I am new to signserver and I have to installed it using docker hub, for this I got the EJBCA ManagementCA pem file. but I am not able to access signserver admin web
Thanks in advance
To do client certificate authentication you must have install a client certificate in your web browser, i.e. like superadmin.p12 from an ejbca installation or any other CA you are using. This admin client certificate must be issued by the ManagementCA in this case.
Related
I have created an image of my TWAS application and deployed it in a container inside an openshift POD. In my TWAS ND I use to go to the admin console WebSphere environment truststore on a node on a virtual machine and set up TLS certificates so my application can have communication with external API's in the secure communication channel HTTPS. These certificates are public certificates and don't have any private keys. They are .crt and .pem files. Now I am wondering how I can set up my third-party TLS certificates for my application running inside the POD as a container? I don't want to make any code changes to my J2EE application which I have migrated from on-prem VM to Openshift.
Note: I am using TWAS base runtime here and not liberty for my newly migrated J2EE app on openshift.
When you build your application image, you can add a trusted signer and a short script into /work/ prior to configure.sh
https://www.ibm.com/docs/en/was/9.0.5?topic=tool-signercertificatecommands-command-group-admintask-object#rxml_atsignercert__cmd1
AdminTask.addSignerCertificate('[-keyStoreName NodeDefaultTrustStore -certificateAlias signer1 -certificateFilePath /work/signer.pem -base64Encoded true]')
AdminConfig.save()
The root signer might not be either the pem/crt you have, those could be the issued certificate and the signers. WebSphere allows you to setup the trust at any level, but it's ideal to trust the root CA that issued the cert.
We've also used a technique of importing a trust store into a Secret and mounting that into the expected location in the pods. This might make sense if you want to isolate any certificate changes from the app build cycle.
We're not using Kestrel, nor IIS Express. We use IIS for local development. Thus we can't find out any command of dotnet dev-certs to help us.
We can create a self-signed certificate in IIS by going into server node, then Server Certificates, then Create a self-signed certificate, and give it a name and either Personal or Web Hosting, and it's created. Then use it in binding of our site (443, https, choosing certificate and domain.local)
However, when we want to go to domain.local in Google Chrome we get that untrusted certificate warning.
We can export certificate in IIS and double click it to install it in Windows. Now the error we see in Chrome is that this certificate is created for LocalComputerName and can't be used for domain.local.
At this point we're stuck at how to specify domains (Subject Alternative Names or SAN) for self-signed certificates, and how to automate this process from command line.
Any help?
our company proxy brokes the SSL Connections and the proxy use our own CA.
So i have always tell the applications i use (RubyGems, Python Pip, Azure CLI ...) to use our company CA Certificate.
Does anyone know, how i can use our CA Certificate with a local Terraform installation?
Is the CA deployed to your OS's certificate store or can you import it? If so, Terraform (and probably other tools) should just be able to work with a proxy like this with no other configuration. If you need some further direction, tell us what operating system and how you typically access you have to the CA.
Edit:
#Kreikeneka have you have the certain the location CentOS expects to import into the store. There is a command you need to run that actually imports it update-ca-trust. Have you run this? If the cert is being used for SSL and you just need to trust it when going through your proxy, that is all you should need to do. You shouldn't need to tell your tools (Terraform, PIP, etc) to trust it for SSL with the proxy. If the cert is imported into your certificate store, it should be passively usable from any connection on from the machine from any process.
If you are using the cert for client authentication to the proxy then just trusting the cert by placing it in the certificate store probably won't work.
I'm not clear from your comments if you need the cert for SSL or for client authentication to the proxy. Check with your IT what it is really used for if you aren't sure and get back to us.
As of CentOS 6+, there is a tool for this. Per this guide,
certificates can be installed first by enabling the system shared CA
store:
update-ca-trust enable
Then placing the certificates to trust as CA's
in /etc/pki/ca-trust/source/anchors/ for high priority
(non-overridable), or /usr/share/pki/ca-trust-source/ (lower priority,
overridable), and finally updating the system store with:
update-ca-trust extract
Et voila, system tools will now trust those
certificates when making secure connections!
Source:
https://serverfault.com/questions/511812/how-does-one-install-a-custom-ca-certificate-on-centos
We do have an application(Qlik Nprinting) in Azure VM server running with an application in-built web server(not IIS). Due to port conflicts, we haven't installed IIS in the server. In order to avoid the error "There is a problem with the website security certificate" while launching the application web portal, we requested certificates team for SSL certificate. But they have provided us with .PFX file and told us to install in our server.
The certificate team has generated a CSR file from their end and created .PFX and shared it to us. When googled how to use .pfx file the steps were shown for IIS server, but in our case, we do not use IIS.
Could you please guide me on the steps how to use .pfx file in our server(which do not has IIS) to avoid the website security certificate error.
First to explain our application, its as follows...
1)We have one UBUNTU server where we are running Apache Tomcat and also RESTCOMM.
2) We have two application war files. One is the main application and another is a customized OLYMPUS Application to facilitate WebRTC calls. Now our Main application has a menu option which when clicked will load customized OLYMPUS Application into the browser and facilitates the WEBRTC for users.
3) We have tested this properly by using Self Signed Certficate and all is working well. But now we want to use CA apporved SSL Cert.
4) for this we have bout SSL CERT from GODADDY and for this the CSR was generated for Apache and then by using that CSR we downloaded the SSL CERT for Apache and configured by following the same process of how we configured Self Signed Cert.
5) Our main application is working well with the newly installed CA SSL Certificate. But when we try to load the customized OLYMPUS application we are getting the following error ...Web socket connection to ‘wss://>:/’ failed: WebSocket opening handshake was canelled.
We are able to get all working with self signed cert, but we are stuck with this problem when we use CA Approved SSL Cert from GO DADDY.
Request your suggestions pls.
Thanks in advance
Ias M
You need to configure Restcomm to use SSL Cert as well since the Websokets secure connection goes directly to Restcomm. Which method are you using for runnning Restcomm, using the zip file or the docker image ? Also which version of Restcomm are you running ?