Solved

Expired SSL Certificate for Informer server

Posted on 2014-02-28
Last Modified: 2014-03-06
I can't seem to find any help anywhere. I believe I have an Apache server running Informer 4.1. The certificate has expired without warning and the group that set this up is no longer available. The limited informer instructions I have keep saying "a Java Keystore (JKS) file built off the SSL certificate that is NOT A SELF SIGNED CERTIFICATE that matches that FQDN (Fully Qualified Domain Name), or a wildcard certificate for your domain for the server Informer is installed on. This Javakeystore file derived from the SSL certificate.
IT IS NOT THE KEYSTORE FILE ITSELF, many companies have made that assumption and it is a mistake. When you contact your SSL Certificate Authority from which you obtained your SSL Certificate for assistance and tell them you need assistance to create a JKS format and that it can’t be self-signed.

You will have to edit the 'informer.properties' file in the Informer install path on the Informer server. Usually it’s in the path 'c:\\Program Files\Entrinsik\Informer4' but this could be different for your installation.  
Near the bottom of this file, you will see the following lines:
informer.ssl.keystore=[Drive-Letter]:\\path\\to\\keystore\\file.jks
informer.ssl.password='{password}'"

I've been stumbling around for days trying to find out how to create a .jks file. The original developers have this entry in the file informer.ssl.keystore=C:\\Downloads\\OpenSSL\\bin\\keystore . There is a line in the instructions that specifically says not to do this and when I mentioned this to my Informer support, he indicated that this is incorrect.

What I finally tried was to generate a new key by using "openssl req -new -newkey rsa:2048 -nodes -keyout informer.{company}.com.key -out informer.{company}.com.csr -config openssl.cnf"

I sent that up to GoDaddy, created the CRT request,  and downloaded it using the format for Apache. Please note there is no way to download the .jks file. I've asked like 3 different representatives who have no idea what I'j

Now I don't know what to do with it. I looked around and there are some instructions that say you need to modify the httpd.config file. Did a search on the server and there isn't one. Do I need to import the 3 .crt files back in? If so how? And how do I create a .jks?

Any help will be greatly appreciated.
0
Comment
Question by:paynster
8 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 39895724
Ok, so if I am reading you correctly, you need to create a jks file; all the other aspects of this work (adding the new cert to Apache is complete).
Then proceed to follow the steps outlined here:
https://blogs.oracle.com/blogbypuneeth/entry/steps_to_create_a_jks

Steps 1 - 3 should cover this for you.

You need to get a copy of the public key crt that you can open in a text editor:
should look like:
-----BEGIN CERTIFICATE-----
MIIFMD................
..............NHQ7Xf
-----END CERTIFICATE-----

Also, a pem file of the private key is required. You should be able to do both with openssl commands as well.

If you want to extract private key from a pfx file and write it to PEM file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file.
>> openssl.exe rsa -in privateKey.pem -out private.pem

Reprinted from:
http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/
0
 

Author Comment

by:paynster
ID: 39895785
Thank you so much for posting. I'm not sure all aspects are complete.

I have generated the certificate using the OpenSSL command mentioned above, requested a certificate, and downloaded the new one from GoDaddy. However, I have not done anything with the two .crt files included in my download from GoDaddy, including updating Apache.

I assumed that there was some OpenSSL command that I had to use to put them back in - similar to what I did to get them out. And then some command to make a .jks file for the informer.properties file.

Do I need to import these .crt files back in? I'm assuming I use your instructions to make the .jks but which .crt file do you use to do that?
0
 
LVL 28

Expert Comment

by:becraig
ID: 39895877
Ok so first step:
You should be able to import the cert to the server you requested from, so you should go ahead and import the cert from Godaddy (Accept the response to the request)

Then export a p12 file with the keypair
(You should be able to get help exporting your new cert to pfx / pkcs12 from your cert provider or your informer support).

Here is a list of steps on how to export to various formats using openssl:
https://twiki.cern.ch/twiki/bin/view/LinuxSupport/OpenSSLCheatsheet

As for which files to use for the jks, if you follow the instructions on the link I gave you, you will see that you need to have 2 pem files.
One being the public key which you can export with the command:
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem


The next one being the private key which you get with the following command:
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem


Once you have both of those you can create your jks.
0
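The steps discussed in the thread so far (check the downloaded certificate, bundle it with the private key into PKCS#12, convert that to a JKS), as an added example that is not part of the original posts. It is written for a POSIX shell; the file names, the `informer` alias and the `KS_PASS` environment variable are assumptions, and the test certificates a reader feeds it are their own.

```shell
#!/bin/sh
# Added example: pre-flight checks and JKS build for a CA-issued certificate.
# Assumed names: alias "informer", password taken from $KS_PASS (not argv).

# Succeeds when the private key and the certificate carry the same public key.
key_matches_cert() {    # key.pem cert.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# Succeeds when subject and issuer are identical, i.e. the cert is self-signed.
is_self_signed() {      # cert.crt
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# Succeeds when the certificate is still valid N days from now.
valid_for_days() {      # cert.crt days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Bundle private key + server cert + CA intermediate bundle into PKCS#12.
make_p12() {            # key.pem cert.crt chain.crt out.p12
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name informer -out "$4" -passout env:KS_PASS
}

# Convert the PKCS#12 bundle into a Java keystore with the JDK's keytool.
p12_to_jks() {          # in.p12 out.jks
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env KS_PASS
}

# Full run: refuse mismatched, self-signed or nearly expired input.
build_informer_jks() {  # key.pem cert.crt chain.crt out.jks
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    is_self_signed "$2" && { echo "certificate is self-signed" >&2; return 1; }
    valid_for_days "$2" 30 || { echo "expires within 30 days" >&2; return 1; }
    make_p12 "$1" "$2" "$3" "$4.p12" && p12_to_jks "$4.p12" "$4"
}
```

The resulting `.jks` path and the `KS_PASS` value are what go into `informer.ssl.keystore` and `informer.ssl.password`. The intermediate `.p12` holds the private key, so delete it or lock down its permissions once the keystore is built.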
 

Author Comment

by:paynster
ID: 39896131
Ok, I'm sorry. I'm really not familiar with this process at all. I have the certificate that I downloaded from GoDaddy but I have not installed it to Apache and I'm not clear how to do that.

I think once that is done, I can then use your "export a p12 file with the keypair" instructions to generate a .jks file. Is that correct? Can you provide instructions on how to get the two .crt files back into Apache? Thanks.
0
 
LVL 28

Expert Comment

by:becraig
ID: 39896171
0
 

Author Comment

by:paynster
ID: 39896181
Hi,

Yes, GoDaddy gave me these directions as well. The issue is that I can't find the httpd.conf or ssl.conf files mentioned below. Do you know where these files should be?

"Locate the following directives in either your httpd.conf or ssl.conf file (which files you use depends on how you configured Apache). If one or more of them are currently commented out, uncomment them by removing the # character from the beginning of the line. Set the values of these directives to the absolute path and filename of the appropriate file:
•SSLCertificateFile /path/to/your/certificate/file
•SSLCertificateKeyFile /path/to/your/key/file
•SSLCertificateChainFile /path/to/intermediate/bundle/file"
0
 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
ID: 39896194
I do not know your server config but possibly

/etc/apachexx/  might be a good place to look

You can just do a find to be sure where:
$ find / -name '*.conf'
0
 

Author Closing Comment

by:paynster
ID: 39910252
Thank you for your help. I'll give this all a try and if I'm still having issues, I'll repost my question.
0
