Created Date | Updated Date | Affects version | Fix Version

 

 

All

Description

These general instructions can be used to install a new SSL certificate on a BMC server.

Instructions

Check current certificate from BMC Keystore:

keytool -list -v -keystore "C:\Program Files\Blancco\Blancco Management Console\apache-tomcat\conf\keystore.jks"

CER

Using the Java keytool.exe, you can follow the steps below to install a new SSL certificate on your BMC server.

  1. Stop the BMC service.
  2. (OPTIONAL) Create a new keystore/keypair.
  3. Create a new CSR for the existing BMC self-signed cert or for your new keystore/keypair.
  4. Import the signed cert keychain, or the root and intermediate CA certs, into your keystore.
  5. Import CA-signed certificate and apply the same to the keypair.
  6. Update the "keystoreFile" and "keystorePass" values in the server.xml file located under "\Blancco Management Console\apache-tomcat\conf" to reflect any changes associated with key/cert.
  7. Restart the BMC service.

Run the commands in a Command Prompt opened with administrator privileges.

Step 1: Stop the BMC service


Step 2: Create the new keystore/keypair.

keytool -keystore "path_to\keystore_name.jks" -genkeypair -keyalg RSA -keysize 2048 -validity #of days -dname "cn=domain name, ou=yourOrgUnit, o=yourOrgOrCompany, l=City/locality, st=State/Canton/Province/Land, c=Country_ISO3166-digraph" -alias "domain name"

| DN | Information | Description | Example |
|---|---|---|---|
| Validity | | Number of days the keystore is valid. | 365 |
| CN | Common Name | The fully qualified domain name that you wish to secure | example.com |
| o | Organization Name | Usually the legal name of a company or entity; should include any suffixes such as Ltd., Inc., or Corp. | Example Inc |
| OU | Organizational Unit | Internal organization department/division name | IT |
| l | Locality | Town, city, village, etc. name | Helsinki |
| st | State | Province, region, county or state | North Karelia |
| c | Country | The two-letter ISO code for the country where your organization is located | FI |


(Optional - if "subject alternative name (SAN)" needs to be used):

keytool -keystore "path_to\keystore_name.jks" -ext san=dns:Name1,dns:Name2 -genkeypair -keyalg RSA -keysize 2048 -validity #of days -dname "cn=domain name, ou=yourOrgUnit, o=yourOrgOrCompany, l=City/locality, st=State/Canton/Province/Land, c=Country_ISO3166-digraph" -alias "domain name"


Step 3: Create a new CSR, Certificate Signing Request, for your new keystore/keypair.

keytool -keystore "path_to\keystore_name.jks" -certreq -alias domain_name -file "path_to\filename.csr"

(Optional - if "subject alternative name (SAN)" needs to be used):

keytool -keystore "path_to\keystore_name.jks" -ext san=dns:Name1,dns:Name2 -certreq -alias domain_name -file "path_to\filename.csr"


Step 4: Send the CSR to a CA (Certificate Authority) to create the new certificate. This can be either an internal CA, if one is available, or a trusted third-party CA.


Step 5: Import the Root CA cert, then the Intermediate CA cert.

keytool -keystore "path_to\keystore_name.jks" -importcert -alias rootCA -file "path_to\root.cer"

keytool -keystore "path_to\keystore_name.jks" -importcert -alias intCA -file "path_to\int.cer"

Step 5: Import the CA-signed certificate and apply it to the keypair.

keytool -keystore path_to\keystore_name.jks -importcert -alias original_keypair_alias -file path_to\CAsigned.cer

Step 6: Update the "keystoreFile" and "keystorePass" values in the server.xml file located under "C:\Program Files\Blancco\Blancco Management Console\apache-tomcat\conf" to reflect any changes associated with key/cert.

keystoreFile="path_to\keystore_name.jks" keystorePass="keystore password"

Step 7: Start the BMC service.
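
A check for the result of the import steps above, added here as an example (not part of the original article or Blancco's tooling): it reads saved `keytool -list -v` output and confirms that the CA-signed certificate was applied to the key pair's alias rather than left self-signed or stored as a separate trusted entry. The sample output, the aliases and the helper names are constructed for illustration, and English-language keytool output is assumed.

```python
import re
# Constructed `keytool -list -v` output (English locale, trimmed); not from a real server.
SAMPLE = """\
Alias name: example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.com, OU=IT, O=Example Inc, L=Helsinki, ST=North Karelia, C=FI
Issuer: CN=Example Root CA, O=Example Inc, C=FI
Certificate[2]:
Owner: CN=Example Root CA, O=Example Inc, C=FI
Issuer: CN=Example Root CA, O=Example Inc, C=FI

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Inc, C=FI
Issuer: CN=Example Root CA, O=Example Inc, C=FI
"""

def field(lines, key, default=None):
    """First 'key: value' in an entry; for Owner/Issuer that is the leaf certificate."""
    return next((l.split(": ", 1)[1].strip() for l in lines if l.startswith(key + ": ")), default)

def parse_entries(text):
    """Map each alias (lower-cased) to its entry type, chain length and leaf owner/issuer."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        lines = block.splitlines()
        entries[lines[0].strip().lower()] = {
            "type": field(lines, "Entry type"),
            "chain_len": int(field(lines, "Certificate chain length", "0")),
            "owner": field(lines, "Owner"), "issuer": field(lines, "Issuer"),
        }
    return entries

def check_key_entry(text, alias):
    """Return the problems found for the TLS key entry; an empty list means none."""
    e = parse_entries(text).get(alias.lower())
    if e is None:
        return [f"alias {alias!r} not found in keystore"]
    checks = [
        (e["type"] != "PrivateKeyEntry", "no private key stored under this alias"),
        (e["owner"] == e["issuer"], "leaf certificate is still self-signed"),
        (e["chain_len"] < 2, "chain contains no CA certificate"),
    ]
    return [msg for failed, msg in checks if failed]

if __name__ == "__main__":
    print(check_key_entry(SAMPLE, "example.com") or "key entry OK")
```

Redirect the output of the `keytool -list -v` command from the start of this article to a file and pass its contents to `check_key_entry` together with the key pair's alias.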



PFX

  1. Stop the BMC service.
  2. Copy the .pfx format certificate file to the "\Blancco Management Console\apache-tomcat\conf" folder.
  3. Open the server.xml file, located in "\Blancco Management Console\apache-tomcat\conf", in a text editor and edit the following details.
    1. keystoreFile="Certificate_name.pfx"
    2. keystorePass="PFX_certificate_Password"
    3. Add a new value keystoreType="PKCS12" after keystorePass.
  4. Save the server.xml file.
  5. Start the BMC service.





