(Optional) Use a Custom Server Certificate
NetWitness also allows you to configure a custom web server certificate to be used as the NetWitness Server certificate. By default, the NetWitness Server uses a web server certificate generated by NetWitness for HTTPS connections. You can configure a custom web server certificate even if PKI is not enabled.
Supported Keystore Formats
Select the format that meets your requirement. The following keystore formats are supported:
- For a server certificate with its private key:
- pfx/pkcs/p12 (PKCS8/PKCS12 are the standards)
- jks (JKS standard)
Note: .pfx, .p12 and .jks files are containers that can hold one or more private keys and their corresponding certificates or certificate chains.
(Optional) Create a Certificate Signing Request (CSR) and Certificate Store for a Server Certificate
Note: The steps in this procedure allow you to create a CSR and a certificate store for a server certificate.
If a server certificate has already been created along with its private key, you can upload the certificate directly to the NetWitness Server. If the server certificate has not been created, create a CSR and submit it to the Certificate Authority (CA) server to obtain a server certificate. Once the certificate is issued, perform the following steps to package the private key and the signed certificate; the resulting keystore is uploaded to the NetWitness Server and used as the server certificate.
To create a CSR for a Server Certificate:
1. Change the directory to /root:
cd /root
2. Create a new directory:
mkdir nw_pki_server_cert
3. Change the directory to the newly created directory:
cd nw_pki_server_cert
4. Create a 2048-bit private key:
openssl genrsa -out nw_server_pki_private_key.key 2048
5. Create a CSR:
openssl req -new -sha256 -key nw_server_pki_private_key.key -out server_cert_request.csr
For example, if country: US, location: RT, and unit:
CN: ABCD (Hostname or IP Address of the Machine)
For multiple names, use values such as: CN=ABCD, CN=10.XX.XXX.XX
email: example@rsa.com
6. Check that the CSR and private key match:
openssl req -noout -modulus -in server_cert_request.csr | openssl sha256
openssl rsa -noout -modulus -in nw_server_pki_private_key.key | openssl sha256
For example:
[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in server_private.key | openssl sha256
(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5
[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl sha256
(stdin)= 88df3d1ea5b2f411712b96d2ed4a72f5
Note: Make a note of both (stdin)= hash values; they must be identical.
7. Submit the CSR to the CA and get a signed Server Certificate.
8. Copy the certificate in PEM format to the new directory:
/root/nw_pki_server_cert/signed_certificate.pem
9. Check that the certificate contains the correct public key (its modulus hash must match the values from step 6):
openssl x509 -noout -modulus -in signed_certificate.pem | openssl sha256
For example:
[root@ABCD open_ssl_test]# mv test.pem certificate.pem
[root@ABCD open_ssl_test]# openssl x509 -noout -modulus -in certificate.pem | openssl sha256
(stdin)= 3e2f4bbd1f32ae097902afcc1893089e
[root@ABCD open_ssl_test]# openssl rsa -noout -modulus -in sa_server_pki_private_key.key | openssl sha256
(stdin)= 3e2f4bbd1f32ae097902afcc1893089e
[root@ABCD open_ssl_test]# openssl req -noout -modulus -in server_cert_request.csr | openssl sha256
(stdin)= 3e2f4bbd1f32ae097902afcc1893089e
10. Copy the private key and certificate into a keystore:
openssl pkcs12 -export -descert -name <myservercert> -in signed_certificate.pem -inkey nw_server_pki_private_key.key -out keystore.p12
11. When prompted, enter an export password for the keystore, for example NetWitness@123.
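The procedure above (steps 4 to 10), automated as an added example that is not the NetWitness documentation's own script. It assumes openssl is on PATH, stands in a self-signed certificate for the CA-signed one from step 7 so that it runs offline, and uses a placeholder CN, keystore name, export password and working directory; the step 6 and step 9 modulus comparisons become one pass/fail function.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation): runs steps 4 to 10 above
# non-interactively and turns the step 6 and 9 modulus checks into a pass/fail
# function. Assumes openssl on PATH; a self-signed certificate stands in for the
# CA-signed one so it runs offline; CN, keystore name, password are placeholders.
set -eu
KEY="nw_server_pki_private_key.key"; CSR="server_cert_request.csr"
CERT="signed_certificate.pem";       P12="keystore.p12"
EXPORT_PASS="NetWitness@123"   # placeholder export password from step 11

# SHA-256 of the RSA modulus in a key, CSR or certificate ($2 = key|csr|cert);
# sed strips the "(stdin)= " prefix so the values compare as bare hashes.
modulus_hash() {
    case "$2" in
        key)  openssl rsa  -noout -modulus -in "$1" ;;
        csr)  openssl req  -noout -modulus -in "$1" ;;
        cert) openssl x509 -noout -modulus -in "$1" ;;
    esac | openssl sha256 | sed 's/^.*= //'
}
# Steps 4 and 5; -subj supplies the subject so openssl does not prompt.
build_key_and_csr() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -sha256 -key "$KEY" -out "$CSR" \
        -subj "/C=US/L=RT/OU=Example/CN=nw-server.example.invalid" 2>/dev/null
}
# Step 7 stand-in: self-sign the CSR instead of submitting it to a CA.
self_sign_csr() {
    openssl x509 -req -days 365 -sha256 -in "$CSR" -signkey "$KEY" -out "$CERT" 2>/dev/null
}
# Steps 6 and 9: succeed only if key, CSR and certificate carry the same modulus.
verify_key_material() {
    k=$(modulus_hash "$KEY" key); c=$(modulus_hash "$CSR" csr); x=$(modulus_hash "$CERT" cert)
    [ "$k" = "$c" ] && [ "$c" = "$x" ]
}
# Step 10: package key and certificate; -passout replaces the step 11 prompt.
package_keystore() {
    openssl pkcs12 -export -name nw-server-cert -in "$CERT" -inkey "$KEY" \
        -out "$P12" -passout "pass:$EXPORT_PASS"
}
# Read the certificate back out of the keystore with the export password and
# return its modulus hash, so the packaged certificate can be compared to $CERT.
keystore_cert_modulus() {
    openssl pkcs12 -in "$P12" -nokeys -clcerts -passin "pass:$EXPORT_PASS" 2>/dev/null \
        | openssl x509 -noout -modulus | openssl sha256 | sed 's/^.*= //'
}
# Run end to end in a scratch directory (the procedure uses /root/nw_pki_server_cert).
cd "${NW_CERT_DIR:-$(mktemp -d)}"
build_key_and_csr; self_sign_csr; verify_key_material; package_keystore
echo "keystore $(pwd)/$P12 ready; modulus $(modulus_hash "$CERT" cert)"
```

Set NW_CERT_DIR to keep the output in a directory of your choice instead of a temporary one.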
Import an NW Server Certificate with its Private Key
Note: .p12, .jks, and .pfx are the supported server certificate formats. Execute the following OpenSSL command to convert a certificate to a supported format:
openssl pkcs12 -export -out cert.p12 -in cert.cer -inkey nw_server_pki_private_key.key
Only certificates that are configured with an export password can be uploaded to the NetWitness UI.
- Go to (Admin) > Security.
The Security view is displayed with the Users tab open.
- Click the PKI Settings tab.
- In the Server Certificates section, click .
The Import Server Certificates dialog is displayed.
- In the Keystore/Certificate File field, click Browse and select the keystore.
- In the Password field, enter the keystore password.
- In the Appliance To Use field, select the appliance for which you want to use this certificate.
- (Optional) Select the Overwrite Existing Entries checkbox to overwrite the entries of a certificate that has already been added.
- Click Save.
The NetWitness Server certificate with its private key is successfully added to NetWitness.
Note: While the certificate is being applied on the selected appliance, no other PKI operation can be performed until the process completes.
Double-click on the added entries to view the details of the certificate.
- To apply the server certificate on a server, select a certificate and click .
Note: Uploading a keystore will add the server certificate and its private key locally. To apply a server certificate on a server, you need to select a server certificate and click the synchronization button .
All server certificates are also synchronized on the appliances when PKI is enabled.
Note: To complete the certificate update process, log into the Admin Server (node-0) and restart nginx with the command systemctl restart nginx.