Summary
This is the procedure for replacing the self-signed certificate that Catalogic Software ships with ECX for HTTPS connections to the ECX appliance web server.
Symptoms
A site may already have its own CA-signed SSL certificate for encrypted communications and requires its use on the appliance.
Resolution
1. Log in to the appliance console as root and change to the /opt/ECX/virgo/configuration directory. Make a backup copy of ecx-keystore before changing it, so the original certificate can be restored if the new one does not work.
cd /opt/ECX/virgo/configuration
2. Find the alias of the keystore entry that has an associated private key (shown as PrivateKeyEntry in the listing). By default the alias is "sercer"; use the alias exactly as it appears in the output of this command:
/usr/java/latest/bin/keytool -list -keystore ecx-keystore -storepass ecx-beta
3. Delete this entry from the keystore, using the alias found in step 2:
/usr/java/latest/bin/keytool -delete -alias sercer -keystore ecx-keystore -storepass ecx-beta
4. Create a new passphrase-protected 2048-bit RSA private key:
openssl genrsa -des3 -out YourPrivateKeyName.key 2048
This command asks for a passphrase for the key. Enter one and keep it; for the remainder of this procedure the private key passphrase is referred to as "thesamplepasswd". The password of ecx-keystore itself (ecx-beta, as used in steps 2 and 3) is not changed by this procedure.
5. Generate a Certificate signing request file
openssl req -new -key YourPrivateKeyName.key -out YourCSRName.csr
You are asked some questions. Provide the correct values for:
- Country Name
- State
- City
- Organization Name
- Organizational Unit Name
- Common Name (the fully qualified hostname under which users reach the appliance; a mismatch produces browser warnings. Modern browsers validate the Subject Alternative Name rather than the CN, so if your CA supports it, have the hostname included as a SAN as well.)
- Email address
You can skip the challenge password and the optional company name.
6. To create a self-signed certificate, use the command below. Note that this only replaces one self-signed certificate with another, and browsers will still warn about it. Otherwise, send the CSR to your CA to obtain the certificate, and continue with step 7 using the certificate file the CA returns:
openssl x509 -req -days 365 -in YourCSRName.csr -signkey YourPrivateKeyName.key -out YourCertificateName.crt
Enter your private key passphrase (thesamplepasswd).
7. Generate a PKCS12 file from your private key and certificate. The value given to -name becomes the alias of the entry in ecx-keystore:
openssl pkcs12 -name YourAliasName -inkey YourPrivateKeyName.key -in YourCertificateName.crt -export -out YourPKCS12File.pkcs12
Enter your private key passphrase (thesamplepasswd).
Enter an export password for the PKCS12 file. You must provide one. Use the same value as the private key passphrase (thesamplepasswd): keytool carries the PKCS12 password over as the key password of the imported entry, and that is the value startup.sh must be given in step 10.
If you have a chain of certificates, because your certificate was issued by an intermediate CA, build the PKCS12 file from the whole chain as follows:
cat YourCertificateName.crt intermediate.crt [intermediate2.crt]... rootCA.crt > cert-chain.txt
openssl pkcs12 -export -name YourAliasName -inkey YourPrivateKeyName.key -in cert-chain.txt -out YourPKCS12File.pkcs12
The order of certificates in cert-chain.txt must be from the server certificate, through the intermediates, to the root CA: each certificate must be followed by the certificate that issued it.
8. Import the PKCS12 file into ecx-keystore:
/usr/java/latest/bin/keytool -importkeystore -srckeystore YourPKCS12File.pkcs12 -srcstoretype PKCS12 -destkeystore ecx-keystore
Enter the destination keystore password: this is the existing ecx-keystore password (ecx-beta, as used in step 2).
Enter the source keystore password: this is your PKCS12 export password (thesamplepasswd).
9. List the entries in ecx-keystore:
/usr/java/latest/bin/keytool -list -keystore ecx-keystore -storepass ecx-beta
The output should show the new entry under the alias you chose, as a PrivateKeyEntry, and the old "sercer" entry should be gone.
10. Edit the file /opt/ECX/virgo/bin/startup.sh
vi /opt/ECX/virgo/bin/startup.sh
In the line beginning "export JAVA_OPTS", find the option -Dorg.eclipse.equinox.http.jetty.ssl.keypassword.
Change its value to the PKCS12 export password you entered in step 7 (thesamplepasswd). Do not change any other option. Note that startup.sh now holds the key passphrase in clear text, so keep the file readable by root only.
11. Reboot the ECX appliance and wait a few minutes until the product is up and running. Then open the ECX management console over HTTPS and confirm in the browser that the certificate presented is the new one (check the subject, issuer, and validity dates).
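The following script is an added example for this article, not Catalogic tooling: it runs steps 4 through 7 non-interactively and adds the checks worth doing before the keytool import in step 8 (the alias and Common Name actually stored in the PKCS12 file, and the ordering of a cert-chain.txt) and after the reboot in step 11 (what the appliance really serves on port 443). The hostname ecx.example.com, the alias ecxserver, the working directory and the passphrase thesamplepasswd are assumptions; replace them with your own values.

```bash
# Added example for this KB article (not Catalogic's tooling): steps 4-7 scripted,
# plus the checks worth running before the keytool import (step 8) and after the
# reboot (step 11). Hostname, alias, directory and "thesamplepasswd" are assumptions.
set -e

# Steps 4-7 non-interactively: passphrase-protected RSA key, CSR for HOST,
# self-signed certificate and a PKCS12 file whose -name becomes the alias in
# ecx-keystore. Usage: make_server_pkcs12 <workdir> <host> <alias> <passphrase>
make_server_pkcs12() {
    workdir=$1 host=$2 alias=$3 pass=$4
    mkdir -p "$workdir"
    # -aes256 instead of the article's -des3: same effect, stronger key wrapping.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$workdir/server.key" 2048 2>/dev/null
    # -subj replaces the interactive questions of step 5; CN is the appliance
    # hostname (append /emailAddress=... if your CA wants the e-mail field).
    openssl req -new -key "$workdir/server.key" -passin "pass:$pass" \
        -subj "/C=US/ST=State/L=City/O=Example Org/OU=IT/CN=$host" \
        -out "$workdir/server.csr"
    # Self-signed only (step 6). For a CA-signed certificate, submit server.csr
    # to the CA instead and use the returned file as server.crt below.
    openssl x509 -req -days 365 -in "$workdir/server.csr" -signkey "$workdir/server.key" \
        -passin "pass:$pass" -out "$workdir/server.crt" 2>/dev/null
    # The export password deliberately equals the key passphrase: keytool
    # -importkeystore carries the PKCS12 password over as the key password of
    # the imported entry, and that is what ...jetty.ssl.keypassword must match.
    openssl pkcs12 -export -name "$alias" -inkey "$workdir/server.key" -passin "pass:$pass" \
        -in "$workdir/server.crt" -passout "pass:$pass" -out "$workdir/server.p12"
}

# Alias (friendlyName) stored in a PKCS12 file. Usage: pkcs12_alias <file> <password>
pkcs12_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName: //p' | head -n 1
}

# Common Name of the certificate in a PKCS12 file. Usage: pkcs12_cn <file> <password>
pkcs12_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Ordering check for the cert-chain.txt of step 7: every certificate's issuer
# must equal the subject of the certificate that follows it (server ->
# intermediates -> root). Returns 0 when ordered, 1 otherwise.
# Usage: check_chain_order <chain-file>
check_chain_order() {
    tmp=$(mktemp -d)
    # Split the concatenated PEM file into one numbered file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (d "/" n ".pem")}' "$1"
    i=1 prev_issuer="" ok=0
    while [ -f "$tmp/$i.pem" ]; do
        subject=$(openssl x509 -in "$tmp/$i.pem" -noout -subject)
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
        if [ -n "$prev_issuer" ] && [ "${prev_issuer#issuer=}" != "${subject#subject=}" ]; then
            ok=1; break
        fi
        prev_issuer=$issuer i=$((i + 1))
    done
    rm -rf "$tmp"
    return $ok
}

# After the reboot (step 11): print what the appliance actually serves on 443.
# Usage: show_served_cert <host> [port]
show_served_cert() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Run directly with four arguments to build the files and print the alias and
# CN you should then see in keytool -list after the import, e.g.:
#   bash ecx-cert.sh /tmp/ecxcert ecx.example.com ecxserver thesamplepasswd
if [ $# -eq 4 ]; then
    make_server_pkcs12 "$1" "$2" "$3" "$4"
    echo "alias: $(pkcs12_alias "$1/server.p12" "$4")  CN: $(pkcs12_cn "$1/server.p12" "$4")"
fi
```

Copy the resulting server.p12 to /opt/ECX/virgo/configuration and continue with step 8 unchanged; the value printed as alias is what keytool -list will show in step 9, and the passphrase given as the fourth argument is the value to put into -Dorg.eclipse.equinox.http.jetty.ssl.keypassword in step 10. check_chain_order exits non-zero on the most common chain mistake, concatenating the files in the wrong order, before the import bakes it into the keystore.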