Generating and importing a CA-signed SSL certificate for Multi-Server Administration


This topic describes how to generate and import a CA-signed SSL certificate for Multi-Server Administration that is hosted on Windows.

Do the following:

  1. Stop the TrueSight Network Automation – Multi-Server Administration Web Server service.
  2. Navigate to the MSA_HOME\java\bin directory and run the following command to view the keystore with the default self-signed certificate:

    keytool.exe -list -v -keystore "C:\Program Files\BMC Software\BCA-Networks-MSA\data\.keystore"
  3. When prompted for the password, enter the keystore password that you entered during the Multi-Server Administration installation.
    After you enter the password, the following sample messages are displayed:

    Keystore type: PKCS12
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: tomcat
    Creation date: May 1, 2020
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=vx-1200, OU=MSA, O=BMC, L=McLean, ST=VA, C=US
    Issuer: CN=vx-1200, OU=Your Organization Unit, O=Your Organization Name, L=Your Locality, ST=Your State, C=US
    Serial number: 1491666
    Valid from: Fri May 01 12:25:49 IST 2020 until: Sun Apr 07 12:25:49 IST 2120
    Certificate fingerprints:
             SHA1: CF:F4:1F:18:AF:72:6F:C6:E1:8C:08:6D:6D:83:57:7A:A2:13:8C:7B
             SHA256: 72:9F:A6:66:07:69:C3:B9:37:D7:F3:06:69:91:5D:85:97:67:32:5A:8C:57:9C:39:65:09:7F:19:57:1F:01:D1
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 4096-bit RSA key
    Version: 3

    Notice that there is only one alias, tomcat, which has the entry type PrivateKeyEntry.

  4. Run the following command to generate a certificate signing request (CSR) file, for example, MSA.csr, by using the self-signed certificate:
    keytool.exe -certreq -keystore "C:\Program Files\BMC Software\BCA-Networks-MSA\data\.keystore" -alias tomcat -file "C:\Program Files\BMC Software\BCA-Networks-MSA\data\MSA.csr"
  5. When prompted for the password, enter the keystore password that you entered during the Multi-Server Administration installation.
    After you enter the password, MSA.csr is generated in the C:\Program Files\BMC Software\BCA-Networks-MSA\data directory.
  6. Submit the MSA.csr file to the certification authority (CA) and get the application server certificate.
  7. Obtain the root certificate and, if required, the intermediate certificates from the CA.
  8. Copy the application server, root, and intermediate certificates to the MSA_DATA directory.
  9. Import the root CA certificate:

    1. Run the following command:
      keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks-MSA\data\.keystore" -alias root -file "C:\Program Files\BMC Software\BCA-Networks-MSA\data\CA-root.cer"
    2. When prompted for the password, enter the password you entered during the Multi-Server Administration installation.

      The following sample messages are displayed when you run the preceding command:

    Owner: CN=ca-host-name, OU=MSA, O=BMC, L=McLean, ST=VA, C=US
    Issuer: CN=ca-host-name
    Serial number: 2f245324d2723a964f3c1bafcada2bd4
    Valid from: Wed Sep 16 11:01:01 IST 2020 until: Thu Sep 16 11:11:01 IST 2021
    Certificate fingerprints:
             SHA1: A6:9D:77:7B:5B:AB:95:95:BE:49:E8:FE:A1:84:46:78:08:15:63:0D
             SHA256: 5E:9A:A8:20:73:C2:0C:52:88:D4:61:32:7A:73:FD:86:22:ED:DD:5A:87:AE:A9:C9:13:A9:AE:D0:91:9C:DB:6B1
    Signature algorithm name: SHA1withRSA
    Subject Public Key Algorithm: 4096-bit RSA key
    Version: 3

    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  10. (Optional) Run the following command to import intermediate CA certificates:

    keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks-MSA\data\.keystore" -alias intermediate -file "C:\Program Files\BMC Software\BCA-Networks-MSA\CA-intermediate.cer"
  11. Run the following command to import the application server certificate:

    keytool.exe -importcert -keystore "C:\Program Files\BMC Software\BCA-Networks-MSA\data\.keystore" -alias tomcat -file "C:\Program Files\BMC Software\BCA-Networks-MSA\MSA-Certificate.cer"
  12. When prompted for the password, enter the keystore password that you entered during the Multi-Server Administration installation.
  13. After you enter the password, the following sample message is displayed:

    Certificate reply was installed in keystore
  14. Run the following command to view the root and application server certificates in the keystore:

    keytool.exe -list -v -keystore "C:\Program Files\BMC Software\BCA-Networks-MSA\data\.keystore"
  15. When prompted for the password, enter the keystore password that you entered during the Multi-Server Administration installation.

    After you enter the password, the following sample messages are displayed:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    Alias name: root
    Creation date: Sep 16, 2020
    Entry type: trustedCertEntry

    Owner: CN=ca-host-name, OU=MSA, O=BMC, L=McLean, ST=VA, C=US
    Issuer: CN=ca-host-name
    Serial number: 19x00t00001760efffd551435a1b0002000000v17
    Valid from: Wed Sep 16 11:01:01 IST 2020 until: Thu Sep 16 11:11:01 IST 2021
    Certificate fingerprints:
             SHA1: 39:44:3B:CF:B4:9E:FE:98:9D:92:DD:BE:2B:AC:2D:5A:39:4E:9E:7A
             SHA256: 07:00:4B:E0:82:26:4C:12:9F:02:CF:0D:D7:D6:EE:A8:F5:72:E4:25:D7:BE:6C:0F:17:6D:50:80:C1:10:ED:E1
    Signature algorithm name: SHA1withRSA
    Subject Public Key Algorithm: 4096-bit RSA key
    Version: 3

    *******************************************

    Alias name: tomcat
    Creation date: Sep 9, 2020
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=ca-host-name, OU=MSA, O=BMC, L=McLean, ST=VA, C=US
    Issuer: CN=ca-host-name, OU=MSA, O=BMC, L=McLean, ST=VA, C=US
    Serial number: 669671ef
    Valid from: Wed Sep 09 21:18:15 IST 2020 until: Fri Aug 16 21:18:15 IST 2120
    Certificate fingerprints:
             SHA1: 4C:D3:34:2B:D9:0D:F5:62:72:84:7B:0B:5A:CC:F8:37:08:0C:C2:04
             SHA256: 89:50:2F:CF:8B:73:6E:6E:13:FD:20:59:91:60:5F:E3:E8:32:31:67:75:36:94:14:A4:72:F4:AB:EF:DD:72:16
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 4096-bit RSA key
    Version: 3

    Notice that there are two aliases, root and tomcat. The root alias is a self-signed trustedCertEntry with only one certificate. However, the tomcat alias is still a PrivateKeyEntry. Now tomcat has two certificates:

    • One for itself: Owner: CN=ca-host-name, OU=MSA, O=BMC, L=McLean, ST=VA, C=US
    • One for its root: Owner: CN=ca-host-name
  16. Start the TrueSight Network Automation – Multi-Server Administration Web Server service.
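
A check for the listing viewed in steps 14 and 15, as an added example that is not part of the BMC documentation: the PowerShell function below parses `keytool.exe -list -v` text and flags a PrivateKeyEntry whose leaf certificate is still self-signed, whose chain contains no CA certificate, or whose leaf signature uses SHA1 or MD5. The function names, the `legacy` alias, and the sample listing are constructed for illustration; English keytool output is assumed.

```powershell
function Get-Field([string]$Text, [string]$Label) {
    # Value of the first "Label: value" line in $Text, or $null if absent.
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Label) + ':[ \t]*(.+?)[ \t\r]*$'
    $m = [regex]::Match($Text, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Get-KeystoreEntryReport([string]$ListingText) {
    # One block per entry; the lookahead keeps each "Alias name:" line in its block.
    $blocks = $ListingText -split '(?m)^(?=[ \t]*Alias name:)' |
        Where-Object { $_ -match 'Alias name:' }
    foreach ($b in $blocks) {
        $type   = Get-Field $b 'Entry type'
        $owner  = Get-Field $b 'Owner'      # first match is Certificate[1], the leaf
        $issuer = Get-Field $b 'Issuer'
        $sigAlg = Get-Field $b 'Signature algorithm name'
        $chain  = [int](Get-Field $b 'Certificate chain length')   # absent -> 0
        $findings = @()
        if ($type -eq 'PrivateKeyEntry') {
            if ($owner -eq $issuer) { $findings += 'leaf is self-signed (CA reply not installed)' }
            if ($chain -lt 2) { $findings += 'chain does not include a CA certificate' }
            if ($sigAlg -match '^(SHA1|MD5)with') { $findings += "weak leaf signature $sigAlg" }
        }
        [pscustomobject]@{
            Alias = Get-Field $b 'Alias name'; EntryType = $type; ChainLength = $chain
            Issuer = $issuer; Findings = ($findings -join '; ')
        }
    }
}

# Constructed listing, trimmed to the parsed fields; "legacy" is a hypothetical alias.
$sample = @'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=msa.example.test, OU=MSA
Issuer: CN=Example Test CA
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Test CA

Alias name: legacy
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=old-host
Issuer: CN=old-host
Signature algorithm name: SHA1withRSA
'@
Get-KeystoreEntryReport $sample | Format-List
```

To audit the real keystore, pass the output of the step 14 command to `Get-KeystoreEntryReport` as a single string. An empty Findings value for the tomcat alias means the CA-issued certificate and its chain are in place.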
