Installing an appliance certificate to avoid a browser SSL certificate challenge
Use Guardium® CLI commands to create a certificate signing request (CSR), and to install server, certificate authority (CA), or trusted path certificates on your Guardium system. Installing certificates allows your site to connect to the Guardium GUI without security warnings such as This site is not secure, or Your connection is not private.
About this task
- You must provide a public certificate from a certificate authority (CA) that you can use to sign your certificates (for example, Verisign, Thawte, Geotrust, GoDaddy, Comodo, or an in-house CA).
- Guardium does not provide CA services and does not ship systems with any certificate other than the default certificate. To use your own certificate, you must contact a third-party CA.
- If the certificate is not self-signed, you must obtain the public certificate of each signer up to the root (the certificate that is self-signed). You can use the openssl x509 -in t.pem -text -noout command to show the contents of an X.509 certificate.
- You can obtain and store the public certificate of the CA (step 1) either before or after you generate the CSR (step 2).
- Have the public certificate from the CA that you need to sign your certificates available.
- Log in to the CLI and enter the following command:
create csr gui
Enter the requested information. If the CN (common name) of the certificate is not set to the hostname.domain of the system, the browser responds with certificate errors.
Note: If the Common Name (CN=) field starts with a number and is used as an identifier, it must have an ID: prefix. For example,
You are prompted to supply the organizational unit (OU), country code (C), and so forth. Be sure to enter this information correctly. The last prompt is:
What encryption algorithm should be used (1=DSA or 2=RSA)?
The default encryption algorithm is RSA (2). DSA (Digital Signature Algorithm) is a federal information processing standard (FIPS) for digital signatures. RSA is a public-key cryptosystem that involves key generation, encryption, and decryption.
After you select an encryption algorithm, the system displays a description of the request, followed by the request itself and some additional instructions. For example,
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=MA, L=Littleton, O=XYZCorp, OU=Accounting, CN=g2.xyz.com
-----BEGIN NEW CERTIFICATE REQUEST-----
MIICWjCCAhcCAQAwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB1dhbHRoYW0xETAPBgNVBAoTCEd1
YXJkaXVtMRUwEwYDVQQLEwxndWFyZGl1bS5jb20xCTAHBgNVBAMTADCCAbgwggEsBgcqhkjOOAQB
MIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2
y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQT
WhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3e
y7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8
FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
TDv+z0kqA4GFAAKBgQCONsEB4g4/limbHkuZ5YnLn9CGM3a2evEnqjXZts4itxeTYwPQvdkjdSmQ
kaQlBxmNUsZOJZrq5nC5Cg3X9spa+BzFr+PgR/5zka17nHcxKXCjVjLk451L67KllXv61TUfv/bU
PKmiaGKDttsP2ktG4dBFXQdICJEGo0aNFCYn6qAAMAsGByqGSM44BAMFAAMwADAtAhUAhHTY5z9X
NiBAuyAC9PS4GzleYakCFF2kcfxfjX1BFy5I228XWMAU0N95
-----END NEW CERTIFICATE REQUEST-----
**************************************************************************
Copy and paste the Certificate Signing Request (CSR), starting at the
'-----BEGIN NEW CERTIFICATE REQUEST-----' tag and ending at the
'-----END NEW CERTIFICATE REQUEST-----' tag, to a file. The CSR file will need
to be provided to a Certificate Authority (CA) of your choice in order to
obtain a valid certificate. Please note that the certificate will need to be
in PEM format so that it can be imported into the Guardium appliance.
Once you receive the certificate from your CA, use the following CLI command
to start the import process:
<< store certificate gui >>
Note:
- For Common Name, enter the hostname in FQDN format (fully qualified domain name). If you normally connect to the GUI by using the short hostname (for example, system1) instead of the FQDN (system1.us.ibm.com), Guardium returns an Address Mismatch certificate error. Either change the CN to use the FQDN, or connect with https://system1.us.ibm.com:8443/sqlguard to use the certificate.
- Country Code must be two letters.
- Keysize can be 1024 or 2048.
- After the CA signs the CSR and returns the signed certificate, log in to the CLI and enter the following command:
store certificate gui console
The system returns the following output:
Please paste your End-Entity certificate below in PEM encoded format.
A certificate in PEM encoded format should include the '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' tags.
The Certificate Authority (CA) Root and Intermediate certificate(s) (if applicable) will also need to be pasted at this time for validation purposes.
Please ensure that all certificates are in PEM format and include the aforementioned tags.
When pasting multiple certificates, please make sure that each certificate is pasted on a new line in the following order:
-----BEGIN CERTIFICATE-----
(End-Entity certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate(s) - if applicable)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
Once done pasting your certificate(s), press ENTER followed by CTRL-D to continue.
- After you load the certificate, the system asks whether the certificate matches the existing CSR request. If you enter yes, the system responds with the following warning:
WARNING: Alias "tomcat" already exists. Are you sure that you want to replace it [y/n]?
Enter "y" for yes. The system responds with the success or failure of the store operation.
- Paste the certificate chain together in order, starting with the appliance certificate first and the root certificate last. The GUI restarts automatically. If needed, restart the GUI manually.
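The three things the procedure above depends on (the signed certificate really belongs to the CSR the appliance generated, its CN and SAN carry the FQDN the browser connects to, and the pasted bundle runs end-entity, then intermediates, then a self-signed root, with every signer present) can all be checked with the openssl command line before anything is pasted into store certificate gui console. The script below is an added example, not Guardium tooling; it assumes openssl 1.1.1 or later is on the PATH, and the XYZCorp test CA, the file names, and the extra "other" CSR it generates are constructed for the demonstration only (the 2048-bit size is the larger of the two sizes the CSR prompt accepts).

```shell
#!/bin/sh
# Added example, not Guardium's own tooling: pre-flight checks on the PEM
# material before it is pasted into "store certificate gui console".
# Assumes the openssl CLI (1.1.1+) is installed; all file names are assumptions.
set -eu

# The certificate the CA returns must carry the public key from the CSR the
# appliance generated; otherwise the appliance has no private key for it.
csr_matches_cert() {  # $1 = CSR, $2 = end-entity certificate
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# CN must be the FQDN the browser uses (else "Address Mismatch"); browsers
# also expect the same name in the subjectAltName extension.
cert_name_matches() {  # $1 = certificate, $2 = expected FQDN
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ] && openssl x509 -in "$1" -noout -ext subjectAltName | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}

# Split a pasted bundle into c.1.pem, c.2.pem, ... and print the count.
split_bundle() {  # $1 = bundle file, $2 = output prefix
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = p "." n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }' "$1"
}

# Order check: each certificate must be issued by the one pasted after it and
# the last one must be self-signed; then verify the signatures with the root
# as the only trust anchor and the middle certificates as untrusted.
chain_order_ok() {  # $1 = bundle in the order it will be pasted
  work=$(mktemp -d); n=$(split_bundle "$1" "$work/c"); ok=0; i=1
  [ "$n" -ge 1 ] || ok=1
  while [ "$ok" -eq 0 ] && [ "$i" -le "$n" ]; do
    issuer=$(openssl x509 -in "$work/c.$i.pem" -noout -issuer -nameopt RFC2253)
    next=$(( i < n ? i + 1 : i ))   # the last certificate is compared with itself
    subject=$(openssl x509 -in "$work/c.$next.pem" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || ok=1
    i=$((i + 1))
  done
  if [ "$ok" -eq 0 ]; then
    set -- -CAfile "$work/c.$n.pem"; j=2
    while [ "$j" -lt "$n" ]; do set -- "$@" -untrusted "$work/c.$j.pem"; j=$((j + 1)); done
    openssl verify "$@" "$work/c.1.pem" >/dev/null 2>&1 || ok=1
  fi
  rm -rf "$work"; return "$ok"
}

preflight() {  # $1 = CSR, $2 = end-entity cert, $3 = bundle as pasted, $4 = GUI FQDN
  rc=0
  csr_matches_cert "$1" "$2"  && echo "PASS public key matches the CSR"  || { echo "FAIL certificate was not issued for this CSR"; rc=1; }
  cert_name_matches "$2" "$4" && echo "PASS CN and SAN match $4"         || { echo "FAIL certificate is not for $4 (Address Mismatch)"; rc=1; }
  chain_order_ok "$3"         && echo "PASS chain order and signatures"  || { echo "FAIL chain is out of order, incomplete, or does not verify"; rc=1; }
  return "$rc"
}

# Constructed fixture: a throwaway root + intermediate that issue a certificate
# for the CSR subject shown in the Guardium output; the CA names are made up.
make_fixture() {  # prints the directory it created
  d=$(mktemp -d)
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:g2.xyz.com
EOF
  (
    cd "$d"
    openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -days 3650 -extensions v3_ca \
      -subj "/O=XYZCorp/CN=XYZ Test Root CA" -keyout root.key -out root.pem
    openssl req -config pki.cnf -newkey rsa:2048 -nodes \
      -subj "/O=XYZCorp/CN=XYZ Test Intermediate CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 \
      -extfile pki.cnf -extensions v3_ca -out int.pem
    openssl req -config pki.cnf -newkey rsa:2048 -nodes \
      -subj "/C=US/ST=MA/L=Littleton/O=XYZCorp/OU=Accounting/CN=g2.xyz.com" -keyout gui.key -out gui.csr
    openssl x509 -req -in gui.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 \
      -extfile pki.cnf -extensions v3_leaf -out gui.pem
    # same name, different key: a certificate for this CSR would not match gui.csr
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=g2.xyz.com" -keyout other.key -out other.csr
    cat gui.pem int.pem root.pem > chain-good.pem       # the order the appliance expects
    cat root.pem int.pem gui.pem > chain-reversed.pem   # root first: wrong
    cat gui.pem int.pem > chain-no-root.pem             # signer chain stops short of the root
  ) >/dev/null 2>&1
  echo "$d"
}

# Usage: sh check.sh gui.csr gui.pem chain.pem gui.example.com
# With no arguments the checks run against the constructed fixture.
if [ "$#" -eq 4 ]; then
  preflight "$@"
else
  D=$(make_fixture); preflight "$D/gui.csr" "$D/gui.pem" "$D/chain-good.pem" g2.xyz.com; rm -rf "$D"
fi
```

Run it against the files you are about to paste, and fix any FAIL before touching the appliance: a mismatched CSR means the CA signed a request other than the one create csr gui produced, a name failure means the browser will still show an Address Mismatch error, and a chain failure means a signer's public certificate is missing or the order is not end-entity first, root last.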