Imperva Cyber Community

  • 1.  Error - Installing MX SSL Certificate

    Posted 10-12-2022 03:35
    Hi team, I was following the following procedure to install the MX certificate according to the Imperva Documentation Portal, but with the self-signed part I saw some mistakes:

    [root@V147110_DAM_OneBox bin]# openssl x509 -in cert.pem -out cert.der -outform der && openssl pkcs8 -topk8 -nocrypt -in key.key -out key.der -outform der
    Can't open input file key.key
    [root@V147110_DAM_OneBox bin]# impctl server stop
    [root@V147110_DAM_OneBox bin]# chmod +x importSSLKeys.sh
    [root@V147110_DAM_OneBox bin]# ./importSSLKeys.sh cert.der key.der
    Importing ...
    java.io.FileNotFoundException: key.der (No such file or directory)
    at java.io.FileInputStream.open0(Native Method)
    at java.io.FileInputStream.open(FileInputStream.java:195)
    at java.io.FileInputStream.<init>(FileInputStream.java:138)
    at java.io.FileInputStream.<init>(FileInputStream.java:93)
    at com.mprv.keytool.KeyImporter.readFromFile(KeyImporter.java:57)
    at com.mprv.keytool.KeyImporter.main(KeyImporter.java:29)
    Failed to import keys. reason:
    java.lang.RuntimeException: Failed to read from key from file: key.der
    at com.mprv.keytool.KeyImporter.readFromFile(KeyImporter.java:67)
    at com.mprv.keytool.KeyImporter.main(KeyImporter.java:29)


    Please, do you know what the reason is? I followed the guide step by step.

    Thanks
    Regards

    Andrew
    #DatabaseActivityMonitoring

    ------------------------------
    Andres Pazmiño
    Eng
    Grupo Microsistemas Jovicha S.A (GMS)
    Quito
    ------------------------------


  • 2.  RE: Error - Installing MX SSL Certificate

    Posted 10-12-2022 11:58
    [root@V147110_DAM_OneBox bin]# openssl x509 -in cert.pem -out cert.der -outform der && openssl pkcs8 -topk8 -nocrypt -in key.key -out key.der -outform der
    Can't open input file key.key

    Your step one itself failed as it was never able to open that key.key file to generate the der file.

    That would explain why your next steps fail too, as it cannot find the key.der file since it was not generated in the above step.
    [root@V147110_DAM_OneBox bin]# impctl server stop
    [root@V147110_DAM_OneBox bin]# chmod +x importSSLKeys.sh
    [root@V147110_DAM_OneBox bin]# ./importSSLKeys.sh cert.der key.der
    Importing ...
    java.io.FileNotFoundException: key.der (No such file or directory)


    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 3.  RE: Error - Installing MX SSL Certificate

    Posted 10-12-2022 12:39

    Hello Andrew,

    Thank you for the post. As mentioned by Sarvesh, the CSR generation command itself has failed, hence you cannot proceed further.
    1) Need to create CSR
    2) Create Key
    3) Then send it to the CA for the CA cert. Once you have the signed certificate, move the file to the bin folder and restart the MX service.

    As a reference, I have pasted successful CSR and key generation output below:

    [root@MX tmp]# openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout key -out cert -config cert.conf -extensions 'v3_req'
    Generating a RSA private key
    ............................................................+++++
    .....+++++
    writing new private key to 'key'
    -----

    [root@mx tmp]# openssl genrsa -out key 2048 && openssl req -new -key key -out csr -config cert.conf
    Generating RSA private key, 2048 bit long modulus
    .......+++++
    ...+++++
    e is 65537 (0x10001)

    Note: Make sure you have created the cert.conf file.
    Second, make sure you are under the var/tmp folder, where the above file is created, and then retry.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 4.  RE: Error - Installing MX SSL Certificate

    Posted 10-19-2022 11:48
    Thanks for your response, Syed Noor. I added openssl genrsa -out key 2048 && openssl req -new -key key -out csr -config cert.conf under tmp. But the result is the same when I follow the next step; after entering the command line to convert, it appears like this:
    [root@V145011_WAF_OneBox bin]# openssl x509 -in cert.pem -out cert.der -outform der && openssl pkcs8 -topk8 -nocrypt -in key.key -out key.der -outform der
    Error opening Certificate cert.pem
    140579566745264:error:02001002:system library:fopen:No such file or directory:bss_file.c:413:fopen('cert.pem','r')
    140579566745264:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:415:
    unable to load certificate




    ------------------------------
    Andres Pazmiño
    IT Security Engineer
    Grupo Microsistemas Jovicha S.A (GMS)
    Quito
    ------------------------------



  • 5.  RE: Error - Installing MX SSL Certificate

    Posted 10-19-2022 12:16
    Hi,

    You only need to run the below command for a self-signed certificate:

    openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout key -out cert -config cert.conf -extensions 'v3_req'


    And to cross-check, are you attempting to use a self-signed certificate (one generated on the MX itself) or one signed by a CA (where the CA gave you a cert and key file already)?

    As per the linked KB from your first post, you don't run both commands. Depending on your use case, you choose one.

    1. For Self Signed:  Run the commands under steps 8.1 only.
    2. For a CA signed certificate, run the commands for step 8.2 only.


    Step 8.1 already generates a certificate in der format, so there is no need to run the steps for 8.2 afterwards.

    Step 8.2 is only used if you have a CA signed certificate (one issued by your certificate manager like one from Windows Server for example.) and even then you only run the commands from step 8.2 after you copy the two files over to MX.



    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 6.  RE: Error - Installing MX SSL Certificate
    Best Answer

    Posted 10-19-2022 19:45
    Hi Sarvesh.. 
    I could resolve it at that step of the procedure by replacing the files, cert.pem instead of cert and key.key instead of key, in the /server/bin directory. Next step: openssl x509 -in cert.pem -out cert.der -outform der && openssl pkcs8 -topk8 -nocrypt -in key.key -out key.der -outform der, and no more errors.
    Thanks for your help.

    Best regards
    Andres


    ------------------------------
    Andres Pazmiño
    IT Security Engineer
    Grupo Microsistemas Jovicha S.A (GMS)
    Quito
    ------------------------------
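
An added example, not from the thread or from Imperva's documentation: a pre-flight for the PEM to DER conversion step that checks both input files exist, confirms the private key belongs to the certificate, and only then writes cert.der and key.der, so a missing key.key is caught before `impctl server stop` and the import. The function name `prepare_mx_der` and its return codes are assumptions; the two conversion commands are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: pre-flight for the cert.pem/key.key -> cert.der/key.der step.
# prepare_mx_der is a hypothetical helper, not part of Imperva's tooling.
# Return codes: 0 ok, 2 input missing, 3 cert/key mismatch, 4 openssl failure.
prepare_mx_der() {
    local cert_pem="$1" key_pem="$2" out_dir="$3" f cert_pub key_pub

    # The failure seen in the thread: an input name that is not on disk.
    for f in "$cert_pem" "$key_pem"; do
        if [ ! -r "$f" ]; then
            echo "missing input: $f" >&2
            return 2
        fi
    done

    # The certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert_pem" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key_pem" -pubout 2>/dev/null) || return 4
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match" >&2
        return 3
    fi

    # key.der is written unencrypted (-nocrypt), so create it owner-only.
    (
        umask 077
        openssl x509 -in "$cert_pem" -out "$out_dir/cert.der" -outform der &&
        openssl pkcs8 -topk8 -nocrypt -in "$key_pem" -out "$out_dir/key.der" -outform der
    ) || return 4

    # Both outputs must exist and be non-empty before any import is attempted.
    [ -s "$out_dir/cert.der" ] && [ -s "$out_dir/key.der" ] || return 4
}

# Usage on the MX, run from the directory holding the files:
#   prepare_mx_der cert.pem key.key . && echo "safe to stop the server and import"
```

Because the check returns non-zero on any problem, chaining the server stop and import behind it with `&&` keeps the MX running when the inputs are wrong.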