
22-Oct-2009, 06:13 AM
Re: SSL certificates and GWIA
If anyone finds this tip useful, please let me know.
Thanks
Dennis
Originally Posted by dchitolie
Hi, I very recently had a similar problem... our existing 3rd party SSL external Verisign certificate expired!
I haven't been able in the past to configure a 3rd party SSL certificate into our current GroupWise 7 system due to lots of various methods of doing this task. I got quite confused, and if you do not do things in the correct order the whole process will need to be started over again.
I've eventually managed to crack it and figure out a simple and more structured approach to setting this up.
The following was in relation to applying the 3rd party external certificate to WEBACCESS.
These were the steps I took:
Firstly, ensure you have the registered details you already completed with your 3rd party SSL supplier; they should have provided you with a:
OU
O
L
S
C
The CN is the web address or DNS name your users will hit to access your secured page - we will add this later.
1) Highlight the container where your server is located, which will be the host application part of the WebAccess that the SSL is assigned to.
(My setup is: I have my main GroupWise system in one tree, and my application - the WebAccess component - in a separate tree.) We need to re-create the SSL object in the second tree or the container where the application component is located.
2) Right-click to create an object > from the list choose > NDSPKI:Key Material.
3) Give a name for the certificate name object > then select the second option > Custom.
(This will allow you to enter more specific information relating to the 3rd party SSL certificate.)
4) On the next screen select "External Certificate authority" - this would be your 3rd party SSL. Click Next.
5) The next screen asks for the key size; accept the default value of "2048 bits" > tick "Allow private key to be exported", click Next.
6) The next screen asks for the Certificate Parameters, depending on the order of your CN, OU, O, L, S, C.
I clicked the Edit button and then clicked the small arrow icon to switch the SSL URL around so that my .cn=webserver url address will be read first, then the OU, O, L, S, C.
(PLEASE NOTE: The (OU,O,L,S,C) should be identical to what was initially registered with your 3rd party SSL supplier.)
7) Once you are happy with the details click "Finish".
8) You will immediately be asked where to save the "b64" file that will be generated, which will be sent off to your 3rd party supplier for re-minting.
Choose a file name - ensure no hyphens or special characters etc. are used, and keep to the 8.3 naming length just to avoid any long name issues. I do believe that adding a hyphen may cause problems, as the system automatically puts a hyphen to separate the names, hence that is why it's advised not to use this.
I saved my file to the root of my c:\
9) Once this has been done and you click Save, send the file off to your 3rd party SSL supplier; they will re-mint the "b64" file and you should get back 2 files:
a) file.cer
b) Intermediate.cer
(filenames could be anything)
10) Select the "KMO object" you created earlier in step 2, then go to the Certificate tab > "Trusted Root certificate" tab to import the Intermediate.csr file sent to you.
Select Import > then read from file and browse for the "Intermediate.csr" file - I chose the root of my c:\ to save the 2 re-minted files sent back to me.
Select the Intermediate file; you should see some encrypted characters show in the blank screen, then select OK or Finish.
If you see a pop-up window stating "Subject name mismatch error", don't worry, this is merely a cosmetic issue due to the details not being in the exact naming order; it has been IMPORTED!!
Click OK.
Once you have done this you should see your first key pair file imported. Check the subject name, issuer name, effective date, expiration date and certificate status details; these should all show the 3rd party certificate details.
The next part is to import the second key pair file.
Click Certificate > Public Key Certificate tab > Import.
Select to read from file > then browse for the file.csr
You should see the encrypted characters, then select OK or Finish.
Now you have completed the difficult part, you need to tell your application what SSL object to point to in order to use the SSL encryption.
For WebAccess, you have to edit the Apache conf files and enter the name of the SSL/KMO object you created earlier.
11) Go to your application server that will use the SSL, then browse to:
server\sys\apache2\conf
Edit a file called "httpd.conf"
then
amend or add the section:
SecureListen 443 "Verisign"
Save these changes, then shut down your web services on the server (Apache, etc.), i.e. type:
Apache shutdown commands:
ap2webdn
tc4stop
admsrvdn
Apache load commands:
apache2
ap2webup
tc4stop
admsrvup
Wait a minute or so, so that the services can be unloaded.
If you think it's safer to do so, you can restart the server - that way you know for sure that everything has been unloaded and re-loaded cleanly.
ALL done.
SSL now in operation and working.
I carried out this method - my own steps and this worked for me.
Good luck!!!
Dennis
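
An added example, not part of the original post: checks that can be run with the OpenSSL command-line tool on the files the supplier returns before they are imported (certificate issued for the CSR's key, subject unchanged, chains to the intermediate, not close to expiry). It assumes the files are Base64 (PEM) encoded; the function names, file names and subject values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Assumes PEM (Base64) files and the openssl CLI;
# all names and subject values below are constructed.

# Public key / subject of a CSR ($1 = req) or a certificate ($1 = x509).
pubkey_of()  { openssl "$1" -in "$2" -noout -pubkey; }
subject_of() { openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# 0 if the certificate ($2) was issued for the key pair behind the CSR ($1).
same_key() { [ "$(pubkey_of req "$1")" = "$(pubkey_of x509 "$2")" ]; }

# 0 if the certificate ($2) verifies against the intermediate ($1).
chain_ok() { openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the certificate ($1) is still valid $2 days from now (default 30).
valid_for() { openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null; }

# Build constructed sample files in directory $1: a CSR, a throwaway CA
# standing in for the supplier's intermediate, and a 90-day certificate.
make_sample() {
    subj='/C=GB/ST=County/L=Town/O=Example Ltd/OU=IT/CN=webmail.example.test'
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/srv.key" \
        -subj "$subj" -out "$1/request.b64" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -subj '/CN=Constructed Test CA' -days 365 -out "$1/intermediate.cer" 2>/dev/null
    openssl x509 -req -in "$1/request.b64" -CA "$1/intermediate.cer" \
        -CAkey "$1/ca.key" -CAcreateserial -days 90 -out "$1/file.cer" 2>/dev/null
}

# Report on the returned files; non-zero exit status if any check fails.
check_returned() {  # $1 = CSR, $2 = certificate, $3 = intermediate
    rc=0
    same_key "$1" "$2"  || { echo "FAIL: certificate key does not match the CSR"; rc=1; }
    [ "$(subject_of req "$1")" = "$(subject_of x509 "$2")" ] \
        || { echo "WARN: subject changed: $(subject_of x509 "$2")"; }
    chain_ok "$3" "$2"  || { echo "FAIL: certificate does not chain to intermediate"; rc=1; }
    valid_for "$2" 30   || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return $rc
}

dir=$(mktemp -d) && make_sample "$dir"
check_returned "$dir/request.b64" "$dir/file.cer" "$dir/intermediate.cer" && echo "OK to import"
# Swapping the two returned files is caught by the key check:
check_returned "$dir/request.b64" "$dir/intermediate.cer" "$dir/file.cer" || echo "rejected"
rm -rf "$dir"
```

A changed subject is reported only as a warning because a CA may rewrite subject fields at issuance; the key and chain checks decide whether the file is the right one.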