There are two main reasons for wanting to change Web Reporter's SSL certificate.
- Security - Every installation of Web Reporter uses the same certificate by default. A skilled attacker could use this information to perform a man-in-the-middle attack to break the encryption. Any certificate other than the default will solve this problem.
- Warnings - The default certificate is self-signed using localhost for the common name, which means that no browser is going to trust this certificate without creating an exclusion. Installing a certificate that is trusted in your organization (perhaps one issued by your own certificate authority) can eliminate certificate warning messages when accessing the Web Reporter GUI.
This process requires you to:
- Generate a new keystore file
- Export the certificate
- Copy the files to the appropriate directory
- Update the config file for the new keystore
- Restart the service.
Generate a new Keystore file
Open a command prompt and cd to <install_dir>\jre1.6\bin.
Run the command below to generate your new keystore file, which contains a new private key and SSL certificate. You will be prompted for certificate information such as the Organizational Unit and City. When prompted with "What is your first and last name?", enter the hostname of the Web Reporter server that you use to access the GUI. If these don't match, you will get a common name mismatch warning from the browser and Java when loading the GUI.
keytool -genkey -alias webreporter -keyalg RSA -keystore mwr.keystore -keysize 2048 -validity 7300
C:\Program Files\McAfee\Web Reporter (64-bit)\jre1.6\bin>keytool -genkey -alias webreporter -keyalg RSA -keystore mwr.keystore -keysize 2048 -validity 7300
Enter keystore password: P455word
Re-enter new password: P455word
What is your first and last name?
What is the name of your organizational unit?
[Unknown]: Technical Support
What is the name of your organization?
What is the name of your City or Locality?
[Unknown]: Saint Paul
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=shibuya.yamanote.jr.local, OU=Technical Support, O=McAfee, L=Saint Paul, ST=Minnesota, C=US correct?
Enter key password for <webreporter>
(RETURN if same as keystore password):
Export the certificate from the keystore file using this command.
keytool -export -keystore mwr.keystore -alias webreporter -file wrhost.company.com.crt
C:\Program Files\McAfee\Web Reporter (64-bit)\jre1.6\bin>keytool -export -keystore mwr.keystore -alias webreporter -file shibuya.yamanote.jr.local.crt
Enter keystore password: P455word
Certificate stored in file <shibuya.yamanote.jr.local.crt>
Copy the mwr.keystore and crt file you just exported to the configuration directory below.
C:\Program Files\Web Reporter (64-bit)\reporter\jboss\server\default\conf\mwr.keystore
C:\Program Files\Web Reporter (64-bit)\reporter\jboss\server\default\conf\shibuya.yamanote.jr.local.crt
Edit the configuration file to use the new keystore.
Make a backup copy of <install directory>\reporter\jboss\server\default\deploy\jboss-web.deployer\server.xml in case you make a mistake while editing it. Then open the original file in any text editor. Set keystoreFile and keystorePass to match the new keystore file and its password.
Restart the Web Reporter Server service
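A check worth running on the edited server.xml before the restart, added here as an example and not part of the original article or the product: it compares the edited file against the backup and reports anything other than keystoreFile and keystorePass that changed. It assumes Tomcat-style `<Connector>` elements carry those two attributes; the sample XML, port numbers and original values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a backup server.xml and an edited copy. The Connector
# layout, ports and original values are assumptions for illustration only.
BACKUP_XML = """<Server>
  <Service name="jboss.web">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="${jboss.server.home.dir}/conf/default.keystore"
               keystorePass="example-old" />
  </Service>
</Server>"""
EDITED_XML = (BACKUP_XML.replace("default.keystore", "mwr.keystore")
              .replace("example-old", "P455word"))

ALLOWED = {"keystoreFile", "keystorePass"}  # the only attributes the edit should touch


def tls_connectors(xml_text):
    """Return the attribute dicts of every Connector that names a keystore."""
    root = ET.fromstring(xml_text)
    return [dict(c.attrib) for c in root.iter("Connector") if "keystoreFile" in c.attrib]


def review_edit(backup_xml, edited_xml, keystore_name):
    """List problems with the edit; an empty list means nothing was flagged."""
    try:
        before, after = tls_connectors(backup_xml), tls_connectors(edited_xml)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed: {exc}"]
    problems = []
    if not after:
        problems.append("no Connector with keystoreFile found")
    if len(before) != len(after):
        problems.append("number of TLS connectors changed")
    for old, new in zip(before, after):
        changed = {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
        for attr in sorted(changed - ALLOWED):
            problems.append(f"unexpected change to {attr}")
        # Accept either slash style; only the file name is compared.
        if new["keystoreFile"].replace("\\", "/").rsplit("/", 1)[-1] != keystore_name:
            problems.append(f"keystoreFile does not point to {keystore_name}")
        if "keystorePass" not in changed:
            problems.append("keystorePass unchanged; confirm it matches the new keystore")
    return problems


if __name__ == "__main__":
    print(review_edit(BACKUP_XML, EDITED_XML, "mwr.keystore") or "nothing flagged")
```

To use it on a real installation, read the backup and the edited server.xml from disk and pass their contents in place of the two sample strings.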