Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2123
Views
1
Helpful
6
Replies

Wildcart certs for UCSD appliance?

Go to solution
snoopj123
Level 4
Level 4

‎05-13-2015 02:35 PM - edited ‎03-01-2019 06:22 AM

Been trying to find the answer to this for a while now, but haven't been able to get anywhere with it.

We have a wildcart SSL certificate that we tend to use around here and I was wondering if the UCSD Tomcat service, along with the VNC service are able to use a wildcard certificate?

The documentation about adding certificates doesn't mention anything specific about wildcard certs, although, I haven't really had a chance to test this in the lab either (other things taking higher priority).

Anyone know?

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
snoopj123
Level 4
Level 4
In response to amerzec2015

‎06-24-2015 07:52 PM

I took my PEM file (which worked out great for the VNC service).

I then followed this website -> Convert your wildcard SSL to JKS (Java Keystore) Format | Sononaco

Ended up being pretty easy to create the JKS file and then import the certificate without an issue.  I did have a LOT of problems creating the JKS file without following those steps in that website.

--j

View solution in original post

0 Helpful
6 Replies 6

Go to solution
snoopj123
Level 4
Level 4

‎05-29-2015 07:12 PM

I've found you can do use wildcard certificates.  Since the main web component is Tomcat, I was able to find some instructions on how to setup wildcard certs with Tomcat and apply them to the UCSD appliance.

--j

0 Helpful

Go to solution
amerzec2015
Level 1
Level 1
In response to snoopj123

‎06-24-2015 01:37 PM

Hi,

I am trying to install SSL certificates on the appliance for the HTTPS access. Initially I tried option 13) on the appliance, however the certificate wasn't showing up on the web after restarting all UCSD services. This was my attempt with PEM file.


After WebEx with CISCO support, I was advised to try JKS file. I got message saying "Certificate imported successfuly" with additional log about changes in Tomcat server.xml file. However, when I hit my website for UCSD with HTTPS, now it won't even load with default certificate...

Any help is appreciated if you did it - no matter if your certificate is with wildcard or not....

P.S. The documentation about SSL certificate importing is very bad.

Kind Regards

0 Helpful

Go to solution
snoopj123
Level 4
Level 4
In response to amerzec2015

‎06-24-2015 07:52 PM

I took my PEM file (which worked out great for the VNC service).

I then followed this website -> Convert your wildcard SSL to JKS (Java Keystore) Format | Sononaco

Ended up being pretty easy to create the JKS file and then import the certificate without an issue.  I did have a LOT of problems creating the JKS file without following those steps in that website.

--j

0 Helpful

Go to solution
snoopj123
Level 4
Level 4
In response to snoopj123

‎06-24-2015 08:00 PM

In the website, the key was the conversion of the PEM file using openssl and turning into PKCS12 format.  Each time I tried any other conversion without running openssl, tomcat would never launch on port 443.

--j

0 Helpful

Go to solution
amerzec2015
Level 1
Level 1
In response to snoopj123

‎06-24-2015 11:26 PM

Hi,

Thanks for the directions. Finally I did it...

This is the guideline missing in the docs:

1.       Option 12 on the Shell Menu is the right one – „Import CA Cert (JKS) File“

2.       One needs to have following:

    • signed certificate file  < myservercert >.crt (in PEM format
    • intermetiate certificates file < intcacerts >.crt (in PEM format)
    • private key file < private >.key (in PEM format)

3.      To be able to import JKS to Tomcat, one needs to generate PKCS12 format certificate first. This is the command:
        openssl pkcs12 -export -in <myservercert>.crt -inkey <private>.key -certfile <intcacerts>.crt -name „<aFriendlyName>“ -out <keyandcerts>.p12

4.       P12 file which was generated in step 3. needs to be converted in Java Key Store (JKS) file. This is the command:

   /opt/bin/jre/bin/keytool -importkeystore -srckeystore <keyandcerts>.p12 -srcstoretype PKCS12 -destkeystore <myserverJKS>.jks

5.      JKS file which was generated in step 4. needs to be imported to the keystore where Tomcat application server can find it when it deploys application. This is done through option 12) -„Import CA Cert (JKS) File“ on the Shell Menu. What this internally does is download of the JKS file, and moves it to the Tomcat-local keystore. This keystore is on this path:
      /opt/infra/web_cloudmgr/apache-tomcat/keystore/

After that, appliance backs up old server.xml descriptor file and creates new one under path:
  /opt/infra/web_cloudmgr/apache-tomcat/conf/server.xml

6.       Done !!!

Kind Regards

0 Helpful

Go to solution
snoopj123
Level 4
Level 4
In response to amerzec2015

‎06-26-2015 02:15 PM

Good to hear the article came in handy to solve the problem.  I did have some conversation with some of the UCSD team (through e-mail, after I posed the question to them on whether we could use wildcard certs) and they mentioned something about providing better instructions and more options (like being able to create the PEM file, rather than assuming you have it already created before starting the process).

Let's hope in future versions they resolve some of these idiosyncrasies with certificate import.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Cisco UCS X-Series Energy Efficiency Offer