Generating a Microsoft CA signed certificate for NetVault Webservice (WebUI) in version 10.x
When opening the WebUI of NetVault 10.x in a Web Browser, a certificate warning might appear.
When installing NetVault Server 10.x a self-signed certificate is generated. This causes a certificate warning in most Web Browsers when you open the URL of NetVault's Management WebUI.
In this example, we replaced the certificate using a Microsoft Enterprise CA. (A certificate generated with OpenSSL will be sufficient as well.)
Used Software:
   Windows Server 2012 R2 Enterprise
   Installed and configured role: Active Directory Certificate Services (Enterprise CA)
   OpenSSL for Windows
[Windows Enterprise CA]
1. Open the Certificate Authority Management Console
2. Expand your Top Level CA and navigate to "Certificate Templates"
3. Right-click on "Certificate Templates" and select "Manage"
4. Right-click on the template "Web Server" and select "Duplicate Template"
5. Change the following values:
   General: Give the template a name (e.g. nvweb)
   General: Change validity period (to e.g. 5 years)
   Request Handling: Select "Allow private key to be exported"
   Extensions: --> Select "Key Usage" --> Select "Edit"
      Additionally select "Signature is proof of origin (nonrepudiation)" and "Allow encryption of user data"
6. Go back into the Certificate Authority Management Console
7. Right-click "Certificate Templates" --> "New" --> "Certificate Template to Issue" --> Select the newly created template (e.g. "nvweb")
[NetVault Server or another server that has access to the Microsoft CA]
1. Open e.g. Internet Explorer and navigate to your Microsoft CA (e.g. https://windca.ab.local/certsrv)
2. Select a task: "Request a certificate"
3. Select "Or, submit an advanced certificate request"
4. Select "Create and submit a request to this CA"
5. Pick the correct Certificate Template, e.g. "nvweb"
6. Fill out the information for the certificate (Name = the name of the operating system where NetVault Server is installed)
   Info: Country/Region: Only 2 characters are allowed, e.g. IE for Ireland
7. Key Options: Select "Mark keys as exportable" and change "Key Size" to "2048"
8. Additional Options: Request Format: PKCS10 (If the CSP allows, set Hash Algorithm to sha256)
9. Submit
[Retrieve the certificate]
1. Retrieve the certificate (issued automatically or manually by the CA Administrator)
2. Select "Install this certificate"
3. The certificate is now stored in the Microsoft Certificate Store on this machine (folder Personal Certificates)
4. Go to Internet Options in Windows Internet Explorer and select "Content" --> "Certificates"
5. Export the newly installed certificate by clicking on "Export"
   Options for Export:
   --> Yes, export the private key
   --> Personal Information Exchange - PKCS #12 (.PFX)
       Select all three options (Include all certificates in the certification path if possible, Delete the private key if the export is successful, Export all extended properties)
   --> Type in a password (This will be needed for the next steps outlined in the OpenSSL section)
   --> Save the file (pfx) e.g. server.pfx
[OpenSSL]
1. Extraction of the private key:
   openssl.exe pkcs12 -in server.pfx -nocerts -nodes -out server1.key
3. Extraction of the certificate (public key):
   openssl.exe pkcs12 -in server.pfx -clcerts -nokeys -out server.crt
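A check worth running on the extracted files before they are copied into NetVault's etc folder, as an added example that is not part of the original article: it confirms that the private key and the certificate belong together and that the certificate is not about to expire. Assumptions: openssl.exe is on the PATH, the key is RSA (as requested with Key Size 2048), the script is saved as a .ps1 file and run in the folder holding the extracted files, and the 30-day threshold is an example value.

```powershell
# Added example (not from the original article): verify the files extracted
# from server.pfx before replacing NetVault's certificate and private key.
param(
    [string]$OpenSsl  = 'openssl.exe',   # assumption: openssl.exe is on PATH
    [string]$KeyFile  = 'server1.key',   # private key from OpenSSL step 1
    [string]$CertFile = 'server.crt',    # certificate from OpenSSL step 3
    [int]$MinDaysLeft = 30               # assumption: example threshold
)

function Invoke-OpenSsl {
    param([string[]]$Arguments)
    # Capture stdout only; openssl's own error text goes to the console.
    $out = & $OpenSsl @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
    ($out -join "`n").Trim()
}

foreach ($f in $KeyFile, $CertFile) {
    if (-not (Test-Path -LiteralPath $f -PathType Leaf)) { throw "File not found: $f" }
}

# 1. The RSA modulus of the private key must equal the modulus in the certificate.
$keyMod  = Invoke-OpenSsl @('rsa',  '-in', $KeyFile,  '-noout', '-modulus')
$certMod = Invoke-OpenSsl @('x509', '-in', $CertFile, '-noout', '-modulus')
if ($keyMod -ne $certMod) {
    throw "Mismatch: $KeyFile is not the private key for $CertFile"
}

# 2. The certificate must remain valid for at least $MinDaysLeft more days.
#    -checkend returns a non-zero exit code if the certificate expires sooner.
& $OpenSsl x509 -in $CertFile -noout -checkend ($MinDaysLeft * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "$CertFile expires within $MinDaysLeft days or has already expired"
}

# 3. Print subject, issuer and end date for a manual comparison with the
#    NetVault Server name entered in the certificate request form.
Invoke-OpenSsl @('x509', '-in', $CertFile, '-noout', '-subject', '-issuer', '-enddate')
'Key and certificate match.'
```

Because of -nodes, server1.key is written without passphrase protection, so remove the working copies of the key and server.pfx once the files are installed.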
[Installing the new certificate / NetVault Server]
1. Navigate to the folder "C:\Program Files (x86)\Quest\NetVault Backup\etc" (path may be different)
2. Do not skip this step: Take a backup of server.key and server.crt
3. Stop the NetVault Process Manager Service and make sure no jobs are running
4. Copy the new certificate into the etc folder and replace the existing certificate and private key
5. Start the NetVault Process Manager Service again
With these steps the certificate exchange is finished.