Replace the LiveUpdate Administrator certificate with a signed certificate

Article ID: 171754

Products

Endpoint Protection

Issue/Introduction

You need to replace the certificate used for secure communications on the LiveUpdate Administrator server with a signed certificate.

Resolution

Generating a new Java Key Store container which will hold the certificate

LiveUpdate Administrator stores its certificate in a Java Key Store container (server-cert.ssl). The steps below are designed to create a new container to replace the old one. To ensure the appropriate common name (CN) and subject alternative name (SAN) are on the certificate you will need to replace "lua.mydomain.local" in several places with the Fully Qualified Domain Name (FQDN) of the LiveUpdate Administrator Server. It's possible to add more than one SAN to a certificate or certificate signing request, but this document assumes there's only need for one, the FQDN.

  1. Launch a command prompt
  2. Run the following command to start the process of creating a new Java Key Store container

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool" -genkeypair -keysize 2048 -keyalg RSA -alias lua.mydomain.local -storetype jks -keystore c:\windows\temp\newcert.jks -ext san=dns:lua.mydomain.local

    Provide the following when requested:

    Enter keystore password: password (Replace this with something more secure. The same password will be used elsewhere in the process)
    Re-enter new password: password
    What is your first and last name? [Unknown] : lua.mydomain.local
    What is the name of your organizational unit?: Symantec (replace with appropriate organizational unit)
    What is the name of your organization?: Symantec Corporation (replace with appropriate organization)
    What is the name of your City or Locality?: Springfield (replace with appropriate city)
    What is the name of your State or Province?: Oregon (replace with appropriate state or province)
    What is the two-letter country code for this unit?: US (replace with appropriate two-letter country code)
    Is CN=lua.mydomain.local, OU=Symantec, O=Symantec Corporation, L=Springfield, ST=Oregon, C=US correct?: yes (type no followed by enter to re-enter the data)
    Enter key password for <lua.mydomain.local>: password (must be the same as above)
    Re-enter new password: password

    A new keystore with the name newcert.jks will now be placed in C:\windows\temp.

Generating the Certificate Signing Request (CSR)

  1. Launch a command prompt
  2. Run the following command to generate a CSR. The example below will result in a CSR with a common name as well as a subject alternative name equal to "lua.mydomain.local"

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool" -certreq -alias lua.mydomain.local -keyalg RSA -storetype jks -file c:\windows\temp\newcert.csr -ext san=dns:lua.mydomain.local -keystore c:\windows\temp\newcert.jks

    Provide the following when requested:

    Enter keystore password: password (as specified above)

    A new certificate signing request file with the name "newcert.csr" will now be placed in C:\windows\temp alongside "newcert.jks". You will need to send the CSR file or contents to the Certificate Authority for signing.

Importing root and intermediate certificates provided by certificate authority (CA), followed by importing the signed certificate provided by the same CA.

The process below assumes that the intermediate certificate is located in c:\windows\temp\intermediate.cer, that the root certificate is located in "c:\windows\temp\root.cer" and the signed certificate provided by your CA is stored in "c:\windows\temp\signedcert.cer".

  1. Run the following command to import the root certificate.

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool" -import -alias root -trustcacerts -storetype jks -file c:\windows\temp\root.cer -keystore c:\windows\temp\newcert.jks

    Provide the following when requested:

    Enter keystore password: password (replace with the same password used above)
    Trust this certificate? [no]: yes
    If successful, you will be notified with "Certificate was added to keystore"
     
  2. Run the following command to import the intermediate certificate.

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool" -import -alias intermediate -trustcacerts -storetype jks -file c:\windows\temp\intermediate.cer -keystore c:\windows\temp\newcert.jks

    Provide the following when requested:

    Enter keystore password: password (replace with the same password used above)
    Trust this certificate? [no]: yes
    If successful, you will be notified with "Certificate was added to keystore"
     
  3. Run the following command to import the signed certificate provided by your CA.

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool" -import -alias lua.mydomain.local -trustcacerts -storetype jks -file c:\windows\temp\signedcert.cer -keystore c:\windows\temp\newcert.jks

    Provide the following when requested:

    Enter keystore password: password (replace with the same password used above)
    If successful, you will be notified with "Certificate was added to keystore"
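
A check worth running before the keystore is put in place, shown as an added example that is not part of the original article. It reads the keystore back with keytool -list -v and confirms that the alias is still a private key entry, that the full chain is attached, and that the CN and SAN carry the FQDN. The helper name Test-KeytoolListing is hypothetical, and the expected chain length of 3 assumes one intermediate certificate, as the import steps above do.

```powershell
# Added example (not from the original article). Assumes English keytool output.
$keytool  = 'C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool.exe'
$keystore = 'C:\windows\temp\newcert.jks'
$fqdn     = 'lua.mydomain.local'   # alias, CN and SAN all use the server FQDN
$expectedChain = 3                 # assumption: server cert + one intermediate + root

# Hypothetical helper: returns a list of problems found in "keytool -list -v" output.
function Test-KeytoolListing {
    param([string[]]$Lines, [string]$Fqdn, [int]$ChainLength)
    $problems = @()
    $name = [regex]::Escape($Fqdn)

    # The signed certificate must sit on the key pair, not beside it as a trusted cert.
    if (-not ($Lines -match '^Entry type:\s*PrivateKeyEntry')) {
        $problems += 'Alias is not a PrivateKeyEntry.'
    }
    # A chain length of 1 means only one certificate is attached to the key.
    $m = $Lines | Select-String -Pattern '^Certificate chain length:\s*(\d+)' |
        Select-Object -First 1
    $found = if ($m) { [int]$m.Matches[0].Groups[1].Value } else { 0 }
    if ($found -ne $ChainLength) {
        $problems += "Certificate chain length is $found, expected $ChainLength."
    }
    # The first Owner/Issuer pair belongs to Certificate[1], the server certificate.
    $owner  = @($Lines -match '^Owner:')[0]
    $issuer = @($Lines -match '^Issuer:')[0]
    if ($owner -notmatch ('CN=' + $name + '(,|$)')) {
        $problems += "Subject CN is not $Fqdn."
    }
    if ($owner -and ($owner -replace '^Owner:\s*') -eq ($issuer -replace '^Issuer:\s*')) {
        $problems += 'Server certificate is still self-signed.'
    }
    if (-not ($Lines -match ('^\s*DNSName:\s*' + $name + '\s*$'))) {
        $problems += "No SubjectAlternativeName DNSName entry for $Fqdn."
    }
    return $problems
}

# keytool asks for the keystore password; the listing contains certificates only.
$listing = & $keytool -list -v -alias $fqdn -storetype jks -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($listing -join ' ')" }

$problems = Test-KeytoolListing -Lines $listing -Fqdn $fqdn -ChainLength $expectedChain
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else {
    Write-Output "newcert.jks: key entry, chain and SAN for $fqdn look correct."
}
```

A missing DNSName warning after a clean import usually means the CA did not carry the SAN over from the CSR, which has to be resolved with the CA rather than in the keystore.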

Replacing the current LiveUpdate Certificate keystore with the newly created keystore

The original certificate is stored in a file called "server-cert.ssl" which is located in the root of the LiveUpdate Administrator folder, i.e. "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\server-cert.ssl". The process below will leave the original file intact, in case there is something wrong with the new certificate.
 

  1. Stop the service "LUA Apache Tomcat" (if the product is busy, this may take several minutes. Do not kill the process)
  2. Stop the service "LUA PostgreSQL"
  3. Copy "C:\windows\temp\newcert.jks" to the "C:\Program Files (x86)\Symantec\LiveUpdate Administrator" folder
  4. Create a backup copy of "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\conf\catalina.properties"
  5. Create a backup copy of "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\conf\server.xml"
  6. Edit "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\conf\catalina.properties" with notepad.exe.

    WARNING: The section below needs to be updated to include steps to encrypt the password used on the JKS keystore as documented in the article Replace Live Update Administrator certificate. Since version 2.3.7, you can use a command to encrypt the password to the keystore. The steps below are still valid for earlier versions of LiveUpdate Administrator.
     
  7. Per the instructions in Replace Live Update Administrator certificate, comment out the following line by inserting "#":

    org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.symantec.lua.SSLPasswordDecrypt

    (new)
    #org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.symantec.lua.SSLPasswordDecrypt

  8. Locate the ks.password variable in "catalina.properties" and comment it out. For example:

    ks.password=YqnftEU2J5Og5oF98l6hGQ==

    (new)
    #ks.password=YqnftEU2J5Og5oF98l6hGQ==

  9. Right underneath, introduce a new ks.password string with the password to the "newcert.jks" file you created above. For example:

    ks.password=password

  10. Save the changes to catalina.properties and close notepad.exe.
  11. Edit "server.xml" with notepad.exe
  12. Proceed to the following section in the file, and replace "server-cert.ssl" with "newcert.jks". For example:

    keystoreFile="../newcert.jks" keystorePass="${KS.EN_US}"
    ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
    sslEnabledProtocols = "TLSv1,TLSv1.1,TLSv1.2" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" redirectPort="7073" acceptCount="100"
    connectionTimeout="20000" disableUploadTimeout="true" />

  13. Save the changes to server.xml and close notepad.exe
  14. Start the LUA services and visit the LiveUpdate Administrator console via a web browser to check that the new certificate is in place.