Uploading a PFX or P12 Certificate

***This article is for Access Manager 1.1. If you are looking for the instructions for Access Manager 1.2, please use THIS ARTICLE.***

For secure, trusted access you must install an SSL server certificate on the Nervepoint Access Manager server. Access Manager only reads certificate files in PEM format; this article shows you how to convert a P12 or PFX file to PEM format before uploading the key and certificate to your Nervepoint Access Manager server.

The steps are as follows:

  1. Convert PFX or P12 certificate and key files to PEM format
  2. From Access Manager upload any intermediate certificate files
  3. Upload the new PEM-formatted key into the Access Manager VM
  4. Upload the associated new PEM-formatted certificate into the Access Manager VM
  5. Sync the certificate over to the Access Manager server

Prerequisites:

Step 1: Convert to PEM Format

NOTE: If you have requested and installed a certificate onto a Windows server using the Internet Information Service (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file.

  1. Download and install the Win32 OpenSSL (Win32 OpenSSL v0.9.8i) package from http://www.slproweb.com/products/Win32OpenSSL.html
  2. Open a command prompt and change into the OpenSSL\bin directory:
    cd %homedrive%\OpenSSL\bin
  3. Type the following command to extract the key file out into a PEM file (all on one line):
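    openssl pkcs12 -in yourcert.pfx -out newkey.pem -nocerts -nodes
    If prompted for the import password, enter the password you used when exporting the certificate to a PFX file. If prompted, do not set a password on the new file. The -nodes option writes the private key to newkey.pem unencrypted, so restrict access to that file until it has been uploaded.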
  4. Type the following command to extract the cert file out into a PEM file (all on one line):
    openssl pkcs12 -in yourcert.pfx -out newcert.pem -nokeys
    If prompted for the import password, enter the password you used when exporting the certificate to a PFX file. If prompted, do not set a password on the new file.
  5. NOTE: If you are installing these files on an Access Manager 1.1 installation, you will now need to clean the PEM files; if you are importing to Access Manager 1.2, proceed straight to step 6. Now that the key and certificate have been exported, the files may need to be cleaned to ensure they contain only the data that is required. Open both files in a text editor and check the beginning of the text: each file must start with -----BEGIN CERTIFICATE-----, -----BEGIN PRIVATE KEY-----, or a similar entry, and end with the closing line -----END CERTIFICATE-----, -----END PRIVATE KEY-----, or similar. Any text outside of this (before or after the lines) should be removed. In addition, there must not be any empty lines between the beginning and end of the text: there should be no more than one line break at the end of the BEGIN line and one line break before the END line. Once the unwanted information is removed, save these files.
  6. Now it is time to upload the new PEM files
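
The clean-up described in step 5 can also be scripted. The following Python is an added example, not part of the original article or of Nervepoint's tooling; the names clean_pem and sample_export and the sample export text are constructed for illustration. It keeps only the BEGIN/END blocks, drops blank lines, and refuses blocks that are not plain base64.

```python
import base64
import re

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL
)


def clean_pem(text):
    """Return only the PEM blocks in text, without stray text or blank lines."""
    cleaned = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        lines = [ln.strip() for ln in match.group(2).splitlines() if ln.strip()]
        if any(":" in ln for ln in lines):
            # Headers such as "Proc-Type:" inside a block mark an encrypted
            # legacy key; stripping them would leave an unusable file.
            raise ValueError(f"{label} block carries encapsulated headers")
        # Raises binascii.Error (a ValueError) if the body is not base64.
        base64.b64decode("".join(lines), validate=True)
        cleaned.append("\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
        ))
    if not cleaned:
        raise ValueError("no PEM block found")
    return "\n".join(cleaned) + "\n"


def sample_export():
    """Constructed stand-in for pkcs12 output; the body is not a real key."""
    body = base64.b64encode(b"constructed sample, not a key " * 4).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (
        "Bag Attributes\n"
        "    localKeyID: 01 00 00 00\n"
        "Key Attributes: <No Attributes>\n"
        "-----BEGIN PRIVATE KEY-----\n\n"
        + "\n\n".join(rows)
        + "\n\n-----END PRIVATE KEY-----\n\n"
    )


if __name__ == "__main__":
    print(clean_pem(sample_export()), end="")
```

To use it on the real files, read newkey.pem or newcert.pem as text, pass the contents to clean_pem, and write the result back before uploading.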

 

Step 2: Upload the Key File

  1. Log into the VM admin console (https://<server>:10000/)
  2. Navigate to PKI Certificate and Key Management -> Import Key or Signed Certificate
  3. Use the "Upload Key" for the next step

    key.png

  4. Click 'Browse' next to the "key file to upload" field to select your newkey.pem file
  5. DO NOT change the destination file name or destination directory of key

  6. Click 'Upload Key'

Step 3: Uploading Root or Intermediate PEM Certificates

The following 2 steps use the same form to upload your CA's root and intermediate certificates as well as your issued certificate. Navigate to PKI Certificate and Key Management -> Import Key or Signed Certificate

It is important that you upload using the "Upload Certificate" button for all the following steps. Do not use the "Upload Key" option as it will overwrite your private key and require that you reset it and have your CA re-issue your certificate.

Screen-Shot-2013-02-22-at-12.01.png

 

1. Click 'Browse' next to the "Certificate file to upload" field to select your root or intermediate certificates.

2. Change the "Destination directory of the certificate" to:

  •  /etc/ssl/certs/java

3. DO NOT change the destination file name of the certificate

4. Click 'Upload Certificate'

 

Step 4: Uploading your Certificate

1. Click 'Browse' next to the "Certificate file to upload" field to select your newly converted certificate PEM file.

2. Ensure the "Destination directory of the certificate" shows:

  •  /etc/ssl/certs

3. DO NOT change the destination file name of the certificate

4. Click 'Upload Certificate'

 

Step 5: Synchronizing Certificate

If you have used a pre-built VM, this next step happens automatically and can be skipped. You can verify that you have a pre-built VM, or that you have all the correct components installed to take advantage of the automatic process, by checking that the VM control menu is installed as shown below.

vm-menu.png

If not, you will have to perform the certificate synchronization process manually.

 Download the attached script to your Access Manager server, apply execute permissions to it and add it to your path. Whenever any certificate changes are made in Webmin, manually run this script to sync the changes across.

 NOTE: This script has been written for Ubuntu, minor changes may be needed to run on other operating systems.

  Download synch Script 
