Installing an appliance certificate to avoid a browser SSL certificate challenge

Use Guardium® CLI commands to create a certificate signing request (CSR), and to install server, certificate authority (CA), or trusted path certificates on your Guardium system. Installing certificates allows your site to connect to the Guardium GUI without security warnings such as This site is not secure, or Your connection is not private.

About this task

For more information about certificate CLI commands, see Certificate CLI Commands.
  • You need a certificate authority (CA) to sign your CSR, and you need that CA's public certificate (for example, Verisign, Thawte, Geotrust, GoDaddy, Comodo, or an in-house CA).
  • Guardium does not provide CA services and ships every system with the same default certificate. To use your own certificate, you must obtain one from a third-party or in-house CA.
  • If the certificate is not self-signed, you must also obtain the public certificate of every signer up the chain to the root, which is the self-signed certificate at the top. You can use the openssl x509 -in t.pem -text -noout command to display the contents of an X.509 certificate; the Issuer field of each certificate names the next certificate that you need.
  • You can obtain and store the public certificate of the CA (step 1) either before or after you generate the CSR (step 2).

Procedure

  1. Have the public certificate from the CA that you need to sign your certificates available.
  2. Log in to the CLI and enter the following command:
    create csr gui
    Enter the requested information. If the CN (common name) of the certificate is not set to the hostname.domain of the system, the browser responds with certificate errors.
    Note: If the Common Name (CN=) field starts with a number and is used as an identifier, it must have an ID: prefix. For example, ID:1234.

    You are prompted to supply the organizational unit (OU), country code (C), and so forth. Be sure to enter this information correctly. The last prompt is:

    What encryption algorithm should be used (1=DSA or 2=RSA)?
    The default is RSA (2). DSA (Digital Signature Algorithm) is a federal information processing standard (FIPS) algorithm for digital signatures only. RSA is a public-key cryptosystem that involves key generation, encryption, and decryption. Choose RSA: TLS 1.3 does not support DSA and current browsers no longer offer DSA cipher suites, so a DSA certificate does not remove the browser warning.

    After you select the key algorithm, the system displays a description of the request, followed by the request itself, and some additional instructions. For example,

    Certificate Request: 
    Data: 
    Version: 0 (0x0) 
    Subject: C=US, ST=MA, L=Littleton, O=XYZCorp, OU=Accounting, CN=g2.xyz.com
    
    -----BEGIN NEW CERTIFICATE REQUEST----- 
    MIICWjCCAhcCAQAwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB1dhbHRoYW0xETAPBgNVBAoTCEd1 
    YXJkaXVtMRUwEwYDVQQLEwxndWFyZGl1bS5jb20xCTAHBgNVBAMTADCCAbgwggEsBgcqhkjOOAQB 
    MIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2 
    y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQT 
    WhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3e 
    y7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8 
    FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB 
    TDv+z0kqA4GFAAKBgQCONsEB4g4/limbHkuZ5YnLn9CGM3a2evEnqjXZts4itxeTYwPQvdkjdSmQ 
    kaQlBxmNUsZOJZrq5nC5Cg3X9spa+BzFr+PgR/5zka17nHcxKXCjVjLk451L67KllXv61TUfv/bU 
    PKmiaGKDttsP2ktG4dBFXQdICJEGo0aNFCYn6qAAMAsGByqGSM44BAMFAAMwADAtAhUAhHTY5z9X 
    NiBAuyAC9PS4GzleYakCFF2kcfxfjX1BFy5I228XWMAU0N95 
    -----END NEW CERTIFICATE REQUEST-----
    
    **************************************************************************
    
    Copy and paste the Certificate Signing Request (CSR), starting at the
    '-----BEGIN NEW CERTIFICATE REQUEST-----' tag and ending at the '-----END
    NEW CERTIFICATE REQUEST-----' tag, to a file. The CSR file will need to be
    provided to a Certificate Authority (CA) of your choice in order to obtain
    a valid certificate. Please note that the certificate will need to be in PEM
    format so that it can be imported into the Guardium appliance. Once you receive
    the certificate from your CA, use the following CLI command to start the import
    process:
    
    		<< store certificate gui >>
    Note:
    • For Common Name, enter the hostname in FQDN format (fully qualified domain name). If you connect to the GUI normally using the short hostname (for example, system1) instead of the FQDN (system1.us.ibm.com), Guardium returns an Address Mismatch certificate error. Either change the CN to use the FQDN, or connect with https://system1.us.ibm.com:8443/sqlguard to use the certificate. Most CAs copy the CN into the Subject Alternative Name (SAN) extension; current browsers, including Chrome, match the host against the SAN and ignore the CN, so check that the issued certificate lists the FQDN as a DNS SAN before you install it.
    • Country Code must be two letters.
    • Keysize can be 1024 or 2048. Use 2048: public CAs have not issued 1024-bit RSA certificates since 2014 and browsers treat such keys as weak.
  3. After the CA signs the CSR and returns the signed certificate, together with its root and any intermediate certificates, log in to the CLI and enter the following command:
    store certificate gui console
    The system returns with the following output:
    Please paste your End-Entity certificate below in PEM encoded format. A certificate in
    PEM encoded format should include the '-----BEGIN CERTIFICATE-----' and '-----END
    CERTIFICATE-----' tags. The Certificate Authority (CA) Root and Intermediate
    certificate(s) (if applicable) will also need to be pasted at this time for
    validation purposes. Please ensure that all certificates are in PEM format and
    include the aforementioned tags. When pasting multiple certificates, please make
    sure that each certificate is pasted on a new line in the following order:
    
    	-----BEGIN CERTIFICATE-----
    	(End-Entity certificate)
    	-----END CERTIFICATE-----
    	-----BEGIN CERTIFICATE-----
    	(Intermediate certificate(s) - if applicable)
    	-----END CERTIFICATE-----
    	-----BEGIN CERTIFICATE-----
    	(Root certificate)
    	-----END CERTIFICATE-----
    
    Once done pasting your certificate(s), press ENTER followed by CTRL-D to continue.
  4. After you paste the certificates, the system asks whether the certificate matches the existing CSR.
    If you enter yes, the system responds with the following warning: WARNING: Alias "tomcat" already exists. Are you sure that you want to replace it [y/n]? Enter "y" for yes.
    The system reports the success or failure of the store operation. A failure usually means that the chain was not pasted in the required order (appliance certificate first, intermediate certificates next, root certificate last) or that the certificate was issued for a different CSR.
  5. The GUI restarts automatically so that it serves the new certificate. If it does not restart, restart the GUI manually. Then reconnect to the GUI by its FQDN and confirm that the browser shows no certificate warning and that the certificate presented is the one you installed.
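The following shell script is an added example, not part of the Guardium documentation or product. Run on an administrator workstation with OpenSSL, it performs the checks a practitioner wants before anything is pasted into the CLI: for step 2 it inspects the saved CSR (CN equals the FQDN, RSA key of at least 2048 bits), and for step 3 it confirms that the issued certificate carries the public key from that CSR, lists the FQDN as a DNS SAN, verifies through the intermediates to the supplied root, and assembles the bundle in the order the store certificate gui console prompt requires. The file names gui.csr, gui.pem, inter.pem and root.pem, the function names, and the host g2.xyz.com (taken from the sample CSR above) are assumptions made for this example.

```sh
#!/bin/sh
# Pre-flight checks for a Guardium GUI certificate, run on an admin workstation
# before "store certificate gui console". Added example, not Guardium code.
# Assumed inputs (file names are placeholders): the CSR text copied from
# "create csr gui" saved as gui.csr, the CA-issued certificate as gui.pem, the
# CA root as root.pem and any intermediates (concatenated) as inter.pem.
set -u

# Print the public key size in bits from "openssl ... -text" output on stdin.
key_bits() { sed -nE 's/.*Public-Key: \(([0-9]+) bit\).*/\1/p' | head -n 1; }

cert_key_bits() { openssl x509 -in "$1" -noout -text 2>/dev/null | key_bits; }

# Turn a hostname into a literal ERE fragment (dots escaped).
ere_literal() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Step 2 check, before the CSR goes to the CA: the CN must be the appliance
# FQDN and the key must be RSA of at least 2048 bits (DSA and 1024-bit RSA
# keys are refused by current browsers and public CAs).
csr_ok() {   # usage: csr_ok gui.csr my.fqdn
  local text esc bits
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
  esc=$(ere_literal "$2")
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
  bits=$(printf '%s\n' "$text" | key_bits)
  [ "${bits:-0}" -ge 2048 ] || return 1
  printf '%s\n' "$text" | grep -qE "Subject:.*CN ?= ?${esc}(,|$)"
}

# Step 3 check: the issued certificate must carry the public key from the CSR,
# otherwise the appliance cannot pair it with the private key it generated.
cert_matches_csr() {   # usage: cert_matches_csr gui.csr gui.pem
  local a b
  a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Browsers match the URL host against the Subject Alternative Name, not the CN,
# so the FQDN must appear as a DNS SAN. A CN-only certificate is reported and
# rejected here even though the CN is all that the CLI asked for.
cert_covers_host() {   # usage: cert_covers_host gui.pem my.fqdn
  local text esc
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  esc=$(ere_literal "$2")
  printf '%s\n' "$text" | grep -qE "DNS:${esc}(,|$)" && return 0
  if printf '%s\n' "$text" | grep -qE "Subject:.*CN ?= ?${esc}(,|$)"; then
    echo "$2 is only in the CN, not in subjectAltName; browsers will still warn" >&2
  fi
  return 1
}

# Validate leaf -> intermediate(s) -> root with the signer certificates you were
# given. The ": OK" text is checked because old openssl builds exit 0 on failure.
chain_verifies() {   # usage: chain_verifies gui.pem root.pem [inter.pem]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
  fi
}

# Emit only the PEM certificate bodies of the given files, in order, each
# starting on its own line, dropping "Bag Attributes" and other text CAs add.
pem_bodies() {
  for f in "$@"; do
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' "$f"
  done
}

# Print the n-th certificate of a bundle.   usage: nth_cert bundle.pem n
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print} /-----END CERTIFICATE-----/{if(c==n)exit}' "$1"
}

# The order the appliance expects: every certificate is issued by the one that
# follows it, and the last one is the self-signed root.
bundle_order_ok() {   # usage: bundle_order_ok bundle.pem
  local n i subj issuer want
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  [ "$n" -ge 1 ] || return 1
  want=""; i=1; subj=""; issuer=""
  while [ "$i" -le "$n" ]; do
    subj=$(nth_cert "$1" "$i" | openssl x509 -noout -subject -nameopt RFC2253) || return 1
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer -nameopt RFC2253) || return 1
    subj=${subj#*=}; issuer=${issuer#*=}      # drop the "subject=" / "issuer=" label
    [ -z "$want" ] || [ "$want" = "$subj" ] || return 1
    want=$issuer
    i=$((i + 1))
  done
  [ "$subj" = "$issuer" ]
}

# Run every check and write the bundle to paste at the console prompt.
# usage: preflight gui.csr gui.pem root.pem my.fqdn [inter.pem] [out.pem]
preflight() {
  local csr="$1" leaf="$2" root="$3" fqdn="$4" inter="${5:-}" out="${6:-gui-bundle.pem}" bits rc=0
  csr_ok "$csr" "$fqdn"                 || { echo "FAIL: CSR CN or key does not meet requirements"; rc=1; }
  cert_matches_csr "$csr" "$leaf"       || { echo "FAIL: certificate key differs from CSR key"; rc=1; }
  cert_covers_host "$leaf" "$fqdn"      || { echo "FAIL: $fqdn is not a DNS SAN of the certificate"; rc=1; }
  bits=$(cert_key_bits "$leaf")
  [ "${bits:-0}" -ge 2048 ]             || { echo "FAIL: ${bits:-?}-bit key is too short"; rc=1; }
  chain_verifies "$leaf" "$root" "$inter" || { echo "FAIL: chain does not verify to $root"; rc=1; }
  if [ -n "$inter" ]; then pem_bodies "$leaf" "$inter" "$root" > "$out"
  else pem_bodies "$leaf" "$root" > "$out"; fi
  bundle_order_ok "$out"                || { echo "FAIL: $out is not leaf, intermediates, root"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: paste $out into 'store certificate gui console'"
  return "$rc"
}

if [ "$#" -ge 4 ]; then preflight "$@"; fi
```

Run it as sh guardium-cert-check.sh gui.csr gui.pem root.pem g2.xyz.com inter.pem and paste the resulting gui-bundle.pem at the console prompt. Any FAIL line should be resolved with the CA before you run store certificate gui console; the appliance itself only reports a mismatch after the whole chain has been pasted, and a certificate that passes the appliance's check but lacks the FQDN in its SAN still produces the browser warning this procedure is meant to remove.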

Results

A certificate for one Guardium unit is installed.

What to do next

Repeat the steps for every Guardium system onsite.