Generating a Microsoft CA signed certificate for NetVault Webservice (WebUI) (4038347)

Potential Certificate Warning When Accessing NetVault WebUI

When opening the NetVault WebUI in a web browser, you might encounter a certificate warning similar to the one shown below. This typically occurs when the browser doesn't trust the SSL certificate presented by the NetVault server.

• Self-Signed Certificate: The NetVault server is using a self-signed certificate which is not automatically trusted by browsers.
• Certificate Expiration: The certificate might have expired.
• Hostname Mismatch: The certificate's common name or subject alternative names might not match the hostname you are using to access the WebUI.

In this example, the certificate was replaced using a Microsoft Enterprise CA. (A certificate generated with OpenSSL will also suffice.)

To generate a certificate (CRT) and private key file (KEY) using Active Directory Certificate Services (AD CS) on a Windows Server 2022 Domain Controller, follow these steps:

Prerequisites

1. Active Directory Certificate Services (AD CS) Installed: Ensure that AD CS is installed and configured on your Windows Server 2022 Domain Controller.
2. Administrator Privileges: Ensure you have administrative privileges to perform these tasks.

Steps

1. Open the Certification Authority Console

   1. Log in to the Windows Server 2022 Domain Controller.
   2. The Certification Authority console should be opened by searching for it in the Start menu or by running certsrv.msc.
   
    

1. Create a Certificate Template

   1. In the Certification Authority console, the CA server should be expanded, and Certificate Templates should be right-clicked, then Manage should be selected.
   2. In the Certificate Templates Console, the desired template (e.g., Web Server) should be right-clicked, and Duplicate Template should be selected.
   3. In the Properties of New Template dialog, an appropriate name should be given on the General tab.
   4. On the Request Handling tab, the option Allow private key to be exported should be checked if the key export is required.
   5. On the Security tab, it should be ensured that the NetVault computer object has permissions to enroll and auto-enroll.
   6. The new template should be created by clicking OK.
   
   
    

2. Issue the New Certificate Template

   1. The Certification Authority console should be returned to.
   2. Certificate Templates should be right-clicked, then New and Certificate Template to Issue should be selected.
   3. The template that was just created should be selected, and OK should be clicked.
   
    

3. Request a New Certificate

   1. The Certificates snap-in should be opened for the NetVault Server by running certlm.msc for the local machine.
   2. The Personal store should be right-clicked, then All Tasks, and Request New Certificate should be selected.
   3. The Certificate Enrollment wizard should be followed.
   

   To retrieve the full CN (Common Name) of the NetVault Server, the following PowerShell command should be run:

   Get-ADComputer -Identity JHOOPER-NVSERVER | select-object DistinguishedName

   NOTE: The value JHOOPER-NVSERVER is used as an example in the Identity parameter, this value should be replaced with the NetVault Server name for which the certificate is being requested. The Identity parameter is responsible for uniquely identifying the computer object in Active Directory. When used, the Get-ADComputer cmdlet retrieves the Distinguished Name (DN) of the specified computer object, which is necessary for the certificate request.

   The Active Directory module for Windows PowerShell should be installed by issuing the following command:

   Get-WindowsFeature -Name RSAT-AD-PowerShell

   If the module is available but not loaded into the current PowerShell session, it should be imported using this command:

   Import-Module ActiveDirectory

   Alternatively, if not installed, the following command should be used to install it:

   Install-WindowsFeature -Name "RSAT-AD-PowerShell"

   Under Alternative Name, DNS should be chosen, and the hostname, "localhost," along with the server’s IP address and loopback address, should be entered.

   • Active Directory Enrollment Policy should be selected.
   • The template that was created and configured should be chosen.
   • The information required to enroll for the certificate should be provided:
     • Full DN, e.g., CN=JHOOPER-NVSERVER,CN=Computers,DC=sandbox,DC=local
    
   
    
   Certificate Properties

4. Export the Certificate and Private Key

   1. After the certificate is issued, the Certificates snap-in should be returned to.
   2. The newly issued certificate should be located under the Personal store.
   3. The certificate should be right-clicked, then All Tasks, and Export should be selected.
   4. In the Certificate Export Wizard:
      • The option Yes, export the private key should be chosen.
      • Personal Information Exchange - PKCS #12 (.PFX) format should be selected.
      • It should be ensured that Include all certificates in the certification path if possible and Export all extended properties are checked.
      • A password for the PFX file should be set.
      • A location for saving the PFX file should be chosen.

5. Extract the CRT and KEY Files from the PFX File

   1. The PFX file should be transferred to a system where OpenSSL is available (either on a Linux machine or a Windows machine with OpenSSL installed).
   2. OpenSSL commands should be used to extract the certificate and private key from the PFX file:

   openssl pkcs12 -in yourfile.pfx -nocerts -out server.key -nodes

   openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out server.crt

6. Verify the Output Files

   1. It should be ensured that two files, server.crt and server.key, have been created.
   2. The server.crt and server.key should be replaced in the NetVault Server, located at C:\Program Files\Quest\NetVault\etc for Windows or /usr/netvault/etc for Linux.