Management Center (MC) uses a self-signed certificate on the management web interface by default. If you want a CA-signed certificate instead, the key pair and the Certificate Signing Request (CSR) have to be created off the box, because MC cannot generate them itself.
With a self-signed certificate the customer gets a browser error complaining about the untrusted certificate.
All browsers ship with a certificate trust store containing the public root Certificate Authorities (CAs). Since the MC certificate is self-signed, the customer can eliminate the untrusted-certificate browser error by using a certificate signed by a CA their browsers trust.
Create the private key (keyring) in OpenSSL: openssl genrsa -out mc.key 2048
Create the Certificate Signing Request (CSR) in OpenSSL: openssl req -new -sha256 -key mc.key -out mc.lab.local.csr
One thing to note is that the Common Name (CN) field should match either the FQDN or the IP address of the MC, depending on how you are going to access it.
Sign with the internal CA and add the Subject Alternative Name (SAN) for Chrome support (see TECH246317). If you do not add the SAN, Chrome will fail the certificate check.
An even easier option, if the CA is a Microsoft CA, is to add the SAN string in the Attributes box during Web Enrollment, as described by Microsoft.
Take the signed certificate and mc.key and create a .pfx: openssl pkcs12 -inkey mc.key -in mc.lab.local.crt -export -out mc.lab.local.pfx
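The off-box part of the procedure above as one runnable script (an added example, not part of the article): because the customer's internal CA is not available here, a throw-away lab CA stands in for it so the script is self-contained, and the name mc.lab.local, the lab CA subject and the .pfx password changeit are assumed placeholders. The SAN is injected at signing time and then checked, which is the part the Chrome note above depends on.

```shell
#!/bin/sh
# Added example, not from the article. Key -> CSR -> CA-signed cert with SAN -> .pfx,
# then verify the chain and that the SAN covers the MC name used in the CN.
set -eu

WORK=$(mktemp -d)
MC_NAME="mc.lab.local"   # assumed FQDN; use the IP here if the MC is reached by IP

# Lab CA standing in for the customer's internal CA (assumption; real CA is off-box).
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Lab Root CA/O=lab.local" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Article steps: private key, then a CSR whose CN is the MC name.
make_key_and_csr() {
  openssl genrsa -out "$WORK/mc.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/mc.key" \
    -subj "/CN=$MC_NAME/O=Blue Coat Management Center" -out "$WORK/$MC_NAME.csr"
}

# Sign with the CA and add the SAN (DNS:name, or IP:addr if accessed by IP) Chrome requires.
sign_with_san() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$MC_NAME" > "$WORK/san.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$MC_NAME.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/$MC_NAME.crt" 2>/dev/null
}

# Bundle key + signed cert into the .pfx the MC import expects (placeholder password).
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/mc.key" -in "$WORK/$MC_NAME.crt" \
    -passout pass:changeit -out "$WORK/$MC_NAME.pfx"
}

# Succeeds only if the cert chains to the CA and its SAN names the MC.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$MC_NAME.crt" >/dev/null &&
  openssl x509 -in "$WORK/$MC_NAME.crt" -noout -text | grep -q "DNS:$MC_NAME"
}

make_lab_ca && make_key_and_csr && sign_with_san && make_pfx
verify_cert && echo "OK: $WORK/$MC_NAME.pfx is ready to upload to the MC"
```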
Name: defaultcertkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate:
Owner: CN=10.91.17.106, OU=0801418817, O=Blue Coat Management Center
Issuer: CN=10.91.17.106, OU=0801418817, O=Blue Coat Management Center
Serial number: ea3014fd27d456cb
Valid from: Thu Dec 28 15:22:20 UTC 2017 until: Sat Dec 28 15:22:20 UTC 2019
Certificate fingerprints:
MD5: 4C:B0:41:11:50:9E:F7:76:A1:9D:7D:E3:45:F4:4F:A2
SHA1: E4:09:42:AC:DB:C2:AE:6F:F0:5E:92:09:36:40:4A:8D:48:7F:52:F1
SHA256: 94:8F:43:20:05:24:00:4C:4B:66:2B:2F:53:AB:A7:3E:C2:76:6D:39:54:54:E0:69:E0:38:9B:94:BB:0E:E5:49
Signature algorithm name: SHA256withRSA
Version: 3
Management Center#
9. Add the root CA certificate that signed it:
Management Center# security ssl import external-certificate lab.local.cer ftp://
Enter server username (optional): admin
Enter server password:
Downloading certificate...
220 Microsoft FTP Service
331 Password required for admin.
230 User logged in.
257 "/" is current directory.
250 CWD command successful.
229 Entering Extended Passive Mode (|||56109|)
200 Type set to I.
213 1261
125 Data connection already open; Transfer starting.
226 Transfer complete.
Inspecting certificate file...
Please verify this is the correct certificate to import:
------------------Output omitted for brevity--------------
Are you sure you want to import this as a trusted certificate? [y/N]
Importing certificate...
Certificate imported.
10. Restart the web-management service:
Management Center# restart services
*NOTE - the imported server certificate will not show in the certificate list, but it is in place; confirm this by browsing to the MC web interface and checking the certificate the browser receives.
Management Center# security ssl list server-certificates
The following server certificates have been installed:
11. Verify that the server and external (root) certificates have been imported.
Management Center# security ssl list external-certificates all
Use space bar to show more.