The Symantec Scan Engine management interface is served over HTTPS (for example, https://hostname:8004), but by default it uses a self-signed certificate. The management interface also supports signed certificates. These can be imported with the Certificate Import Utility, but they must be in PFX/PKCS#12 format. This article demonstrates the steps needed to generate a CSR (Certificate Signing Request) and to convert and import the signed certificate for use with the Scan Engine management interface.
As noted above, the default Scan Engine management interface uses self-signed certificates, which cause the web browser to generate warnings. These are some of the error messages you may encounter:
Upon reviewing the certificate, you will notice that it was issued to Symantec Scan Engine 5.1 by Symantec Scan Engine 5.1, and that it should be valid for 5 years from the date you installed Symantec Scan Engine 5.1 for Windows.
Java will also generate warning messages:
These warning messages are expected behavior and do not indicate a problem with the product. The benefit of using a signed certificate is that these types of warning messages should no longer be displayed.
Before you can generate a CSR on a machine that is running Symantec Scan Engine 5.1, you will need to obtain a copy of the OpenSSL binary (executable). To obtain information about OpenSSL you should visit the following websites:
Generating a Key Pair and CSR for an Apache Server with modssl
Shining Light Productions - Win32 OpenSSL
(At the time this document was created, the latest Win32 OpenSSL binary version is v0.9.8e Light)
The Win32 installer places OpenSSL in the "C:\OpenSSL" folder. The "openssl.exe" binary can be found in the "C:\OpenSSL\bin" folder.
This binary will be used to create a private key, to generate a CSR, and to combine the private key and the signed certificate into a p12-bundle that can be imported with the Scan Engine Certificate Import Utility. After installing OpenSSL, open a command prompt (cmd.exe) and change to the "C:\OpenSSL\bin" folder:
In the steps below the host-name "scanengine.example.local" will be used as an example.
How to generate the private key
How to generate the CSR (Certificate Signing Request)
OPTIONAL: How to generate a self-signed certificate
After you have received the certificate or created a self-signed certificate, you will need to combine the private key and the certificate into a p12-bundle that can be imported with the Scan Engine Certificate Import Utility.
NOTE: If you used Microsoft Certificate Services to generate the certificate, ensure that the certificate is downloaded in base64 encoded format.
How to combine the private key and a certificate into a p12-bundle
NOTE: Since the name of the file provided by the third party entity may be different from what is shown in the example above, you may need to replace "scanengine.example.local.crt" with the true name of the file.
How to import the p12-bundle with the Scan Engine Certificate Import Utility
Restart the service and close and re-open your web browser
This completes the procedure. The Scan Engine server should now use the new certificate for secure communication with the Scan Engine Management Interface.
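The OpenSSL side of the procedure above, as an added example that is not part of the original article and not Symantec's own commands: a cmd.exe batch file that creates the key, the CSR and the optional self-signed certificate, checks that the certificate matches the private key, and builds the p12-bundle. The 2048-bit key size, the subject containing only a CN, the 365-day validity and the openssl.cnf location are assumptions; the Certificate Import Utility step is not shown.

```bat
@echo off
rem Added example (not from the original article). Run from cmd.exe.
setlocal
cd /d C:\OpenSSL\bin
set NAME=scanengine.example.local
rem Assumed location of the OpenSSL configuration file; adjust for your build.
set OPENSSL_CONF=C:\OpenSSL\bin\openssl.cnf

rem 1. Private key. 2048-bit RSA is an assumed size. An existing key is kept,
rem    because a CA-signed certificate only matches the key behind its CSR.
if not exist %NAME%.key (
  openssl genrsa -out %NAME%.key 2048 || exit /b 1
)

rem 2. CSR. The CN must equal the host name typed into the browser.
if not exist %NAME%.csr (
  openssl req -new -key %NAME%.key -out %NAME%.csr -subj "/CN=%NAME%" || exit /b 1
)

rem 3. OPTIONAL: self-signed certificate. Skipped when a CA has already
rem    returned %NAME%.crt (base64 encoded) for the CSR from step 2.
if not exist %NAME%.crt (
  openssl x509 -req -days 365 -in %NAME%.csr -signkey %NAME%.key -out %NAME%.crt || exit /b 1
)

rem 4. Confirm the certificate belongs to this private key before bundling.
set CRTMOD=
set KEYMOD=
for /f "delims=" %%A in ('openssl x509 -noout -modulus -in %NAME%.crt') do set CRTMOD=%%A
for /f "delims=" %%A in ('openssl rsa -noout -modulus -in %NAME%.key') do set KEYMOD=%%A
if not defined CRTMOD exit /b 1
if not "%CRTMOD%"=="%KEYMOD%" (
  echo ERROR: %NAME%.crt was not issued for %NAME%.key
  exit /b 1
)

rem 5. Combine key and certificate into the p12-bundle. OpenSSL prompts for
rem    an export password that protects the bundle.
openssl pkcs12 -export -in %NAME%.crt -inkey %NAME%.key -out %NAME%.p12 || exit /b 1

rem 6. Read the bundle back (prompts for the same password) to confirm it opens.
openssl pkcs12 -info -noout -in %NAME%.p12 || exit /b 1
echo Created %NAME%.p12
```

The .key file written in step 1 is unencrypted, so restrict access to it and remove it from "C:\OpenSSL\bin" once the bundle has been imported.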
OpenSSL: The Open Source Kit for SSL/TLS