nick.olson
Level 9

MWG 7.3 User Interface Certificate Import Problem

Good Morning,

For the past week or so I've been trying to get the User Interface Certificate import to work on MWG 7.3 (not for the SSL scanner, but so we stop getting prompted for a bad cert whenever we log into the user interface).

I've generated a new private key and CSR in OpenSSL then took the CSR to our Internal CA (a MS AD Certificate Services Server).

Something like "openssl req -nodes -newkey rsa:2048 -keyout mwg.key -out mwg.csr"

I downloaded the cert and cert chain in Base64 from the CA.

I then tried to import the cert at Configuration -> User Interface -> User Interface Certificate.

I clicked Import and browsed to the cert and private key.

Clicked OK and I get the error "Error importing certificate: No Certificate or Private Key Found"

I've tried several times generating new certs and trying to get them to import but without any luck getting it to import.

I have even tried installing the cert directly from the CA to IE then exporting it.

Also tried generating a self-signed cert and having the CA sign it and reimport it, but that also didn't work.

There has to be something silly that I am missing.  Any ideas?

Any help would be greatly appreciated.

Thanks!

1 Solution

Accepted Solutions
nick.olson
Level 9

Re: MWG 7.3 User Interface Certificate Import Problem

I got it working!

This is how I did it.

I created a new key first using the following command (this will prompt you to create a password, which I gave it):

>openssl genrsa -des3 -out "C:\MWG.key" 2048

Loading 'screen' into random state - done

Generating RSA private key, 2048 bit long modulus

................................................................................

..........................................+++

.........................................................+++

e is 65537 (0x10001)

Enter pass phrase for C:\MWG.key:

Verifying - Enter pass phrase for C:\MWG.key:

>

Using this new key, I generated a new CSR using the following command:

>openssl req -new -key "C:\MWG.key" -out "C:\MWG.csr"

Enter pass phrase for C:\MWG.key:

Loading 'screen' into random state - done

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:OMIT

State or Province Name (full name) [Some-State]:OMIT

Locality Name (eg, city) []:OMIT

Organization Name (eg, company) [Internet Widgits Pty Ltd]:OMIT

Organizational Unit Name (eg, section) []:OMIT

Common Name (e.g. server FQDN or YOUR name) []:OMIT

Email Address []: (LEFT BLANK)

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: (LEFT BLANK)

An optional company name []: (LEFT BLANK)

>

I took this CSR up to our internal CA and downloaded the cert and cert chain in Base64 format (not DER).

Finally I put the new cert, private key and password into the MWG user interface certificate import window.

....and it worked. After I saved changes, MWG asked me to log out, which I did....

Restarted IE9 and the Cert Error is gone!

 

My best guess as to why this worked is how the private keys were being formatted.

   

The original private keys I was getting when requesting CSR at the same time were showing up like this:

-----BEGIN PRIVATE KEY-----

#########<OMITTED>###########################

-----END PRIVATE KEY-----

 

However, the key I generated in the way I showed up above gives you a format like this:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,#####

 

#########<OMITTED>#############################

-----END RSA PRIVATE KEY-----

The MWG may be looking for the RSA and RSA info in the private key file.

Hope that works for you!

8 Replies
jont717
Level 12

Re: MWG 7.3 User Interface Certificate Import Problem

I don't think you are missing anything.  I am having the exact same problem.

I am going to call McAfee and see what the issue is.  Has to be something with the changes on 7.3. 

0 Kudos
jont717
Level 12

Re: MWG 7.3 User Interface Certificate Import Problem

I have a case open and they are leading to the same issue.  My key file is just as yours.  It does not have RSA at the top or bottom. 

I am trying to convert it. 

0 Kudos
jont717
Level 12

Re: MWG 7.3 User Interface Certificate Import Problem

I got my private key to work.

Used the command:

openssl rsa -in File.key -out File.pem

then:

openssl rsa -in File.pem -des3 -out FileNew.pem  <---this allowed me to set a password

Sweet!

nick.olson
Level 9

Re: MWG 7.3 User Interface Certificate Import Problem

Glad to hear it worked!

0 Kudos
spinal
Level 7

Re: MWG 7.3 User Interface Certificate Import Problem

I'm having the same problem... when I follow the OP's directions, I can import the cert/private key/password and chain without an issue. When I then go to save the changes, it asks me if I want to save and log out, which I confirm.

I then get an error:

Save changes failed.

SYSCONF: There were 1 errors while generating configuration files: nested asn1 error

(/usr/lib/ruby/1.8/mwg-config/configs/konfiguratorcfg.rb:151:in 'initialise')

Any ideas?

Certs are signed on a microsoft CA, with Web Server templates...

0 Kudos
sroering
Level 13

Re: MWG 7.3 User Interface Certificate Import Problem

Make sure the certificate file is PEM encoded. It should begin/end with these tags.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Make sure the private key is in a PEM encoded RSA encrypted format. It should begin and end with these tags.

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

And make sure the chain file is PEM encoded and, if there is more than one CA in the hierarchy, make sure it is in the correct order with the root CA on the bottom.

-----BEGIN CERTIFICATE-----

XXXXXX sub-ca cert here

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

XXXXXX root CA cert here

-----END CERTIFICATE-----

If your files are not PEM encoded (binary), such as a pfx/p12 file, then you will need to convert them using the appropriate openssl command. If you need some help, let us know the current encoding of the file(s).

0 Kudos
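The checks discussed in this thread (PEM vs. binary, the "RSA PRIVATE KEY" label vs. the plain "PRIVATE KEY" label, and a chain file made only of CERTIFICATE blocks) can be run before touching the import dialog. The script below is an added example, not code from any poster or from McAfee; the function names and the sample strings are assumptions made up for illustration, and it only inspects PEM labels and headers, so it cannot confirm chain order.

```python
import re

# A PEM block: BEGIN line, optional headers (Proc-Type, DEK-Info), base64, END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, headers)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        headers = {}
        for line in body.splitlines():
            if ":" not in line:      # blank line or base64 ends the header section
                break
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        blocks.append((label, headers))
    return blocks

def check_key(text):
    """Classify a private-key file by the label the thread compares."""
    blocks = pem_blocks(text)
    if not blocks:
        return "not PEM (binary DER/PFX or empty): convert first"
    label, headers = blocks[0]
    if label == "RSA PRIVATE KEY":
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        return "traditional RSA key, " + ("encrypted" if encrypted else "no passphrase")
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return "PKCS#8 key (" + label + "), not the RSA PRIVATE KEY label"
    return "unexpected block: " + label

def check_certs(text, minimum=1):
    """Return problems in a certificate or chain file; an empty list means OK."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if len(labels) < minimum:
        problems.append("found %d PEM blocks, expected at least %d" % (len(labels), minimum))
    problems += ["non-certificate block: " + l for l in labels if l != "CERTIFICATE"]
    return problems

# Constructed samples: the bodies are placeholder base64, not real key material.
PKCS8 = "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,0011223344556677\n\nQUJD\n"
               "-----END RSA PRIVATE KEY-----\n")
CHAIN = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n" * 2

if __name__ == "__main__":
    for name, sample in (("PKCS8", PKCS8), ("TRADITIONAL", TRADITIONAL)):
        print(name, "->", check_key(sample))
    print("CHAIN ->", check_certs(CHAIN, minimum=2) or "OK")
```

For real files, read them with open(path, errors="replace") so that a binary DER or PFX file is reported as "not PEM" instead of raising a decode error.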
spinal
Level 7

Re: MWG 7.3 User Interface Certificate Import Problem

Thanks - got it sorted! Turns out, that the certificate chain has a mix of PFX and DER files. Sorted by importing everything into the mmc console and re-exporting it all.

0 Kudos