When installing SSMC by default it comes with a self-signed browser certificate. A self-signed certificate not only is unsecure, most of the browsers indicate a warning when using it. It is important to understand that there are 3 types of certificates which can be used on the SSMC appliances:
- A browser SSL certificate
- An array certificate and
- 2FA certificate
In this article we will cover the steps to replace a self-signed certificate by a custom CA-signed SSL certificate. It is also highly recommended to perform a backup or take a snapshot/checkpoint of your StoreServ Management Console (SSMC) appliance before making any changes.
Creating the Keystore and the Certificate Signing Request
- Log in to your SSMC appliance as ssmcadmin and hit Esc-key to exit the TUI menu.
- First copy the keystore file where the certificate keys are stored. The file is found under /opt/hpe/ssmc/ssmcbase/etc but as we don’t have access to create new files with ssmcadmin, we’ll copy this keystore to the home directory:
cp /opt/hpe/ssmc/ssmcbase/etc/keystore /home/ssmcadmin/keystore.orig
- Then use the keytool to create a new public and private key pair in a new keystore file. Keytool is found under: /opt/hpe/ssmc/ssmcbase/fips/jre/bin/
keytool -genkeypair -keystore keystore -alias jetty -keyalg RSA
At the prompt, set a keystore password and make sure to write it down ;).
- Next, enter the certificate information gathered as part of the prerequisites. Make sure to complete it correctly. The output looks similar to the following:
CN=<FQDN.com>, OU=<unit_name>, O=<company_name>, L=<city>, ST=<state>, C=<country>
Verify that user entered the security information correctly. Enter Yes to continue or No to edit theinformation provided
- At the prompt, enter a new password for the keystore, or press Enter to use the existing keystore password.
- Generate a certificate signing request (CSR):
keytool -certreq -keystore keystore -alias jetty -file <certificate.request.txt>
- Copy the file or the content of the file and have the CSR signed by your company Certificate Authority.
Installing the new SSMC Custom Certificate
- Copy the CA-signed SSL certificate to /opt/hpe/ssmc/ssmcbase/etc
- Examine the certificates to verify that the keytool utility can read them. This ensures that they have the correct format (PEM) before adding them to the keystore.
keystore/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -printcert -v -file <filename>
- Accordingly copy the CA root certificate, the intermediate certificate (if it does exist), and the CA-signed machine certificate inside the keystore. Add all certificates to the same keystore in this order:
1) The CA root certificate (alias is root and not jetty):
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias root -keystore keystore -trustcacerts -file <RootCA.cer>
2) Any intermediate certificates (same preceding command but without –alias):
/opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -keystore keystore -trustcacerts -file <IntermediateCA.cer>
3) The CA signed certificate (alias is jetty):
opt/hpe/ssmc/ssmcbase/fips/jre/bin/keytool -import -alias jetty -keystore keystore -trustcacerts -file <SignedByCA.cer>
- Update the jetty-ssl-context.xml in /opt/hpe/ssmc/ssmcbase/etc/ file with the passwords used by the new keystore
– If you have changed the default password for the keystore, update theKeyStorePassword entry to reflect the new password (indicated as KeyStorePassword).
– If you have changed the password for the private key inside the keystore, update theKeyManagerPassword to reflect the new password (indicated as KeyManagerPassword)
To obfuscate the password use the following command: /opt/hpe/ssmc/jre/bin/java -cp /opt/hpe/ssmc/jetty/lib/jetty-util-9.4.6.v20170531.jar org.eclipse.jetty.util.security.Password <password>
- At this point you have completed the replacement of the new SSL certificate. All you need to do is restart the SSMC appliance to reflect the custom SSMC certificate.
- Call the TUI (user interface) by entering config_appliance
- Option 2 will reboot the SSMC appliance.
- Finally, navigate to your SSMC portal and the browser should reflect the new (CA-Signed) SSL Certificate.
Any suggestion or question? Leave a reply below, or feel free to contact us. Also make sure to subscribe to our mailing list to get the latest updates.