Solved

Expired SSL Certificate for Informer server

Posted on 2014-02-28
Last Modified: 2014-03-06
I can't seem to find any help anywhere. I believe I have an Apache server running Informer 4.1. The certificate has expired without warning and the group that set this up is no longer available. The limited informer instructions I have keep saying "a Java Keystore (JKS) file built off the SSL certificate that is NOT A SELF SIGNED CERTIFICATE that matches that FQDN (Fully Qualified Domain Name), or a wildcard certificate for your domain for the server Informer is installed on. This Javakeystore file derived from the SSL certificate.
IT IS NOT THE KEYSTORE FILE ITSELF, many companies have made that assumption and it is a mistake. When you contact your SSL Certificate Authority from which you obtained your SSL Certificate for assistance and tell them you need assistance to create a JKS format and that it can’t be self-signed.

You will have to edit the 'informer.properties' file in the Informer install path on the Informer server. Usually it’s in the path 'c:\\Program Files\Entrinsik\Informer4' but this could be different for your installation.  
Near the bottom of this file, you will see the following lines:
informer.ssl.keystore=[Drive-Letter]:\\path\\to\\keystore\\file.jks
informer.ssl.password='{password}'"

I've been stumbling around for days trying to find out how to create a .jks file. The original developers have this entry in the file informer.ssl.keystore=C:\\Downloads\\OpenSSL\\bin\\keystore . There is a line in the instructions that specifically says not to do this and when I mentioned this to my Informer support, he indicated that this is incorrect.

What I finally tried was to generate a new key by using "openssl req -new -newkey rsa:2048 -nodes -keyout informer.{company}.com.key -out informer.{company}.com.csr -config openssl.cnf"

I sent that up to GoDaddy, created the CRT request,  and downloaded it using the format for Apache. Please note there is no way to download the .jks file. I've asked like 3 different representatives who have no idea what I'j

Now I don't know what to do with it. I looked around and there are some instructions that say you need to modify the httpd.config file. Did a search on the server and there isn't one. Do I need to import the 3 .crt files back in? If so how? And how do I create a .jks?

Any help will be greatly appreciated.
Question by:paynster
8 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39895724
Ok, so if I am reading you correctly, you need to create a jks file; all the other aspects of this work (adding the new cert to Apache) are complete.
Then proceed to follow the steps outlined here:
https://blogs.oracle.com/blogbypuneeth/entry/steps_to_create_a_jks

Steps 1 - 3 should cover this for you.

You need to get a copy of the public key crt that you can open in a text editor:
should look like:
-----BEGIN CERTIFICATE-----
MIIFMD................
..............NHQ7Xf
-----END CERTIFICATE-----

Also, a pem file of the private key is required; you should be able to do both with openssl commands as well.

If you want to extract private key from a pfx file and write it to PEM file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
If you want to extract the certificate file (the signed public key) from the pfx file
>>openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file.
>> openssl.exe rsa -in privateKey.pem -out private.pem

Reprinted from:
http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/
0
 

Author Comment

by:paynster
ID: 39895785
Thank you so much for posting. I'm not sure all aspects are complete.

I have generated the certificate using the OpenSSL command mentioned above, requested a certificate, and downloaded the new one from GoDaddy. However, I have not done anything with the two .crt files included in my download from GoDaddy, including updating Apache.

I assumed that there was some OpenSSL command that I had to use to put them back in - similar to what I did to get them out. And then some command to make a .jks file for the informer.properties file.

Do I need to import these .crt files back in? I'm assuming I use your instructions to make the .jks but which .crt file do you use to do that?
0
 
LVL 29

Expert Comment

by:becraig
ID: 39895877
Ok so first step:
You should be able to import the cert to the server you requested from, so you should go ahead and import the cert from Godaddy (Accept the response to the request)

Then export a p12 file with the keypair
(You should be able to get help exporting your new cert to pfx / pkcs12 from your cert provider or your informer support).

Here is a list of steps on how to export to various formats using openssl:
https://twiki.cern.ch/twiki/bin/view/LinuxSupport/OpenSSLCheatsheet

As for which files to use for the jks, if you follow the instructions on the link I gave you, you will see that you need to have 2 pem files.
One being the public key which you can export with the command:
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem


The next one being the private key which you get with the following command:
>>openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem


Once you have both of those you can create your jks.
0
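Added example, not part of the original thread or of Informer's documentation: one way to go from the key made by the `openssl req` command in the question plus the certificate and bundle downloaded from the CA to a `.jks`, assuming OpenSSL and a JDK `keytool` are on the PATH. The file names, the `informer` alias and the `KS_PASS` variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build a JKS keystore from an Apache-format certificate download.
# File names, the "informer" alias and KS_PASS are assumptions, not from the thread.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert server.key server.crt
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds only if the certificate has not expired yet.
cert_is_current() {   # usage: cert_is_current server.crt
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Bundle key + server cert + CA chain into PKCS#12, then convert to JKS.
# The keystore password is read from the KS_PASS environment variable so it
# does not appear in the process list.
build_jks() {         # usage: build_jks server.key server.crt chain.crt out.jks
    key=$1; crt=$2; chain=$3; jks=$4; p12="${jks%.jks}.p12"
    [ -n "${KS_PASS:-}" ] || { echo "set KS_PASS first" >&2; return 1; }
    key_matches_cert "$key" "$crt" || { echo "key does not match certificate" >&2; return 1; }
    cert_is_current "$crt" || { echo "certificate is expired" >&2; return 1; }
    [ ! -e "$jks" ] || { echo "$jks exists; not overwriting" >&2; return 1; }

    export KS_PASS
    openssl pkcs12 -export -inkey "$key" -in "$crt" -certfile "$chain" \
        -name informer -out "$p12" -passout env:KS_PASS || return 1

    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$jks" -deststoretype JKS -deststorepass:env KS_PASS || return 1

    # A usable server keystore lists the alias as a PrivateKeyEntry.
    keytool -list -keystore "$jks" -storepass:env KS_PASS -alias informer |
        grep -q PrivateKeyEntry
}
```

Once `build_jks` succeeds, the `informer.ssl.keystore` line quoted in the question would point at the resulting `.jks` file and `informer.ssl.password` at the same password.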
 

Author Comment

by:paynster
ID: 39896131
Ok, I'm sorry. I'm really not familiar with this process at all. I have the certificate that I downloaded from GoDaddy but I have not installed it to Apache and I'm not clear how to do that.

I think once that is done, I can then use your "export a p12 file with the keypair" instructions to generate a .jks file. Is that correct? Can you provide instructions on how to get the two .crt files back into Apache? Thanks.
0
 
LVL 29

Expert Comment

by:becraig
ID: 39896171
0
 

Author Comment

by:paynster
ID: 39896181
Hi,

Yes, GoDaddy gave me these directions as well. The issue is that I can't find the httpd.conf or ssl.conf files mentioned below. Do you know where these files should be?

"Locate the following directives in either your httpd.conf or ssl.conf file (which files you use depends on how you configured Apache). If one or more of them are currently commented out, uncomment them by removing the # character from the beginning of the line. Set the values of these directives to the absolute path and filename of the appropriate file:
• SSLCertificateFile /path/to/your/certificate/file
• SSLCertificateKeyFile /path/to/your/key/file
• SSLCertificateChainFile /path/to/intermediate/bundle/file"
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39896194
I do not know your server config but possibly

/etc/apachexx/  might be a good place to look

You can just do a find to be sure where:
$ find / -name '*.conf'
0
 

Author Closing Comment

by:paynster
ID: 39910252
Thank you for your help. I'll give this all a try and if I'm still having issues, I'll repost my question.
0

Question has a verified solution.
