KB0014261: How to Create and Install a commercial certificate for Authentication Server WebAdmin


Summary

By default, the OneSpan Authentication Server (OAS) webadmin is installed with a self-signed certificate.
Because no browser trusts that certificate, the browser shows a certificate warning and asks whether you want to trust the certificate anyway.
By installing a commercial certificate (one issued by a Certificate Authority whose root certificate is in the browser's built-in trust store) this warning is no longer displayed, provided the name in the certificate also matches the host name you use to reach the webadmin.

This article explains in more detail the procedure of the Administrator Guide for installing a commercial certificate for the webadmin.


Details

To install a commercial certificate for the webadmin, the following steps are needed:
- Create a private key and a Certificate Signing Request (CSR)
- Have a commercial Certificate Authority (CA) sign the CSR
- Use the private key and the signed certificates to create a new PEM file
- Convert the PEM file into a .P12 file and either import it into a Java Keystore (using the same password as used for the private key) or use the .P12 file itself as the keystore
- Edit the server.xml file of Tomcat to point to the new Java Keystore (or .P12 keystore) with the new password
- Restart the Vasco Webadmin service


Problem Solution

Create a private key and a Certificate Signing Request (CSR)

Open a command prompt (cmd.exe) and browse to the bin directory of the OAS installation.

Set OPENSSL_CONF=openssl.cnf

Then use the command as explained in the Administrator Guide:
openssl req -out ikey_tomcat_new.csr -new -newkey rsa:2048 -keyout ikey_tomcat_new.key

You will be prompted for a passphrase for the new private key (remember it, the later steps need it) and for the subject fields of the request. Use the fully qualified host name under which the webadmin is reached in the browser as the Common Name. Current browsers match the host name against the Subject Alternative Name rather than the Common Name, so check with your CA how that name is requested as a SAN if its ordering form does not take care of it.

This will create two new files: ikey_tomcat_new.csr (the request that is sent to the CA) and ikey_tomcat_new.key (the passphrase-protected private key; it stays on the server and is never sent to the CA).

Let a commercial Certificate Authority sign the CSR

The .CSR file must be sent to the commercial CA for signing.

From the commercial CA you will get the signed server certificate, and possibly the intermediate and root CA certificates as well.

Ensure you have the certificates you want to use in PEM format (Base64 text starting with -----BEGIN CERTIFICATE-----). A file with the extension .cer or .crt can be either PEM or binary DER: if it opens as readable text in an editor it is already PEM; if it is binary, convert it first.
Below are some commands that will help with the conversion:

Convert a DER file (.crt .cer .der) to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM:
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Note that -nodes writes the private key to keyStore.pem unencrypted; keep that file on the server only and delete it once the new keystore is in place. Also make sure the dashes in front of the options are plain ASCII hyphens: copied from a formatted document they can turn into typographic dashes that openssl does not recognise.

Sometimes the server certificate is not signed directly by the root CA but by an intermediate CA. To see the certification path on a Windows computer, make a copy of the .pem file and change the extension from .pem to .cer. You can then double-click the .cer file and look at the Certification Path tab of its properties. If one or more certificates are listed between the server certificate and the root, those are the intermediate CAs.

From the commercial CA, get the root certificate and all the intermediate certificate(s) (they also need to be in PEM format).
A root certificate is self-signed (its issuer is identical to its subject), so when you view the root certificate itself, its certification path contains only that one certificate.

Use the private key and the signed certificates to create a new PEM file
Using a text editor, create a blank file, e.g. new_webadmin_cert.pem
Add the following contents in this exact order to this "new_webadmin_cert.pem". To do so, you can copy/paste the appropriate sections (from the BEGIN line up to and including the END line) from the PEM formatted files.

1. Private key matching the server certificate
2. Server certificate (for the OAS web administration site)
3. Certificate of the intermediate CA (that signed the server certificate)
4. If applicable, the certificate(s) of any additional intermediate CA used in the chain, each one the issuer of the previous one
5. Certificate of the root CA

In the end, the content of this "new_webadmin_cert.pem" file should look like:

-----BEGIN ENCRYPTED PRIVATE KEY----- (data omitted for readability) -----END ENCRYPTED PRIVATE KEY-----

-----BEGIN CERTIFICATE----- (server certificate, data omitted for readability) -----END CERTIFICATE-----

-----BEGIN CERTIFICATE----- (signer of the server certificate, data omitted for readability) -----END CERTIFICATE-----

In case there are multiple subordinate CAs, paste their certificates here in hierarchical order (low to high, i.e. each certificate followed by the certificate of the CA that issued it), just as you did for the previous one.

-----BEGIN CERTIFICATE----- (root CA certificate, data omitted for readability) -----END CERTIFICATE-----

Convert the PEM file into a .P12 file

Open a command prompt (cmd.exe) and browse to the bin directory of the OAS installation.

Make sure the file "new_webadmin_cert.pem" created in the previous step has been moved to the bin directory of the OAS installation (to avoid having to use paths in the commands).

Use:

Set OPENSSL_CONF=openssl.cnf

openssl pkcs12 -export -in new_webadmin_cert.pem -passin pass:Test1234 -out new_tomcat_cert.p12 -passout pass:Test1234 -name ias-tomcat

Where:

-passin pass:Test1234 => Replace Test1234 with the password protecting the private key in the PEM file

-passout pass:Test1234 => Replace Test1234 with the password that will protect the private key in the .p12 file

If you prefer not to type the passwords on the command line (where they end up in the command history and are visible to other users of the machine while the command runs), leave out the -passin and -passout options and openssl will prompt for them.

After this command the file new_tomcat_cert.p12 is created.

Alternatively you can skip the next step (converting the .P12 into a Java Keystore) and place "new_tomcat_cert.p12" itself in the conf directory of Tomcat.
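The steps from the CSR up to the .P12 file, as an added shell script that is not part of this article or of the OneSpan product: it assembles the PEM file in the prescribed order and, before converting, checks what the article asks you to verify by eye (a private key first, each certificate issued by the one after it, a self-signed root last, the key belonging to the server certificate, and an independent openssl verify of the path). It assumes openssl on the PATH (the same commands the article runs from the OAS bin directory, written for a Unix shell), the article's file names, and that the CA returned the server, intermediate and root certificates as server.pem, intermediate.pem and root.pem; the host name and the password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the OneSpan article: assemble the webadmin
# certificate chain in the article's order, check it, and export the .P12.
# Needs only openssl on the PATH; keytool (optional JKS step) ships with the
# webadmin's JRE. File names follow the article; the host name, the CA's
# file names and the password are placeholders.
set -eu

# Private key + CSR. Unlike the article's interactive command this puts the
# host name in a Subject Alternative Name (browsers match the SAN, not the CN).
make_csr() {  # make_csr <hostname> <key out> <csr out> <key password>
  local cnf; cnf=$(mktemp)
  printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n[dn]\nCN = %s\n[ext]\nsubjectAltName = DNS:%s\n' "$1" "$1" > "$cnf"
  openssl req -new -newkey rsa:2048 -keyout "$2" -out "$3" -passout "pass:$4" -config "$cnf"
  rm -f "$cnf"
}

# The key must belong to the server certificate the CA returned:
# compare the public key carried by both (works for RSA and EC keys).
key_matches_cert() {  # key_matches_cert <key> <key password> <cert>
  local kpub cpub
  kpub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout)
  cpub=$(openssl x509 -in "$3" -noout -pubkey)
  [ "$kpub" = "$cpub" ]
}

# Assemble the PEM file in the article's order: key, server certificate,
# intermediates (the one that signed the server certificate first), root last.
build_chain() {  # build_chain <out> <key> <server cert> [intermediate...] <root>
  local out="$1"; shift
  cat "$@" > "$out"
}

# Write each certificate of a bundle to its own file: cert01.pem, cert02.pem, ...
split_certs() {  # split_certs <bundle> <dir>
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
                 f != "" { print > f }
                 /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

name_of() {  # name_of issuer|subject <cert>
  openssl x509 -noout "-$1" -in "$2" | sed "s/^$1=//"
}

# Check the order the article prescribes: a private key first, then each
# certificate issued by the one after it, ending in a self-signed root.
check_order() {  # check_order <assembled pem>
  case $(head -n 1 "$1") in
    *"PRIVATE KEY-----") ;;
    *) echo "first block is not a private key" >&2; return 1 ;;
  esac
  local dir prev f; dir=$(mktemp -d); prev=""
  split_certs "$1" "$dir"
  [ -f "$dir/cert01.pem" ] || { echo "no certificates found" >&2; rm -rf "$dir"; return 1; }
  for f in "$dir"/cert*.pem; do
    if [ -n "$prev" ] && [ "$(name_of issuer "$prev")" != "$(name_of subject "$f")" ]; then
      echo "chain break: $(basename "$prev") was not issued by $(basename "$f")" >&2
      rm -rf "$dir"; return 1
    fi
    prev=$f
  done
  if [ "$(name_of issuer "$prev")" != "$(name_of subject "$prev")" ]; then
    echo "last certificate is not a self-signed root" >&2
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
}

# Independent check: let openssl build and validate the path itself.
verify_chain() {  # verify_chain <server cert> <root> [intermediate...]
  local leaf="$1" root="$2" untrusted; shift 2
  untrusted=$(mktemp)
  if [ $# -gt 0 ]; then cat "$@" > "$untrusted"; set -- -untrusted "$untrusted"; fi
  if openssl verify -CAfile "$root" ${1+"$@"} "$leaf"; then rm -f "$untrusted"; return 0; fi
  rm -f "$untrusted"; return 1
}

# Export exactly as the article does: one password for the file and the key
# (PKCS#12 has only one), which is what Tomcat's single keystorePass needs.
export_p12() {  # export_p12 <assembled pem> <password> <p12 out>
  openssl pkcs12 -export -in "$1" -passin "pass:$2" -out "$3" -passout "pass:$2" -name ias-tomcat
}
count_p12_certs() {  # count_p12_certs <p12> <password>: must equal the chain length
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Optional JKS conversion. -destkeypass keeps key and store password identical,
# which is the caveat the article warns about.
import_jks() {  # import_jks <p12> <password> <jks out>
  keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
    -destkeystore "$3" -deststorepass "$2" -destkeypass "$2"
}

# Typical run (the CA returned server.pem, intermediate.pem and root.pem):
#   make_csr webadmin.example.com ikey_tomcat_new.key ikey_tomcat_new.csr Test1234
#   ... send ikey_tomcat_new.csr to the CA ...
#   key_matches_cert ikey_tomcat_new.key Test1234 server.pem
#   build_chain new_webadmin_cert.pem ikey_tomcat_new.key server.pem intermediate.pem root.pem
#   check_order new_webadmin_cert.pem && verify_chain server.pem root.pem intermediate.pem
#   export_p12 new_webadmin_cert.pem Test1234 new_tomcat_cert.p12
```

check_order only compares issuer and subject names, which is enough to catch the usual mistakes (root and intermediate swapped, an intermediate left out, the key pasted after the certificates); verify_chain is the cryptographic check that the signatures actually chain up to the root. If the webadmin's JRE is old and keytool rejects a .p12 produced by OpenSSL 3, re-export it with the additional -legacy option of openssl pkcs12, which falls back to the older PKCS#12 encryption those JREs understand.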

 

Import the file into a Java Keystore (using the same password as used for the private key)

Note that keytool comes delivered together with Java. Browse to the bin directory of the JRE within the OAS Web Administration installation directory.

Move new_tomcat_cert.p12 to the same directory (to avoid having to use paths in the commands).

Use:

keytool -importkeystore -deststorepass Test1234 -destkeystore new_keystore.jks -srckeystore new_tomcat_cert.p12 -srcstoretype PKCS12 -srcstorepass Test1234

Where you replace Test1234 with the password protecting the private key in the .p12 file.

Important remark: ensure that the password used to protect the Java keystore (-deststorepass) is the same as the password protecting the private key. keytool keeps the imported key entry protected with the password it had in the .p12 file, and Tomcat opens both the keystore and the key entry with the single keystorePass from server.xml (unless a separate keyPass attribute is configured); if the two passwords differ, the HTTPS connector fails to start because it cannot recover the key.

The result of this step is a new Java keystore file containing the private key and the certificate chain.

 

Edit the server.xml file of Tomcat to point to the new Java Keystore with the new password.

Move the new Java keystore file to the conf directory of Tomcat.

Or alternatively move the "new_tomcat_cert.p12" file into the conf directory of Tomcat.

(screenshot: the conf directory with the new .P12 keystore next to the old Java keystore; the old keystore can stay until the new one is confirmed to work)

Edit the server.xml file and change the keystoreFile and keystorePass attributes of the HTTPS Connector element:

Change:
(screenshot: the Connector element with keystoreFile pointing to the old Java keystore and the old keystorePass)

Into:
(screenshot: the same Connector element with keystoreFile pointing to new_keystore.jks in the conf directory and keystorePass set to the new password)

Or if you're using the .P12 file, point keystoreFile to new_tomcat_cert.p12 instead; depending on the Tomcat and Java version you may also have to add keystoreType="PKCS12" for Tomcat to read it.

Where you replace Test1234 with the password protecting the keystore/.P12 file. Keep a backup copy of the original server.xml so you can roll back, and note that keystorePass is stored in clear text in server.xml, so its file permissions should limit access to administrators and the service account.
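What that edit looks like on a constructed server.xml, as an added example that is not from the article or from an OAS installation: the Connector's keystoreFile and keystorePass attributes (the ones named in the screenshot captions) are what changes, and a small shell helper performs the edit with a backup so it can be repeated at the next certificate renewal. The port, the old keystore name and the old password in the sample are placeholders; keystoreType="PKCS12" is included because some Tomcat/Java versions need it to read a .p12 file directly.

```shell
#!/bin/sh
# Added example, not from the OneSpan article: the server.xml attributes the
# article's screenshots change, and a repeatable way to change them.
# The Connector below is a constructed sample; its port, old file name and
# old password are placeholders, not values from an OAS installation.
set -eu

# A Connector as it might look before the change (constructed sample).
sample_server_xml() {  # sample_server_xml <path>
  cat > "$1" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/old_keystore.jks" keystorePass="OldPass" />
  </Service>
</Server>
EOF
}

# First value of a double-quoted attribute, e.g. get_attr server.xml keystoreFile
get_attr() {  # get_attr <server.xml> <attribute>
  sed -n "s|.*$2=\"\([^\"]*\)\".*|\1|p" "$1" | head -n 1
}

# Point the Connector at the new keystore. A relative keystoreFile is resolved
# against CATALINA_BASE, so "conf/new_keystore.jks" is the article's location.
# keystorePass is stored in clear text: restrict who can read server.xml.
# Passwords containing | or & would need escaping before use with sed.
set_keystore() {  # set_keystore <server.xml> <keystoreFile> <keystorePass> [keystoreType]
  local xml="$1" file="$2" pass="$3" type="${4:-}"
  cp -p "$xml" "$xml.bak"                       # keep the original for rollback
  sed -e "s|keystoreFile=\"[^\"]*\"|keystoreFile=\"$file\"|" \
      -e "s|keystorePass=\"[^\"]*\"|keystorePass=\"$pass\"|" \
      -e 's| keystoreType="[^"]*"||' "$xml" > "$xml.new"
  if [ -n "$type" ]; then                       # only the .p12 variant needs a type
    sed -e "s|keystorePass=\"[^\"]*\"|& keystoreType=\"$type\"|" "$xml.new" > "$xml.tmp"
    mv "$xml.tmp" "$xml.new"
  fi
  mv "$xml.new" "$xml"
}

# Java keystore from the keytool step:
#   set_keystore conf/server.xml conf/new_keystore.jks Test1234
# .P12 file used directly as the keystore:
#   set_keystore conf/server.xml conf/new_tomcat_cert.p12 Test1234 PKCS12
```

After the edit, get_attr shows the values Tomcat will read, which is a quicker check than re-opening the file; the .bak copy is what you restore if the service does not come back up.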



Restart the Webadmin service

Normally the root CA will be in the trusted root CAs of your browser (unless you have an old version of the browser), so the browser no longer shows a certificate warning when you open the webadmin.
If a warning remains, open the certificate the browser received and check that the name matches the URL you use and that the whole chain (server, intermediate, root) is shown; a missing intermediate usually means the PEM file was assembled in the wrong order or with a certificate left out.



_________________________________________________________________________________________________________________

Security Status: External

Document type: How To 

Applies to: Authentication Server 

Old KB Reference: 150190