8 Replies Latest reply: Apr 28, 2014 10:55 AM by spinal

    MWG 7.3 User Interface Certificate Import Problem

    nick.olson

      Good Morning,

       

      For the past week or so I've been trying to get the User Interface Certificate import to work on MWG 7.3 (not for the SSL scanner, but so we stop getting prompted for a bad cert whenever we log into the user interface).

       

      I've generated a new private key and CSR in OpenSSL then took the CSR to our Internal CA (a MS AD Certificate Services Server).

      Something like "openssl req -nodes -newkey rsa:2048 -keyout mwg.key -out mwg.csr"

       

      I downloaded the cert and cert chain in Base64 from the CA.

       

      I then try to import the cert at Configuration -> User Interface -> User Interface Certificate.

      I clicked Import and browsed to the Cert and Private Key

       

      Clicked OK and I get the error "Error importing certificate: No Certificate or Private Key Found"

       

       

      I've tried several times generating new certs and trying to get them to import but without any luck getting it to import.

      I have even tried installing the cert directly from the CA to IE then exporting it.

      Also tried generating a self-signed cert and having the CA sign it and reimport it, but that also didn't work.

       

       

      There has to be something silly that I am missing.  Any ideas?

       

      Any help would be greatly appreciated.

       

      Thanks!

        • 1. Re: MWG 7.3 User Interface Certificate Import Problem
          jont717

          I don't think you are missing anything.  I am having the exact same problem.

           

          I am going to call McAfee and see what the issue is.  Has to be something with the changes on 7.3. 

          • 2. Re: MWG 7.3 User Interface Certificate Import Problem
            nick.olson

            I got it working!

             

             

            This is how I did it.

             

            I created a new key first using the following command (this will prompt you to create a password, which I gave it):

             

            >openssl genrsa -des3 -out "C:\MWG.key" 2048

            Loading 'screen' into random state - done

            Generating RSA private key, 2048 bit long modulus

            ................................................................................

            ..........................................+++

            .........................................................+++

            e is 65537 (0x10001)

            Enter pass phrase for C:\MWG.key:

            Verifying - Enter pass phrase for C:\MWG.key:

            >

             

             

            Using this new key, I generated a new CSR using the following command:

             

            >openssl req -new -key "C:\MWG.key" -out "C:\MWG.csr"

            Enter pass phrase for C:\MWG.key:

            Loading 'screen' into random state - done

            You are about to be asked to enter information that will be incorporated

            into your certificate request.

            What you are about to enter is what is called a Distinguished Name or a DN.

            There are quite a few fields but you can leave some blank

            For some fields there will be a default value,

            If you enter '.', the field will be left blank.

            -----

            Country Name (2 letter code) [AU]:OMIT

            State or Province Name (full name) [Some-State]:OMIT

            Locality Name (eg, city) []:OMIT

            Organization Name (eg, company) [Internet Widgits Pty Ltd]:OMIT

            Organizational Unit Name (eg, section) []:OMIT

            Common Name (e.g. server FQDN or YOUR name) []:OMIT

            Email Address []: (LEFT BLANK)

             

             

            Please enter the following 'extra' attributes

            to be sent with your certificate request

            A challenge password []: (LEFT BLANK)

            An optional company name []: (LEFT BLANK)

            >

             

             

            I took this CSR up to our internal CA and downloaded the cert and certchain in Base64 format (Not DER)

             

            Finally I put the new cert, private key and password into the MWG user interface certificate import window.

              ...and it worked. After I saved changes, MWG asked me to log out, which I did...

            Restarted IE9 and the Cert Error is gone!

             

             

            My best guess as to why this worked is how the private keys were being formatted.

               

            The original private keys I was getting when requesting CSR at the same time were showing up like this:

             

             

            -----BEGIN PRIVATE KEY-----

            8oomlFfFoCR0sqPuFKc9hQfa9Sf+tSAJjNE75RjtRX2tOpwx

            uhnny6rZC5hKF6dZ

            /Jln4M/NFqxtUCVyg5/dIUd3ZNVh+zwK

            ljBPAZiFevoE00kimulwQz3T/LySMOgP

            F5sQpYXXAgMBAAEC

            gEAHhU7TXXJdiskcxLzvLCMRUB1RDZ+tvHGEJoNZMuUaEC+#

            #########<OMITTED>###########################

            -----END PRIVATE KEY-----

             

             

            However, the key I generated in the way I showed up above gives you a format like this:

             

             

            -----BEGIN RSA PRIVATE KEY-----

            Proc-Type: 4,ENCRYPTED

            DEK-Info: DES-EDE3-CBC,#####

             

            #########<OMITTED>#############################

            LgVqLKnTsFvuQaf80oFymvuzsCG54xp/m/C5kcim

            vKBXIyJHRx62Op04aetILSFt

            PmafEb0UnR2WNARhl6WKMm#

            #########<OMITTED>#############################

            vrTv4jLbtvYoQtiELr9JXGb0lZwvkK7JyXOIbs7vctQW1Op

            j1YFCNUAv+

            vYXkjr0pVRvz8mtRbmZyhpMf6HA6ogjz07/St

            #########<OMITTED>#############################

            -----END RSA PRIVATE KEY-----

             

             

            The MWG may be looking for the RSA and RSA info in the private key file.

             

             

             

            Hope that works for you!

            • 3. Re: MWG 7.3 User Interface Certificate Import Problem
              jont717

              I have a case open and they are leading to the same issue.  My key file is just as yours.  It does not have RSA at the top or bottom. 

               

              I am trying to convert it. 

              • 4. Re: MWG 7.3 User Interface Certificate Import Problem
                jont717

                I got my private key to work.

                 

                Used the command:

                 

                openssl rsa -in File.key -out File.pem

                 

                then:

                 

                openssl rsa -in File.pem -des3 -out FileNew.pem  <---this allowed me to set a password

                 

                Sweet!

                • 5. Re: MWG 7.3 User Interface Certificate Import Problem
                  nick.olson

                  Glad to hear it worked!

                  • 6. Re: MWG 7.3 User Interface Certificate Import Problem
                    spinal

                    I'm having the same problem... when I follow the OP's directions, I can import the cert/private key/password and chain without an issue. When I then go to save the changes, it asks me if I want to save and log out, which I confirm.

                     

                    I then get an error:

                     

                    Save changes failed.

                    SYSCONF: There were 1 errors while generating configuration files: nested asn1 error

                    (/usr/lib/ruby/1.8/mwg-config/configs/konfiguratorcfg.rb:151:in 'initialise')

                     

                    Any ideas?

                     

                    Certs are signed on a microsoft CA, with Web Server templates...

                    • 7. Re: MWG 7.3 User Interface Certificate Import Problem
                      sroering

                      Make sure the certificate file is PEM encoded.  It should begin/end with these tags.

                      -----BEGIN CERTIFICATE-----

                      -----END CERTIFICATE-----

                       

                      Make sure the private key is in a PEM encoded RSA encrypted format.  It should begin and end with these tags.

                      -----BEGIN RSA PRIVATE KEY-----

                      -----END RSA PRIVATE KEY-----

                       

                      And make sure the chain file is PEM encoded and if there is more than one CA in the hierarchy, make sure it is in the correct order with the root CA on the bottom.

                      -----BEGIN CERTIFICATE-----

                      XXXXXX sub-ca cert here

                      -----END CERTIFICATE-----

                      -----BEGIN CERTIFICATE-----

                      XXXXXX root CA cert here

                      -----END CERTIFICATE-----

                       

                      If your files are not PEM encoded (binary), such as a pfx/p12 file, then you will need to convert them using the appropriate openssl command. If you need some help, let us know the current encoding of the file(s).
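
Added example, not part of any reply in this thread and not McAfee code: a Python pre-flight check of the three import files against the layout given in reply 7. It flags the `BEGIN PRIVATE KEY` header described in reply 2 and binary (DER or PFX/P12) input such as the chain in reply 8. The function names and sample bytes are constructed for illustration, and chain order is not checked.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(data):
    """Return (label, encrypted, b64_ok) for every PEM block in data."""
    blocks = []
    for label, body in PEM_RE.findall(data):
        # Encrypted traditional keys carry RFC 1421 headers (Proc-Type,
        # DEK-Info) before a blank line; Base64 itself never contains ':'.
        head, sep, rest = body.replace(b"\r", b"").partition(b"\n\n")
        if not (sep and b":" in head):
            head, rest = b"", body
        try:
            b64_ok = bool(base64.b64decode(b"".join(rest.split()), validate=True))
        except ValueError:
            b64_ok = False
        blocks.append((label.decode(), b"ENCRYPTED" in head, b64_ok))
    return blocks

def preflight(cert, key, chain):
    """List mismatches against the file layout described in reply 7."""
    problems = []
    for name, data, want in (("certificate", cert, "CERTIFICATE"),
                             ("private key", key, "RSA PRIVATE KEY"),
                             ("chain", chain, "CERTIFICATE")):
        blocks = pem_blocks(data)
        if not blocks:
            # 0x30 is the ASN.1 SEQUENCE tag that opens DER and PFX/P12 files.
            kind = "binary DER or PFX/P12" if data[:1] == b"\x30" else "unrecognised"
            problems.append(f"{name}: no PEM block, looks like {kind}")
        for label, encrypted, b64_ok in blocks:
            if label != want:
                problems.append(f"{name}: found '{label}', expected '{want}'")
            elif not b64_ok:
                problems.append(f"{name}: '{label}' body is not valid Base64")
            elif want == "RSA PRIVATE KEY" and not encrypted:
                problems.append(f"{name}: RSA key is not pass-phrase encrypted")
    return problems

# Constructed inputs: placeholder Base64, not real keys or certificates.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_PKCS8 = b"-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n"
SAMPLE_RSA = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: DES-EDE3-CBC,0011223344556677\n\nQUJD\n"
              b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CERT, SAMPLE_PKCS8, b"\x30\x82\x01\x0a"):
        print(problem)
```

An empty list from `preflight` means all three files match the tags listed in reply 7; it does not validate the key against the certificate.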

                      • 8. Re: MWG 7.3 User Interface Certificate Import Problem
                        spinal

                        Thanks - got it sorted! Turns out that the certificate chain has a mix of PFX and DER files. Sorted by importing everything into the mmc console and re-exporting it all.