Generate New Web Certificate for UEB with Name to Match Configured One in GUI

Mindwatering Incorporated

Author: Tripp W Black

Created: 11/03/2022 at 10:43 AM


Category:
Linux
Other

Issue:
When you name the UEB appliance during setup, the setup never updates the web certificate the appliance serves. The certificate's name doesn't match the configured hostname, and it eventually expires if you are fortunate enough to keep your UEB appliance that long (most backup-corruption issues require a rebuild of the appliance, so ours rarely live long enough to expire). The result is that modern browsers refuse the connection because of the mismatched host name and the expired certificate. It also has no CA chain, which isn't helpful either.

Task:
Issue a self-signed certificate with OpenSSL, carrying the configured hostname, that modern browsers will let you "Proceed Anyway" past and use.

1. Back up the current localhost.key and localhost.crt files.
$ cd /etc/pki/tls/private/
$ sudo cp localhost.key localhost_backup2022.key
$ cd /etc/pki/tls/certs/
$ sudo cp localhost.crt localhost_backup2022.crt

Option A, with a config file (steps 2 to 4):
2. Create a config file for OpenSSL to use. Include every subject alternative name (SAN) the appliance is reached by.
(We'll move the files afterwards.)
$ cd /etc/pki/tls
$ sudo vi uebssl.cnf
<i> (insert mode)
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = North Carolina
localityName = Wake Forest
organizationName = Mindwatering
commonName = ueb123.mindwatering.local
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ueb123.mindwatering.net
DNS.2 = ueb123
IP.1 = 10.0.97.104
<esc>:wq (save and close)


3. Create the CSR using the config file.
$ sudo openssl req -out ueb123.csr -newkey rsa:4096 -nodes -keyout ueb123.key -config uebssl.cnf
<wait>

Note:
You can review what was created with:
$ openssl req -noout -text -in ueb123.csr


4. Create the new cert from the CSR:
$ sudo openssl x509 -req -sha256 -days 3650 -in ueb123.csr -signkey ueb123.key -out ueb123.crt -extfile uebssl.cnf -extensions req_ext


Option B, without a config file and without a CSR (OpenSSL versions after 2017), replacing steps 2 to 4:
$ sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout ueb123.key -out ueb123.crt -subj "/CN=ueb123.mindwatering.local" -addext "subjectAltName=DNS:ueb123.mindwatering.com,DNS:ueb123,IP:10.0.97.104"


5. Copy the files into the final positions:
$ sudo mv ueb123.key ./private/localhost.key
mv: overwrite ‘./private/localhost.key’? y

$ sudo mv ueb123.crt ./certs/localhost.crt
mv: overwrite ‘./certs/localhost.crt’? y


6. Reboot to verify persistence.
$ sudo reboot
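As an added check that is not part of the original article: a POSIX shell script that verifies a freshly generated key/certificate pair before it is moved over localhost.key and localhost.crt in step 5, and that can be pointed at the live appliance after the reboot in step 6. It confirms that the key and certificate belong together, that the hostname is listed as a subjectAltName (Chrome and other modern browsers match against the SAN list and ignore the commonName, so a hostname that appears only as CN is not enough), that the certificate is not about to expire, and that the key file is readable by its owner only (mv keeps the new file's mode, so the key may arrive as 0644). The file names, the ueb123.example.local hostname, the demo config and the 30-day threshold are assumptions; only the SAN layout and the 10.0.97.104 address are reused from the article.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a new key/cert pair
# before it is moved over localhost.key / localhost.crt. Requires the openssl CLI.
# The hostnames, file names and demo config below are assumptions for illustration.
set -eu

# 0 if KEY and CRT carry the same public key (hash the DER public key from each).
keypair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# 0 if NAME is listed as a DNS or IP subjectAltName. Browsers match the SAN list
# and ignore the commonName, so the configured hostname must appear here.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# 0 if CRT is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the private key is readable by its owner only (chmod 600 it before step 5
# if this fails). GNU stat first, BSD stat as fallback.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Run every check on KEY CRT HOSTNAME; report the first failure on stderr.
check_pair() {
    keypair_matches "$1" "$2"   || { echo "FAIL: $1 does not match $2" >&2; return 1; }
    cert_has_san "$2" "$3"      || { echo "FAIL: $3 is not a subjectAltName in $2" >&2; return 1; }
    cert_valid_for_days "$2" 30 || { echo "FAIL: $2 expires within 30 days" >&2; return 1; }
    key_perms_ok "$1"           || { echo "FAIL: $1 is readable by others" >&2; return 1; }
    echo "OK: $2 matches $1, covers $3, and is valid for 30+ days"
}

# After the reboot in step 6: print the PEM certificate the appliance actually
# serves, so it can be saved to a file and passed to cert_has_san (needs network).
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Constructed demo: build a throwaway pair in a temp dir from a config laid out
# like the article's uebssl.cnf (sample names are assumptions) and print the dir.
make_demo_pair() {
    dir=$(mktemp -d)
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
commonName = ueb123.example.local
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ueb123.example.local
DNS.2 = ueb123
IP.1 = 10.0.97.104
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/demo.key" -out "$dir/demo.crt" \
        -config "$dir/demo.cnf" -extensions req_ext >/dev/null 2>&1
    chmod 600 "$dir/demo.key"
    echo "$dir"
}

# Usage: sh check_cert.sh KEY CRT HOSTNAME; with no arguments, run the demo.
if [ $# -eq 3 ]; then
    check_pair "$1" "$2" "$3"
elif [ $# -eq 0 ]; then
    demo=$(make_demo_pair)
    check_pair "$demo/demo.key" "$demo/demo.crt" ueb123.example.local
    rm -rf "$demo"
fi
```

On the appliance, run it from /etc/pki/tls as `sh check_cert.sh ueb123.key ueb123.crt ueb123.mindwatering.local` before step 5; after the reboot, `served_cert ueb123.mindwatering.local > served.crt` followed by `cert_has_san served.crt ueb123.mindwatering.local` confirms the web server picked up the new files rather than a cached copy.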
