
Enforce Server Console SSL Certificate Issued to "Localhost"

Created: 26 Mar 2013 • Updated: 26 Mar 2013 | 9 comments
This issue has been solved. See solution.

I saved the certificate and imported it into an Active Directory GPO to be trusted so it would not need to be manually imported into each browser. When I tested it, it didn't work and I noticed it was because the name on it is "localhost" instead of the server name.

How can I get this certificate changed to a valid server name?


stumunro

Not to sound silly, but will everyone be using the local host console? Or will they be using the endpoint and accessing it through a web browser at https://enforce? What you are asking for I don't now believe is possible with a SAN cert.

John_Gruhn

What you are looking for is described in the install guide starting on page 96 (Windows) or 94 (Linux). I'm assuming that you have the 11.6 guides. The topic to look for is "About server security and SSL/TLS certificates". The summary of that is that you use keytool to create a new .keystore file which you then put into Vontu\Protect\tomcat\conf and restart the Vontu Manager service on Enforce. Once you have that cert put into Enforce, then re-export it and import it into your GPO.

NetUser

ssldlp.JPG

I had already created custom certs with the tool provided with DLP and copied the custom cert to each monitor server.

The certificate I'm talking about is the SSL cert used by the web browser.

Because it is labeled as "localhost" it cannot be a trusted ssl cert when using the browser from another workstation since you cannot use "localhost" as the server name from a remote computer.

I would need some way to change the SSL cert to one that uses the real host name instead of localhost.

John_Gruhn

The directions I mentioned in my previous post are for the Enforce browser certificate. If you change the common name in the cert to the name of the server instead of localhost then by following those directions it does what you need.

pete_4u2002

Well, when you try to access the console from a remote machine this will still work. Instead of localhost you need to provide the IP address or HOSTNAME.

stumunro

Certs resolve to a name, not an IP address; this is why I asked the question earlier: does it work if he uses a remote machine...

NetUser

I can reach the web page from a remote host by typing the host name. I know that I cannot use the host name of localhost from a remote computer and I am not trying to do that.

The issue is that the SSL certificate is labeled as localhost, as the picture I posted shows, so I get SSL cert warnings when I go to the Enforce login page that I have to click through before logging in.

I would like to find out how to change the certificate so it is the Enforce server host name instead of "localhost", so the certificate name will match the URL I use to access the page.

I cannot use the IP address if I want to load the Enforce page without SSL warnings. It must be the DNS host name and it must match what the certificate says.

I want to load the page as https://enforceserver and have the certificate be trusted with no warnings in the browser.

pete_4u2002

I believe in that case you need to use the CA signed or create a new certificate with hostname mentioned in the above article.
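The name check that the thread turns on, as an added example that is not part of any post above: it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and decides whether it is valid for the host part of the URL. The two sample certificates, the `corp.example` domain and the IP address are constructed for illustration; `enforceserver` is the host name used in the thread.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive compare; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")   # a wildcard covers exactly one label
    return bool(head) and rest == p[2:]

def cert_matches(cert, name):
    """True if `cert` (getpeercert()-style dict) is valid for URL host `name`."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(name):
        # An IP in the URL only matches an "IP Address" SAN entry, never a DNS name.
        want = ipaddress.ip_address(name)
        return any(k == "IP Address" and ipaddress.ip_address(v) == want
                   for k, v in sans)
    dns = [v for k, v in sans if k == "DNS"]
    if dns:
        return any(_dns_match(d, name) for d in dns)
    # Legacy fallback to the subject commonName when no DNS SAN is present.
    # Current browsers skip this step, so a replacement cert should carry a SAN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(_dns_match(cn, name) for cn in cns)

# Constructed sample: a default certificate issued to "localhost".
SHIPPED = {"subject": ((("commonName", "localhost"),),)}

# Constructed sample: a replacement issued to the real host name.
REPLACED = {
    "subject": ((("commonName", "enforceserver"),),),
    "subjectAltName": (("DNS", "enforceserver"),
                       ("DNS", "enforceserver.corp.example")),
}

if __name__ == "__main__":
    for label, cert in (("shipped", SHIPPED), ("replaced", REPLACED)):
        for host in ("localhost", "enforceserver", "192.0.2.10"):
            print(f"{label:9} https://{host:14} -> {cert_matches(cert, host)}")
```

Trusting the certificate through a GPO only settles the issuer question; the name check above is evaluated separately, which is why a trusted "localhost" certificate still produces a warning for https://enforceserver.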