
Perform a backup of the Forcepoint Management Infrastructure
Prior to performing the new certificate process,
ensure that a proper Forcepoint Infrastructure
backup has been taken to easily
restore from if issues arise.
To launch an immediate backup,
open Administrative Tools and
select Task Scheduler.
In the Task Scheduler window, select
Task Scheduler Library.
If the Triton backup task is disabled,
right click the task and select enable.
Right click the Triton backup task
and select Run.
Check that the backup has completed successfully
and that the files have been saved in the C:\EIPbackup
folder.
Prepare the Forcepoint Security Manager Server Environment
Here I am logged onto the Forcepoint Security Manager.
I browse to the "conf" folder and
make a backup of the openssl.cnf file
to an external location.
Next we will open this file and
make some changes to it.
I search for "req" and press enter,
and on the very next line
I add:
req_extensions = v3_req
Next I search for "v3_req", press enter
and on the very next line, I add:
subjectAltName = @alt_names
After this, I scroll down right to the
end of the file
and add a new section for
[alt_names], where I will
provide information about my
Forcepoint server.
These additions to the openssl.cnf file
specify the subject alternative
names, or "SANs",
to be included in the certificate signing request
we will generate in the next section.
In DNS.1, we give the
Fully Qualified Domain Name of
my Forcepoint server.
In DNS.2,
we give the host name or computer name.
DNS.3 is for the IP address,
and IP.1 is for any other
IPs I may have assigned to my
server.
Now we will find the values from
our Forcepoint Security Manager server,
to fill in this section of our openssl.cnf file.
Open Server Manager and click on your
computer name.
Here you will find the Fully Qualified Domain
Name of your Forcepoint security Manager
server.
Simply copy the value from here.
We can now paste this value
in DNS.1
DNS.2 is our server's host
name and we can just copy out the host
name part from Fully Qualified Domain
Name and add it here.
For DNS.3, we need the IP
address of our server, which again
we can get from the Server Manager window we
already have open.
I do not have any further IPs assigned
to my Forcepoint Security Manager server,
so I will delete the last row.
Add additional DNS or IP values
as needed to cover all the possible
DNS host names and IPs
used by your Forcepoint Manager.
Depending on the signing authority, some
fields may not be necessary or valid,
so confirm with your authority beforehand.
I will also show you how you can gather the same
information using the command prompt.
To find the host name of your Forcepoint Security
Manager server,
simply type the command: hostname
To get the IP address of our Forcepoint
Security Manager server, we run:
ipconfig
Then we run: ping -a <ip address of our server>
This gives the Fully Qualified Domain Name
of our Forcepoint Security Manager server.
We can use this information to populate
the openssl.cnf file,
same way I showed you earlier.
After making these changes, we can save the file.
Next we will set an operating system
environment variable for openssl,
pointing to the Apache openssl.cnf file.
Open an administrative command prompt
and navigate to the ssl directory.
Use the following command
to set the operating system environment
variable openssl_conf
pointing to the apache\openssl.cnf file.
Note that the path to openssl.cnf
will differ
if the management infrastructure has
been installed to a location other
than the default.
Update this path as necessary.
To confirm that we have set our environment
variable correctly,
run the following command
and ensure it returns the correct location.
As we can see, our openssl_conf
operating system environment variable
has been set correctly
to our apache\conf\openssl.cnf path.
Setting openssl_conf
can also be done from Control Panel
under System > Environment Variables,
giving EIP Infra\apache\conf\openssl.cnf
as the variable value.
Generate a certificate key and Certificate Signing Request
For creating the Certificate Signing Request
or CSR, first we will generate
the certificate key.
For this we will use the command prompt and
ensure that our path is set to the ssl directory.
We will run the command to generate the key
and set its pass phrase.
Here, enter a pass phrase for
httpd-server.key, verify
it, and make a note of it, as
we will need it again.
We can see in our ssl folder
shown on the right hand of the screen,
httpd-server.key
has been created successfully.
Now that we have created our key,
we will generate the certificate signing request
or CSR,
using the key and the pass phrase set
in the previous step.
If you require a stronger signature
algorithm, add -sha512 to the command.
Enter the command, then enter the pass phrase
we created in the previous step.
Complete the various prompts that appear.
In common name, enter the fully qualified
domain name of Forcepoint Security
Manager server.
This will create httpd-server.csr,
the certificate signing request,
under the ssl directory, which
we can send to our certificate signing
authority to generate a certificate
based on our CSR.
We need to do one more thing here, which
is to create an unencrypted key
from the key we had created earlier.
We will then use this key to install
along with the certificate when we have
received the certificate from our CA.
Again, ensuring we are in our ssl
directory on the command prompt,
we run the command providing the same
pass phrase we used in previous step.
Note that this has output
server.key.unsecure in the
ssl directory.
We will now rename the
server.key.unsecure as
httpd-server.key.
To do this, I will first rename my original
httpd-server.key with a .backup extension
so that I can rename my unsecure
key as httpd-server.key,
as this is what I
will need to install with my certificate.
Before sending your CSR to your certification
authority to generate your certificate,
check that it has the correct SANs,
or subject alternative names, that
we specified earlier in the
openssl.cnf file.
For this we run the command shown on the screen.
This opens up the CSR,
and we can see that under requested extensions
we have subject alternative names
listing all the SANs we added
to the openssl.cnf file.
At this stage, you can send the CSR to the
certificate signing authority, preferably
via a web interface.
The web interface can output the certificate
as a PEM Base64 certificate.
DER certificates are incompatible
with Apache httpd services.
If you cannot use a web interface, convert
the certificate from DER to
PEM Base64 using
openssl.
If you're using a third-party certificate vendor,
in order to get the correct certificate type,
select Apache web server as the target server.
Install the new certificate and encode the password
The certificate generated by the signing
CA and the certificate key
can now be used by the Forcepoint management
infrastructure.
First I will rename the certificate sent
by the CA to httpd-server.cer.
Next I will open the
httpd folder,
which has the current certificate and key
being used by the management server.
I will back up both my key and
the certificate to an external location.
I will now stop and disable the Websense
Triton Web server service.
Now we will copy the new
httpd-server.cer
and httpd-server.key
from the ssl folder to the httpd folder, overwriting the existing files.
Next, we will back up the EIP infra
registry location.
Now we are ready to run the command which
will convert our .key to the
necessary pkcs8 format.
Note here that -inform can
be set to PEM or DER depending
on the format of the key you are converting.
Provide the password for the key and press enter.
Now verify that the new key file
has been created:
httpd-server.key.pk8
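The key, CSR, SAN check, unencrypted key and PKCS#8 steps above, plus the [alt_names] additions to openssl.cnf, as one added example script (not from the video or from Forcepoint). It assumes the openssl CLI is on the PATH; the host names, IP address and pass phrase are constructed placeholders, and -config is used in place of the openssl_conf environment variable.

```shell
#!/bin/sh
# Added example, not from the video: key -> CSR -> SAN check -> unencrypted
# key -> PKCS#8 with the openssl CLI. Names, IPs and pass phrase are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping" >&2; exit 0; }
WORKDIR=$(mktemp -d)
FQDN="fsm01.example.test"   # DNS.1: fully qualified domain name (constructed)
SHORT="fsm01"               # DNS.2: host name only
IP="192.0.2.10"             # DNS.3 and IP.1: server address
PASS="pass:ChangeMe-123"    # demo pass phrase only

# Minimal openssl.cnf carrying the three additions made in the video:
# req_extensions under [req], subjectAltName under [v3_req], and [alt_names].
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no
[req_dn]
CN = $FQDN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $FQDN
DNS.2 = $SHORT
DNS.3 = $IP
IP.1 = $IP
EOF
}

make_key_and_csr() {
  cd "$WORKDIR"
  openssl genrsa -aes256 -passout "$PASS" -out httpd-server.key 2048   # encrypted key
  openssl req -new -sha512 -key httpd-server.key -passin "$PASS" \
    -config openssl.cnf -out httpd-server.csr                          # CSR with SANs
  openssl rsa -in httpd-server.key -passin "$PASS" -out server.key.unsecure
  openssl pkcs8 -topk8 -inform PEM -in server.key.unsecure \
    -passout "$PASS" -out httpd-server.key.pk8                         # .pk8 for Apache
}

# Print the SAN line of the CSR so it can be checked before sending it to the CA.
csr_sans() {
  openssl req -in "$WORKDIR/httpd-server.csr" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

write_config; make_key_and_csr
echo "CSR SANs: $(csr_sans)"
```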
Next we will use bls.exe
to encode the password set in the key
file within the Windows registry for EIP
so that Apache can read it without
it being in plain text.
From command prompt, navigate to
apache\bin folder and then
execute the command
bls.exe encrypt [your desired password] set
We will now check our registry key for
password.
Here we need to ensure that
Apassphrase password string
is exactly the same as the
one generated by our previous
bls.exe command.
If it is not the same, you can manually
copy and paste the password in the
reg key value.
If no such key exists, create a
DWORD type key and enter the
password string as the value.
Next we will check our file,
httpd-ssl.conf
and make sure that the line showing on the screen
is commented out.
As a final check, ensure that
all the files,
httpd-server.cer,
httpd-server.key and
httpd-server.key.pk8,
are present within the Websense
httpd directory.
The certificate creation and installation
process is now complete.
Lastly, we will enable and start
our Websense Triton Web Server service.
To verify that the new server certificate
has been successfully installed,
open Forcepoint Security Manager in
the browser and check your certificate
details.
This concludes our video on how to
create and install a server certificate
for the Forcepoint management infrastructure.
I hope you have found this video KB useful.
Thank you for watching.