How to import a DigiCert wildcard certificate in Filr

  • 7024611
  • 07-May-2020
  • 07-May-2020

Environment

Filr 4
DigiCert

Situation

The Filr administrator wants to import a DigiCert wildcard certificate.

Resolution

Method 1

Assuming:
  • You have already downloaded the certificate from DigiCert and
  • You are naming the certificate "filr-cert"

Follow these steps:

1. In the port 9443 Console of the Filr appliance, begin by clicking the "Digital Certificates" tile.
2. Click File > Import > Trusted Certificate
3. Browse and select the DigiCert certificate "CACertificate-ROOT-3.cer". Import the Trusted Certificate.
4. You will be prompted to "Please restart server for certificate to take effect." Do not reboot at this time.
5. Click File > Import > Trusted Certificate
6. Browse to and select the existing certificate CACertificate-INTERMEDIATE-1.cer. Import the Trusted Certificate.
7. You will be prompted to "Please restart server for certificate to take effect." Do not reboot at this time.
8. Click File > Import > Trusted Certificate
9. Browse to and select the existing certificate CACertificate-INTERMEDIATE-2.cer. Import the Trusted Certificate.
10. You will be prompted to "Please restart server for certificate to take effect." Do not reboot at this time.
11. In the list of Digital Certificates, highlight the certificate used to create the CSR (filr-cert, in this example).
12. Click File > Certification Request > Import CA Reply
13. Browse to and select ServerCertificate.cer
14. You will be prompted to "Please restart server for certificate to take effect." Do not reboot at this time.
15. Optionally, view info on the Key Pair. You should see entries, including the "DigiCert Global Root CA" with "Subject", "Issuer", "Serial Number", "Valid From" and "Valid To".
16. With the "Key Pair" entry for the certificate you are installing (filr-cert) highlighted, click "Update Certificate Chain". Answer "Yes" when prompted to update the trust chain.
17. An alert will pop up: "Note: Services which use the active certificate must be restarted before the change will take effect."
18. Reboot the Filr appliance.
19. After the appliance has finished rebooting, open the port 9443 Console and log in as vaadmin. (Hint: Setting your browser to "Incognito" mode is a good way to test newly imported certificates, as it does not use the previously cached certificate.)
20. Verify the browser is using the new certificate by clicking the lock icon next to the address field in the title bar. This may require clearing the browser's cache.

Method 2

Combine the two crt files into a p12 file using an openssl command.

1. Open an SSH (PuTTY, etc.) session to the Filr server.
2. Navigate to /vastorage/conf/certs
3. Generate a CSR using the command:
openssl req -new -key vaserver.key -out filrCSR.csr
4. When prompted, complete the fields for:
- Country Code
- State or Province Name
- Organization Name
- Common Name
You will then be prompted for "extra" attributes to be sent with your certificate request. (Generating the CSR can also be done through the port 9443 console, but when a wildcard certificate is being installed on another host, the CSR already exists.) In this case, continue by providing:
- A challenge password
5. Display the CSR file using the "less" command: "less filrCSR.csr"
6. Highlight the entire contents of the file, from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----", and copy it to the Windows clipboard.
7. Paste the CSR contents to the web page of the certificate authority (DigiCert, etc.).
8. Ensure that "Tomcat" is the server platform selected. 
9. Confirm the request/order.
10. Under "Certificate Details" > "Download Certificate As", select "More Options" and the file type of "Separate primary and intermediate .crt files (zipped)".
11. Download the files, and unzip the .crt files
12. Copy the two unzipped Security Certificate files (intermediary certificate and certificate) to the Filr appliance
13. At a terminal prompt, execute this command:
openssl pkcs12 -export -inkey vaserver.key -in <serverCert>.crt -certfile <intermediateCert>.crt -out <outputP12file>.p12
e.g. openssl pkcs12 -export -inkey vaserver.key -in micro_focus.crt -certfile DigiCertCA.crt -out final_result.p12
14. When prompted, provide a password.
15. Copy the .p12 file to the Windows workstation
16. At the port 9443 console > Digital Certificates page, click File > Import > Key Pair. Give an alias name, and enter the password.
17. You will be prompted to "Please restart server for certificate to take effect." Do not reboot at this time.
18. Highlight the new certificate and click the "Set as Active" button.
19. An alert will pop up: "Note: Services which use the active certificate must be restarted before the change will take effect."
20. Highlight the new certificate and click the "View Info" button to verify the certificate information is correct.
21. Reboot the Filr appliance.
22. After the appliance has finished rebooting, open the port 9443 Console and log in as vaadmin. (Hint: Setting your browser to "Incognito" mode is a good way to test newly imported certificates, as it does not use the previously cached certificate.)
23. Verify the browser is using the new certificate by clicking the lock icon next to the address field in the title bar. This may require clearing the browser's cache.
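
Pre-flight checks for step 13 of Method 2, as an added example that is not part of the original article: it confirms that the private key matches the server certificate and that the server certificate was issued by the CA certificate being bundled, then builds the .p12 and counts the certificates inside it. The function names, the demo CA, the *.example.test certificate and the password are constructed for illustration; on the appliance the inputs are vaserver.key and the downloaded DigiCert .crt files.

```bash
#!/bin/sh
# Added example, not part of the original article. All demo files are constructed
# throwaway material; on the appliance the inputs are vaserver.key and the DigiCert .crt files.

# True only when the certificate carries the public key derived from the private key.
key_matches_cert() {  # usage: key_matches_cert <key> <server cert>
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# True only when the server certificate verifies against the given issuing CA certificate
# (signature and validity dates). -partial_chain lets an intermediate act as the anchor.
issued_by() {  # usage: issued_by <server cert> <issuing CA cert>
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the PKCS#12 with the same options as step 13 and print how many certificates it
# holds. The password is read from $P12_PASS so it does not appear in the process list.
build_p12() {  # usage: build_p12 <key> <server cert> <issuing CA cert> <out.p12>
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
    -passout env:P12_PASS || return 1
  openssl pkcs12 -in "$4" -passin env:P12_PASS -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo input: a throwaway CA, a wildcard certificate it issued, and an unrelated key.
demo_setup() {
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Constructed Demo CA" -days 2 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -keyout "$d/vaserver.key" -out "$d/filrCSR.csr" \
    -subj "/CN=*.example.test" 2>/dev/null &&
  openssl x509 -req -in "$d/filrCSR.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/server.crt" -days 1 2>/dev/null &&
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

demo_setup || exit 1
trap 'rm -rf "$d"' EXIT
P12_PASS='constructed-demo-password'; export P12_PASS
if key_matches_cert "$d/vaserver.key" "$d/server.crt" && issued_by "$d/server.crt" "$d/ca.crt"; then
  echo "certificates in p12: $(build_p12 "$d/vaserver.key" "$d/server.crt" "$d/ca.crt" "$d/final_result.p12")"
else
  echo "key, certificate and CA certificate do not belong together; do not build the p12" >&2
fi
```

A count of 2 means the .p12 holds the server certificate plus the one CA certificate passed with -certfile, which is what "View Info" in step 20 should then show for the imported key pair.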

Additional Information

These steps are generalized from a specific instance, and may need to be adapted to fit your specific needs.