Using External Certificates with Live Assist

Introduction

This article is intended as a guide for applying certificates generated outside of the usual CBA process (in which FAS itself generates the CSR). In this example, we will import an existing wildcard certificate (such as one for *.cafex.com) and its private key into a FAS server in that DNS domain.

WARNING - This procedure has the potential to be destructive. Although we take a backup of the FAS installation below, we also recommend that a full server state backup is made before attempting it.

Prerequisites

It is assumed you have:

  • A directory on the server (e.g. mkdir /opt/certs/) containing the three files listed below.
  • The wildcard certificate for *.yourdomain.com, e.g. wildcard-server.crt. It is advised that this file also includes the CA bundle (intermediate) certificates; see Creating all.crt to include bundle certificates with server certificate for details.
  • The web server private key that matches the certificate, e.g. websvr.key.
  • The importKeyPair.sh script attached to this article.

Please ensure that the certificate and key files are in Unix format. If they are in DOS format (vi shows [dos] at the bottom of the screen when you open such a file), the import will fail with errors.

You can convert a file from DOS format to Unix format by using the 'dos2unix' command.

If the 'dos2unix' command is not available, you can do the following:

  1. Open the file in 'vi editor'
  2. Press Escape to leave insert mode, then enter the command :set fileformat=unix
  3. Save and close the file (:wq)
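The following POSIX shell functions are an added example, not part of the original article or of FAS itself. They perform the pre-flight checks the prerequisites above call for, before importKeyPair.sh is run: detect and strip DOS line endings without needing dos2unix, count the PEM blocks in the certificate file (so you can see whether the CA bundle was actually appended), and confirm that the private key belongs to the certificate. The file names, the temporary directory and the self-signed *.example.com pair are constructed for the demo; openssl on the PATH is assumed for the key check.

```shell
#!/bin/sh
# Added example, not part of the original article or of FAS itself.
# Pre-flight checks for the files in /opt/certs before running importKeyPair.sh.
# Assumptions: POSIX sh; openssl on the PATH for the key/certificate match check.

# Exit 0 if FILE contains CRLF (DOS) line endings.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Rewrite FILE in place with LF (Unix) line endings; no dos2unix required.
to_unix() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print how many PEM blocks of TYPE ("CERTIFICATE" or "PRIVATE KEY") FILE holds.
# A server certificate with its CA bundle appended reports 2 or more CERTIFICATE blocks.
pem_block_count() {
    grep -c "^-----BEGIN .*$2-----" "$1" || true
}

# Exit 0 if the public key inside CERT matches the private key in KEY (RSA or EC).
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run all checks on a certificate/key pair; return non-zero with a reason on failure.
preflight() {
    crt=$1; key=$2
    for f in "$crt" "$key"; do
        if has_crlf "$f"; then
            echo "$f has DOS line endings, converting to Unix format"
            to_unix "$f"
        fi
    done
    n_certs=$(pem_block_count "$crt" CERTIFICATE)
    if [ "$n_certs" -lt 1 ]; then echo "$crt: no PEM certificate found"; return 1; fi
    if [ "$(pem_block_count "$key" 'PRIVATE KEY')" -lt 1 ]; then
        echo "$key: no PEM private key found"; return 1
    fi
    if [ "$n_certs" -lt 2 ]; then
        echo "warning: $crt holds one certificate only; the CA bundle does not seem to be appended"
    fi
    if command -v openssl >/dev/null 2>&1; then
        cert_matches_key "$crt" "$key" || { echo "$key does not match $crt"; return 1; }
    fi
    echo "preflight OK: $crt / $key"
}

# --- constructed demo input (not a real certificate) ---
demo_dir=$(mktemp -d)
demo_crt="$demo_dir/wildcard-server.crt"
# A CRLF-terminated PEM-looking file, to exercise the conversion path.
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIB...' '-----END CERTIFICATE-----' > "$demo_crt"
has_crlf "$demo_crt" && to_unix "$demo_crt"
has_crlf "$demo_crt" || echo "$demo_crt is now in Unix format"

# With openssl available, generate a throwaway self-signed wildcard pair and run the full check.
if command -v openssl >/dev/null 2>&1 \
   && openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.com' \
        -keyout "$demo_dir/websvr.key" -out "$demo_dir/real.crt" >/dev/null 2>&1; then
    preflight "$demo_dir/real.crt" "$demo_dir/websvr.key"
fi
rm -rf "$demo_dir"
```

Run it as `sh preflight.sh`, or source it and call `preflight /opt/certs/wildcard-server.crt /opt/certs/websvr.key` against your real files; a non-zero return means the import should not be attempted yet.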

Instructions

Once you have these files in place on the server (in /opt/certs/), follow the steps below.

Step 1. Stop FAS and back up the existing install directory

Back up the existing installation:

  • Stop FAS: service fas stop
  • Copy the install directory: cp -Rp /opt/cafex/FAS-<version> /opt/cafex/FAS-<date>-<version>
  • Start FAS: service fas start

Step 2. Remove the existing keypairs for https on the main-loadbalancer-group and the mgmt-server-group.

Navigate to the AS server admin console:

https://<your-server>:9990/console/ --> Profiles --> Management --> Trust Management --> ID Certificates --> main-loadbalancer-group --> https --> remove

Then repeat for the mgmt-server-group.

https://<your-server>:9990/console/ --> Profiles --> Management --> Trust Management --> ID Certificates --> mgmt-server-group --> https --> remove

NOTE - DO NOT RESTART FAS OR THE SERVER AT THIS POINT: IT NOW HAS NO HTTPS CERTIFICATE TO SERVE WEB PAGES WITH.

Step 3. Create new https keypairs on the main-loadbalancer-group and the mgmt-server-group using the wildcard cert and webserver key.

NOTE ** REMEMBER to use the actual names of your certificate and key files and your own passwords; do not copy and paste the commands below verbatim.

  1. Copy the importKeyPair.sh script attached to this article into /opt/certs.
  2. Ensure your .crt and .key files are in the same folder as importKeyPair.sh, or that the paths you pass to it are correct.
  3. Make the script executable: chmod +x /opt/certs/importKeyPair.sh
  4. Create the main-loadbalancer-group https keypair (this should return a success response):
     ./importKeyPair.sh -g main-loadbalancer-group -n https -p changeit -k websvr.key -c wildcard-server.crt -u administrator -a administrator
  5. Create the mgmt-server-group https keypair (this should return a success response):
     ./importKeyPair.sh -g mgmt-server-group -n https -p changeit -k websvr.key -c wildcard-server.crt -u administrator -a administrator
  6. Now restart FAS: service fas restart

The procedure is now complete. If you received an error message instead of a success response, follow the restore procedure below.

Note: browsers need to be restarted to pick up the new certificate.
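To confirm from a client that the restarted server is really presenting the new wildcard certificate together with its chain, here is an added example that is not part of the original article or of FAS itself. It uses openssl s_client with SNI, counts the certificates the server sends (a count of 1 means the CA bundle was not included in the imported .crt) and checks the leaf subject and expiry. FAS_HOST and FAS_PORT are placeholders the operator sets; the default of 443 is only an assumption, since the article does not state which port each server group listens on, and nothing is contacted unless FAS_HOST is set.

```shell
#!/bin/sh
# Added example, not part of the original article or of FAS itself.
# After 'service fas restart', verify from a client what the server actually serves.
# Assumptions: openssl on the PATH; FAS_HOST/FAS_PORT are set by the operator
# (port 443 below is only a placeholder default).

# Print the PEM chain HOST:PORT presents (leaf first), sending HOST as the SNI name.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Print the number of certificates in the PEM chain read from stdin.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print the subject of the leaf (first) certificate in the PEM chain read from stdin.
leaf_subject() {
    openssl x509 -noout -subject
}

# Print the notAfter date of the leaf certificate read from stdin.
leaf_expiry() {
    openssl x509 -noout -enddate
}

# Exit 0 if the leaf subject read from stdin contains NAME (e.g. '*.example.com').
leaf_subject_is() {
    case "$(leaf_subject)" in
        *"$1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Operator-driven check; nothing is contacted unless FAS_HOST is set.
if [ -n "${FAS_HOST:-}" ]; then
    port=${FAS_PORT:-443}
    chain=$(fetch_chain "$FAS_HOST" "$port")
    if [ -z "$chain" ]; then
        echo "no certificate received from $FAS_HOST:$port" >&2
        exit 1
    fi
    printf '%s\n' "$chain" | leaf_subject
    printf '%s\n' "$chain" | leaf_expiry
    echo "certificates in chain: $(printf '%s\n' "$chain" | chain_length)"
    # Strip the host label so fas.example.com is checked against *.example.com.
    wildcard="*.${FAS_HOST#*.}"
    if printf '%s\n' "$chain" | leaf_subject_is "$wildcard"; then
        echo "leaf is the wildcard certificate $wildcard"
    else
        echo "warning: leaf subject does not match $wildcard" >&2
    fi
fi
```

Usage: `FAS_HOST=fas.example.com FAS_PORT=443 sh check-served-cert.sh`. Run it once per server group (main-loadbalancer-group and mgmt-server-group) against the host name and port each one listens on; if the old certificate is still reported, the browser cache is not the problem and the import or restart should be revisited.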

Restore procedure

  1. Stop FAS: service fas stop
  2. Move the failed FAS directory aside: mv /opt/cafex/FAS-<version> /opt/cafex/FAS-failed-cert
  3. Rename the backup taken in Step 1 back to its original name: mv /opt/cafex/FAS-<date>-<version> /opt/cafex/FAS-<version> (you can get the version from cat /etc/fas.conf)
  4. Start FAS: service fas start

Common Problems, Issues & Error Messages

  • "Failed to import key pair: JBAS014746: public-cert-encoded may not be null"
    • Please ensure that the .crt and .key files are located in the same folder as importKeyPair.sh or that the path to these files is accurate.
  • "JBAS014803: Duplicate resource"
    • This error means the keypair you are adding already exists in the FAS certificate store, e.g. the existing https keypair for that group was not removed in Step 2. Remove the previous certificate before applying the new one.

importKeyPair.sh