SMC 3.x New Installation -- How to create a certificate request?

Question

Doing an installation of SMC 3.0.0.6, and want to use a trusted issuer certificate so that Android phones witll work properly with this... but, no GUI or instructions (anywhere that I can find, KB, docs, etc.) on how to generate a proper CSR request that will leave me with the private key needed to import a cert into the system during setup. My cert provider had a procedure for Tomcat, and that seemed to halfway work (keytool was there)... but I don't have a .pem file to "feed' the install wizard when it prompts for it. This should really be documented better.

Anyway, anyone have a clue?

This thread was automatically locked due to age.

RL · Accepted Answer

After posting the steps provided by Sophos I thought I'd give this a whirl myself. Well, after a few failed attempts (mainly with Step C) I managed to get it all up and running....

Beforehand I’’’’d like to point out our environment as you may need to change the directories in the example below to match your set-up:

We are already running SMC version 3.0.0.6 (so it’’’’s been set-up using a self signed cert) 
 Server is Windows 2012 Standard x64 
 Java v7.x 
 We downloaded the Root and Intermediate cert files from the signing CA. 
 We are not using wildcards certs (See above post if you need notes on this) 
 
 NB. Some CA’’’’s chain the Root and Intermediate certs together.

So, onwards and upwards...

For the purpose of this example we'll call the domain smc.domain.com

NB: Please run the following steps from the Sophos Mobile Control server as the local or domain administrator.

Step A - Create a new keystore

You will be using the keytool command to create your new key-CSR pairing...

From the ‘‘‘‘ C:\Program Files\Java\jre7\bin’’’’ directory on the Sophos SMC Server enter the following at the command prompt:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore smc.domain.com.jks

2. Enter a keystore password (make note of this password for future use) 
 3. You will be prompted for the DN information. 
 4. Please note: when it asks for first and last name, this is not YOUR first and last name, but rather your domain name and extension (i.e., smc.domain.com). 
 5. Confirm that the information is correct by entering 'y' or 'yes' when prompted. Next you will be asked for your password to confirm. Make sure to remember the password you choose. 
 Step B - Generate your CSR with your new keystore

Next, use keytool to actually create the Certificate Signing Request...

From the ‘‘‘‘ C:\Program Files\Java\jre7\bin’’’’ directory on the Sophos SMC Server enter the following at the command prompt:

keytool -certreq -alias server -keyalg RSA -file smc.domain.com.csr -keystore smc.domain.com.jks

2. Enter the keystore password. 
 3. Then the SSL Certificate CSR file is created and ready to be submitted to your web hosting provider. - Just open the smc.domain.com.csr file in the ‘‘‘‘ C:\Program Files\Java\jre7\bin’’’’ directory using something like notepad and copy all the text and submit this to your Certificate Authority. 
 Step C - Generating your Private Key file from your new keystore

Generate the RSA private key from your keystore file...

From the ‘‘‘‘ C:\Program Files\Java\jre7\bin’’’’ directory on the Sophos SMC Server enter the following at the command prompt:

keytool -v -importkeystore -srckeystore smc.domain.com.jks -srcalias server -destkeystore smc.domain.com . p12 -deststoretype PKCS12

2. Enter a private key password (make note of this password for future use) 
 3. Enter the keystore password set in Step A2 above. 
 ! [ Storing smc.domain.com .p12] message appears if successful.

Open open the P12 file in order to copy the RSA private key information to your .key file.... 
 
 4. Copy the ‘‘‘‘smc.domain.com . p12’’’’ file from ‘‘‘‘ C:\Program Files\Java\jre7\bin’’’’ directory to: ‘‘‘‘ C:\Program Files (x86)\Sophos\Sophos Mobile Control	ools\Wizard\certs’’’’ 
 5. From the ‘‘‘‘ C:\Program Files (x86)\Sophos\Sophos Mobile Control	ools\Wizard\certs’’’’ directory enter the following command:

openssl pkcs12 -in smc.domain.com.p12 -nocerts –nodes

6. Enter the private key password you set in Set C2 above. 
 ! This will display your RSA Private Key information:

7. Next you will need to copy the RSA Private Key text (see example in PINK below) and paste it into a text file.

8. Name this text file smc.domain.com.key and save to ‘‘‘‘ C:\Program Files (x86)\Sophos\Sophos Mobile Control	ools\Wizard\certs’’’’ 
 Step D – Add the signed CA certificate to the Sophos Mobile Control solution

Run the Sophos Mobile Control installer again 
 Click Yes when prompted to confirm you want to reconfigure the database 
 Click Yes to confirm that you want to stop the service 
 Skip the database configuration 
 Select the option to Configure Service Certificate 
 Choose the option to Import a certificate from a trusted provider 
 From the drop down choose to import the separate files (I forgot the wording) 
 Import the signed certificate you should have received back from your trusted CA. (Normally a .crt file with your domain in it, E.g. smc.domain.com.crt) 
 Import the smc.domain.com.key private key file from ‘‘‘‘ C:\Program Files (x86)\Sophos\Sophos Mobile Control	ools\Wizard\certs’’’’ (Created in Step C5 above) 
 Import the Trusted CA Root certificate and if needed the Trusted CA Intermediate certificate. As mentioned before, some CA’’’’s bundle these as one .crt file. If so, just add this to the Root CA option in the wizard. 
 Enter the private key password 
 Follow the wizard to the end and once the services have successfully started you should now have https://smc.domain.com up and running with a signed SSL certificate. 
 
 Happy days,

Kind regards,

John

P.S. Please feel free to update this thread if I've made any errors, and I will correct the post accordingly. :40667

SMC 3.x New Installation -- How to create a certificate request?

Step A - Create a new keystore

Step B - Generate your CSR with your new keystore

Step C - Generating your Private Key file from your new keystore

Step A - Create a new keystore

Step B - Generate your CSR with your new keystore

Step C - Generating your Private Key file from your new keystore

Submitted a Tech Support Case lately from the Support Portal?