How to install an appliance certificate to avoid a browser SSL certificate challenge

Use IBM Security Guardium CLI commands to create a certificate signing request (CSR), and to install server, certificate authority (CA), or trusted path certificates on your Guardium® system.

About this task

Eliminate the Certificate Error warning screens saying:
There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

See Certificate CLI Commands for more information on all the certificate commands.

Note: One prerequisite is that you must provide a public certificate from the CA you will be using to sign your certificates (Verisign, Thawte, Geotrust, GoDaddy, Comodo, an in-house CA, etc).
Note: Guardium does not provide CA services and will not ship systems with certificates other than the one installed by default. A customer that wants their own certificate will need to contact a third-party CA.
Note: If the certificate is not self-signed, you MUST also obtain the public certificate of each signer in the chain, up to and including the self-signed root certificate. You can use the command, openssl x509 -in t.pem -text -noout, to show the contents of an X.509 certificate.

Procedure

  1. Have available the public certificate from the CA (Certificate Authority) you will be using to sign your certificates (from Verisign, Thawte, Geotrust, GoDaddy, Comodo, in-house, etc).
  2. Log into the CLI on the individual Guardium system you wish to have a signed certificate on.

    Before executing the command, obtain the appropriate certificate (in PEM format, not binary format) from your CA, and copy the certificate, including the Begin and End lines, to your clipboard.

  3. Enter the command, store certificate keystore. The following prompt will be displayed:
    What is a one-word alias we can use to uniquely identify this certificate?

    Enter a one-word name for the certificate and press Enter.

    The following instructions will be displayed:

    Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D.

    Paste the PEM-format certificate at the command line, then press CTRL-D. You will be informed of the success or failure of the store operation.

    Now the CA you will sign with is set as trusted on the Guardium system.

  4. Next, from the CLI command prompt, type: create csr gui.

    Fill in the requested information. If the CN (common name) of the certificate is not set to the hostname.domain of the box, certificate errors from the browser will result.

    There are no parameters, but you will be prompted to supply the organizational unit (OU), country code (C), and so forth. Be sure to enter this information correctly. The last prompt is as follows:

    What encryption algorithm should be used (1=DSA or 2=RSA)?

    DSA, or the Digital Signature Algorithm, is a federal information processing standard (FIPS) for digital signatures. RSA is a public-key cryptosystem that involves key generation, encryption, and decryption. The default encryption algorithm is RSA.

    After you respond to the last prompt, the system displays a description of the request, followed by the request itself, and followed finally by additional instructions. For example:

    This is the generated CSR:
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=US, ST=MA, L=Littleton, O=XYZCorp, OU=Accounting, CN=g2.xyz.com
    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIICWjCCAhcCAQAwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB1dhbHRoYW0xETAPBgNVBAoTCEd1
    YXJkaXVtMRUwEwYDVQQLEwxndWFyZGl1bS5jb20xCTAHBgNVBAMTADCCAbgwggEsBgcqhkjOOAQB
    MIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2
    y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQT
    WhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3e
    y7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8
    FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
    TDv+z0kqA4GFAAKBgQCONsEB4g4/limbHkuZ5YnLn9CGM3a2evEnqjXZts4itxeTYwPQvdkjdSmQ
    kaQlBxmNUsZOJZrq5nC5Cg3X9spa+BzFr+PgR/5zka17nHcxKXCjVjLk451L67KllXv61TUfv/bU
    PKmiaGKDttsP2ktG4dBFXQdICJEGo0aNFCYn6qAAMAsGByqGSM44BAMFAAMwADAtAhUAhHTY5z9X
    NiBAuyAC9PS4GzleYakCFF2kcfxfjX1BFy5I228XWMAU0N95
    -----END NEW CERTIFICATE REQUEST-----
    Note: For Common Name, use the hostname in FQDN format (fully qualified domain name). If you normally connect to the GUI using the short hostname (for example, system1) instead of the FQDN (system1.us.ibm.com), you will get the certificate error "Address Mismatch"; you will either have to change the CN to the short hostname (CN=system1) or connect with https://system1.us.ibm.com:8443/sqlguard to make use of the certificate.
    Note: Country Code must be 2 letters.
    Note: Keysize can be 1024 or 2048.
  5. Copy the generated request, from the -----BEGIN NEW CERTIFICATE REQUEST----- line through the -----END NEW CERTIFICATE REQUEST----- line, into a text document. Now send this off to your CA for them to return the signed certificate.

    Before continuing, check the Subject line to verify that you have entered your company information correctly. From this point forward, use whatever procedure you would normally use to obtain a server certificate from your CA.

    Note: When submitting the request to your CA, make sure you request the certificate in PKCS#7 PEM format.
  6. The CA signs the CSR and sends you back the signed certificate.
  7. Now, go back to the CLI prompt on the Guardium system and have the signed certificate from the CA handy. Type the following: store certificate gui.

    Enter the command exactly as shown. You will receive the following information and prompt:

    Please paste your new server certificate, in PEM format.

    Include the BEGIN and END lines, and then press CTRL-D.

    Paste the PEM-format certificate at the command line, then press CTRL-D. You will be informed of the success or failure of the store operation.

    -----BEGIN CERTIFICATE-----
    MIIDvTCCAqegAwIBAgIBATALBgkqhkiG9w0BAQUwcjELMAkGA1UEBhMCVVMxEzAR
    BgNVBAgTCldhc2hpbmd0b24xDzANBgNVBAcTBllha2ltYTEMMAoGA1UEChMDSUJN
    MRUwEwYDVQQLEwxHdWFyZGl1bURlbW8xGDAWBgNVBAMTD0d1YXJkaXVtRGVtb19D
    QTAeFw0xMTAzMjUxNTM1MTRaFw02OTEyMzEyMzU5NTlaMHIxCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIEwpXYXNoaW5ndG9uMQ8wDQYDVQQHEwZZYWtpbWExDDAKBgNVBAoT
    A0lCTTEVMBMGA1UECxMMR3VhcmRpdW1EZW1vMRgwFgYDVQQDEw9HdWFyZGl1bURl
    bW9fQ0EwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIBCgKCAQEAw08aZVJNdnC69LR6
    YtvHO+KbsqA89vCezLw7xmEa7F6+io0NofIFX7b7FvSkxzx1SO4eStaQSTDBxOGk
    mqK2vk3VeJk9+lItofUuQXl1CZ1R4wQPMRfaWgELt+t94XB3Y1zmI68vwfr1fB32
    u3Yjpt4aq27sTMrjEqZIyDqQ7hQ1tpMtoBUqNi54wN+OJjhtpNYDAkCHs+3NPqXE
    6HeL7W5X6PJ+YCyyZiXeqQ+T8qdpH0KDVJGJLGX1YC+0WnQz/S2kaaRfxe6Nhe6q
    YeYaD09tlWkVrZQm8a76SDULjzjrQ4wNoTJu17JQk7Uc835RE/bF5WMsaN5HGs3s
    9zP3uwIDAQABo2QwYjAPBgNVHRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAw
    HQYDVR0OBBYEFINmKThm8tA+Z8cyFC7MOZ7v398SMB8GA1UdIwQYMBaAFINmKThm
    8tA+Z8cyFC7MOZ7v398SMAsGCSqGSIb3DQEBBQOCAQEAcXttcJwy1aowq9wtJksK
    q6n6laEFR38i+pLJ6kArjoJGP5WxFdaYcDQr5cAw2Q6YFZvQGaYAqiSS6ezF20PT
    3BrrP+Mg/SK8jgPvM0ekodmpr385iQqSDneTTwPPrIaQBrrtb2510wHSEyiVcRRI
    4vn3ktVahjiSMD92bfmZilPYQ51pD0jFgGFFRvekulPWGWv7iuCT+alCM99/76xR
    uWrRc7cxypfxK1yymptizZVrxLHS47VVoXzmZ7yO3kfhhdZbBmoXg1MDM82rVdnp
    WVQdlSasn8deHaVG//RsCrWx4PxN8TVIDGbfh0nWRYU4zPORvWst3fa+h9B2W55z
    /A==
    -----END CERTIFICATE-----
  8. For the final step, restart the UI using the command restart gui.

    You have now successfully installed one certificate for one Guardium unit. Repeat the steps for every Guardium system on-site.
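The following openssl pre-flight checks are an added example, not part of the Guardium documentation: they show the CSR Subject for review before it goes to the CA (step 5) and confirm that the returned certificate chains to the CA stored as trusted in step 3, names the FQDN users type into the browser, and is unexpired before it is pasted into store certificate gui (step 7). Current browsers match the host name against the subjectAltName extension rather than the CN, so the check accepts either, and it is worth asking your CA to include a DNS SAN for the FQDN. It assumes the openssl CLI on an administrator's workstation; the demo CA, file names and the host name g2.xyz.com are constructed.

```shell
#!/bin/sh
# Added example (not from the Guardium documentation): openssl pre-flight checks
# on the CSR you are about to send (step 5) and on the certificate the CA returns
# (step 7), run on an admin workstation before pasting into "store certificate gui".
# Assumes the openssl CLI is installed. File and host names below are constructed.
set -u

# Show the Subject of a CSR so the company details and CN can be reviewed.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Return 0 only if the certificate chains to the CA stored as trusted in step 3,
# its CN or a DNS subjectAltName equals the FQDN users type into the browser,
# and it has not expired. Each failure is reported and the function returns 1.
check_server_cert() {
  ca=$1; cert=$2; fqdn=$3; rc=0
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to $ca"; rc=1
  fi
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  # -ext needs OpenSSL 1.1.1+; on older builds sans is simply empty.
  sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  if [ "$cn" != "$fqdn" ] && ! printf '%s\n' "$sans" | grep -qx "$fqdn"; then
    echo "FAIL: CN '$cn' / SAN '$sans' do not match '$fqdn' (browser: Address Mismatch)"; rc=1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: $cert has expired"; rc=1
  fi
  return $rc
}

# Constructed demo input: a throw-away CA and a server certificate it signed,
# written to directory $1 for FQDN $2. Stands in for your real CA's files.
make_demo_pki() {
  d=$1; fqdn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=DemoCA/CN=Demo Root" \
    -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=XYZCorp/CN=$fqdn" \
    -keyout "$d/srv.key" -out "$d/srv.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/srv.pem" >/dev/null 2>&1
}
```

Run make_demo_pki against a scratch directory, then csr_subject on srv.csr and check_server_cert with ca.pem, srv.pem and the FQDN; with your real files, substitute the CA certificate you stored in step 3 and the certificate the CA returned.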