Article Prerequisites
Before following this article, make sure the corporate CA has issued a suitable web server certificate for the management server (for example, from the Web Server Certificate template). This article does not cover the steps to request or issue that certificate.
This article assumes that the correct type of web server certificate has already been created and exported as a PFX file that includes the private key, and that the PFX password is known.
Before implementing new web server certificates, take a backup of the Forcepoint Management Infrastructure (EIPBackup) so that a restoration is possible if needed. For general backup information, see the Backup and Restore FAQ.
Implementing the PFX Certificate for the Forcepoint Infrastructure Web UI (EIP)
- Make a backup of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra. This key contains the string value APASSPHRASE, which holds the passcodes for previous certificates.
- Make a backup of the ..\Websense\EIP Infra\apache\conf\keystore\httpd folder, which contains the old certificates.
- Copy the PFX file into C:\Temp and rename the file to httpd-server.pfx
- Open an administrative command prompt and navigate to ..\Websense\EIP Infra\apache\bin\
- To extract the certificate (and only the certificate; -clcerts excludes CA certificates and -nokeys excludes the private key), run the following command:
- openssl pkcs12 -in C:\Temp\httpd-server.pfx -out C:\Temp\httpd-server.cer -nodes -clcerts -nokeys
- Provide the PFX password when prompted. For some PFX files the OpenSSL command does not run with the -nokeys option; in that case remove it and provide the password when prompted. Because of -nodes, the output will then also contain the private key in plain text: open httpd-server.cer in a text editor and delete the PRIVATE KEY block so that the file holds only the certificate.
- To extract the private key (-nocerts excludes all certificates, -nodes leaves the key unencrypted), run the following command:
- openssl pkcs12 -in C:\Temp\httpd-server.pfx -out C:\Temp\httpd-server.key -nodes -nocerts
- Provide the PFX password when prompted.
- For some PFX files the OpenSSL command does not run with the -nocerts option; in that case remove it and provide the password when prompted. The output will then also contain the certificate(s): delete the CERTIFICATE blocks from httpd-server.key so that the file holds only the key.
- To convert the private key into the encrypted PKCS#8 format, run the following command:
- openssl pkcs8 -topk8 -in C:\Temp\httpd-server.key -out C:\Temp\httpd-server.key.pk8 -v1 PBE-SHA1-3DES -inform PEM
- When prompted for an encryption password, enter the passphrase that will protect the .pk8 key file; this can be the same as the PFX password or a new one. Because the key was extracted with -nodes, OpenSSL does not ask for the PFX password here. Note the passphrase you choose; it is the value that is stored in APASSPHRASE with bls.exe later in this procedure.
- Stop the Websense TRITON Web Server service.
- Copy the following files from C:\Temp into ..\Websense\EIP Infra\apache\conf\keystore\httpd, replacing the existing files:
- httpd-server.cer
- httpd-server.key
- httpd-server.key.pk8
- Store the .pk8 passphrase in APASSPHRASE by running:
- bls.exe encrypt <passphrase chosen for the .pk8 key file> set
- Open ..\Websense\EIP Infra\apache\conf\extra\httpd-ssl.conf in a text editor and comment out the following line by prefixing it with #:
- SSLCertificateChainFile conf/keystore/httpd/httpd-ca.cer
- With this directive commented out, Apache sends only the server certificate. If the corporate CA that issued the certificate is a subordinate (intermediate) CA, clients that do not already trust the intermediate will report a certificate chain error; in that case, instead of commenting the line out, point SSLCertificateChainFile at a PEM file containing the intermediate CA certificate(s).
- Start the Websense TRITON Web Server service.
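The procedure above, from the backups through restarting the service, as a single PowerShell script to be run from an elevated session on the management server. This is an added example and not a Forcepoint-supplied script. It assumes, beyond what the article states, that the caller supplies the folder containing "EIP Infra" and the path to the PFX file, that bls.exe sits next to openssl.exe in EIP Infra\apache\bin, and that C:\Temp is the work folder. It also adds two checks the article does not spell out before the files are copied into place: that httpd-server.cer contains no private key block and that the certificate and the extracted private key belong together.

```powershell
<#
  Added example, not a Forcepoint script. Performs the certificate swap described in the
  article from an elevated PowerShell session. Assumptions not taken from the article: the
  caller supplies the folder that contains "EIP Infra" and the PFX path; openssl.exe and
  bls.exe are both in EIP Infra\apache\bin; C:\Temp is the temporary work folder.
#>
param(
    [Parameter(Mandatory)][string]$WebsenseRoot,   # folder that contains "EIP Infra"
    [Parameter(Mandatory)][string]$PfxPath         # exported PFX (certificate + private key)
)
$ErrorActionPreference = 'Stop'

$eip      = Join-Path $WebsenseRoot 'EIP Infra'
$bin      = Join-Path $eip 'apache\bin'
$keystore = Join-Path $eip 'apache\conf\keystore\httpd'
$sslConf  = Join-Path $eip 'apache\conf\extra\httpd-ssl.conf'
$openssl  = Join-Path $bin 'openssl.exe'
$bls      = Join-Path $bin 'bls.exe'                 # assumed location of bls.exe
$work     = 'C:\Temp'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Native executables do not throw on failure, so check the exit code after every call.
# The error message deliberately omits the arguments so a passphrase can never leak into it.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    $out = & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
    $out
}

# 1. Backups: the registry key holding APASSPHRASE, the current keystore folder, and httpd-ssl.conf.
Invoke-Tool 'reg.exe' @('export', 'HKLM\SOFTWARE\Wow6432Node\Websense\EIP Infra', (Join-Path $work "EIPInfra-$stamp.reg"), '/y') | Out-Null
Copy-Item -Path $keystore -Destination (Join-Path $work "keystore-httpd-$stamp") -Recurse
Copy-Item -Path $sslConf  -Destination "$sslConf.$stamp.bak"

# 2. Passphrases are passed to openssl through environment variables (openssl's env: source),
#    so neither appears on a command line or in the shell history.
$env:PFXPW = Read-Host -Prompt 'PFX password'
$env:PK8PW = Read-Host -Prompt 'Passphrase for httpd-server.key.pk8 (same as the PFX password or a new one)'

$pfx = Join-Path $work 'httpd-server.pfx'
$cer = Join-Path $work 'httpd-server.cer'
$key = Join-Path $work 'httpd-server.key'
$pk8 = Join-Path $work 'httpd-server.key.pk8'
Copy-Item -Path $PfxPath -Destination $pfx -Force

# 3. Certificate only (-clcerts -nokeys), private key only (-nocerts), then the key as encrypted PKCS#8.
Invoke-Tool $openssl @('pkcs12', '-in', $pfx, '-out', $cer, '-nodes', '-clcerts', '-nokeys', '-passin', 'env:PFXPW')
Invoke-Tool $openssl @('pkcs12', '-in', $pfx, '-out', $key, '-nodes', '-nocerts', '-passin', 'env:PFXPW')
Invoke-Tool $openssl @('pkcs8', '-topk8', '-inform', 'PEM', '-in', $key, '-out', $pk8, '-v1', 'PBE-SHA1-3DES', '-passout', 'env:PK8PW')

# 4. Sanity checks before the server is touched.
if (Select-String -Path $cer -Pattern 'PRIVATE KEY' -Quiet) {
    throw "$cer contains a private key block; it must hold only the certificate."
}
if ((Get-Content -Path $pk8 -TotalCount 1) -ne '-----BEGIN ENCRYPTED PRIVATE KEY-----') {
    throw "$pk8 is not an encrypted PKCS#8 key."
}
# The public key inside the certificate must equal the public key derived from the private key.
$certPub = (Invoke-Tool $openssl @('x509', '-in', $cer, '-noout', '-pubkey')) -join "`n"
$keyPub  = (Invoke-Tool $openssl @('pkey', '-in', $key, '-pubout')) -join "`n"
if ($certPub -ne $keyPub) { throw 'Certificate and private key do not match.' }

# 5. Swap the files while the web server is stopped.
$svc = Get-Service -DisplayName 'Websense TRITON Web Server'
$svc | Stop-Service
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
foreach ($f in @($cer, $key, $pk8)) { Copy-Item -Path $f -Destination $keystore -Force }

# 6. Record the .pk8 passphrase as APASSPHRASE, using the bls.exe syntax given in the article.
Invoke-Tool $bls @('encrypt', $env:PK8PW, 'set') | Out-Null

# 7. Comment out the chain-file directive; lines that are already commented are left untouched.
$conf = Get-Content -Path $sslConf
$conf = $conf -replace '^(\s*)(SSLCertificateChainFile\s+conf/keystore/httpd/httpd-ca\.cer)', '$1#$2'
Set-Content -Path $sslConf -Value $conf -Encoding ASCII

$svc | Start-Service
Remove-Item -Path Env:\PFXPW, Env:\PK8PW
# C:\Temp still holds the PFX and the unencrypted httpd-server.key; delete them once the UI is confirmed working.
```

If the issuing CA is an intermediate CA, replace step 7 with a line that points SSLCertificateChainFile at a PEM file holding the intermediate certificate(s) rather than commenting the directive out. The script stops at the first failed check, which leaves the service running on the old certificate and the backups in C:\Temp intact.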
In case the Websense TRITON Web Server fails with Error Code 1 on start:
Error code 1 is a generic service start failure and does not identify the cause. Go to ..\Websense\EIP Infra\apache\log\ and review error.log and the most recent ssl_error.xxxx-xx-xx-xx_xx_xx.log; these contain the Apache messages that describe the actual problem (for example, a passphrase that does not decrypt the key, or a key that does not match the certificate) and are self-explanatory.
In case a restoration of the old certificates is needed, restore from the EIPBackup (or from the copy of the keystore\httpd folder made at the start of this procedure):
- Copy the original certificates from the EIPBackup (DATA\apache\conf\keystore\httpd) into the original location:
- ..\Websense\EIP Infra\apache\conf\keystore\httpd
- Restore the old passcode in APASSPHRASE from the registry backup into HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra
- Restart the Websense TRITON Web Server service.