Jump to content
Kaspersky Support Forum

How to create the certificate from Internal CA and change KATA SB Web UI Certificate [KATA/KEDRE]

svc_kms

Entry posted by svc_kms in How-to

15 views

 Share

To create a Certificate Signing Request file using the openssl utility:

1. Prepare a file named sandbox.config with the following contents:

[req]
default_bits=2048
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
[dn]
C=AE
ST=North
L=Dubai
O=ABC LAB
OU=IT Security
emailAddress=security@abc.lab
CN=katasb.abc.lab
[req_ext]
subjectAltName=@alt_names
[alt_names]
DNS.1=katasb.abc.lab

image.thumb.png.4598b9554ecf7357492f616bdfff2c35.png

2. Create a private RSA key with the PEM extension (without a passphrase):

#openssl genrsa -out sandbox.key 2048

3. Create a Certificate Signing Request using the following command:

#openssl req -new -sha256 -key sandbox.key -out sandbox.csr -config sandbox.config

4. Generate the certificate (as Web Server certificate) from Internal CA in Base 64 encoded and copy the certificate and key to the KATA SB Server

Note: you might need to allow the connection using WinSCP (https://forum.kaspersky.com/topic/how-to-copy-files-tofrom-kata-katakedre-37146/ section 1.2). 
Access your internal CA from Domain Controller using https://dc.abc.lab/certsrv and follow the instructions as below screenshots.

image.thumb.png.b5ad1cd6aa24d4921b1c15754a1904ff.png

image.thumb.png.ba1322841548210a46b2ee5ad544db5d.png

image.thumb.png.6759b6bc382267530f5ba570f206dffc.png

image.thumb.png.96d23da0c30a2b02b33a741a65aeddff.png

5. To convert the DER encoded PKCS#7 file, use the following command:

#openssl x509 -inform PEM -in sandbox.cer -out sandbox.crt

6. On the Sandbox server in SSH mode, Create a backup of original files both the private key and the certificate with same rights as it was before.

#cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig

#cp -p /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.orig

7. Replace the original files with your files

#cat my_cert.crt > /etc/nginx/ssl/server.crt

#cat my_cert.key > /etc/nginx/ssl/server.key

8. Rights and owner of the files should be same

#ll /etc/nginx/ssl

-rw-r----- 1 root klusers 2008 Feb  8 15:51 server.crt

-rw------- 1 root root    1732 Feb  8 15:51 server.key

9. If the rights are different for the new files, then use the below command to change the rights and ownership

#chmod 640 server.crt

#chown root:klusers server.crt

#chmod 600 server.key

#chown root:root server.key

10. Restart nginx service

#systemctl restart nginx.service

11. Open the KATA SB Web UI using the hostname and verify the certificate.

image.thumb.png.5bcdd2505a4d17e18257207ced5ed151.png

 Share

0 Comments

Recommended Comments

There are no comments to display.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...