Websense Web Security SSL Certificates : Working with a Certificate Authority

Working with a Certificate Authority

Topic 50144 / Updated: 10-Jun-2010

Applies To:

Websense Web Filter 7.5 Websense Web Security 7.5

If you have installed TRITON - Web Security, your installation includes a copy of OpenSSL, a tool that can be used to generate keys, signing requests, and SSL certificates. The script files installed with the tool (described in Generating self-signed SSL certificates) can be used to generate a local certificate, but may not generate a key strong enough to be accepted by third-party Certificate Authorities.

The procedures below include sample OpenSSL commands that you can use to:

Generate a key and certificate signing request, and install the certificate

Generate a 2048-bit RSA private key using AES 256-bit encryption

Because OpenSSL is a third-party product, refer to the OpenSSL documentation (available at openssl.org) for complete information specific to your version of OpenSSL.

Overview of the certificate process

This procedure uses the Windows Certificate Authority as an example to illustrate the process.

1.	Open a command prompt and navigate to the directory containing the openssl executable.

The program is located by default in the Websense\apache\conf\ssl\ directory on the TRITON - Web Security machine.

2.	Use the following command to create a signing request and encrypted key:

openssl req -out mycsr.csr -pubkey -config "C:\Program Files\Websense\apache\conf\ssl\openssl.cnf" -new -keyout mykey.key -nodes

Substitute the appropriate path for the default Windows path shown in the example, and provide the following information when prompted:

Information Type	Description
<country code>	If your organization is located in the United States, for example, enter US.
<state code>	If your organization is located in California, for example, enter CA.
<city name>	For example, SanDiego.
<organization>	For example, MyCompany
<organizational unit>	This may be a repeat of the organization name.
<server IP address>	The IP address of the TRITON - Web Security machine.
<email address>	For example, info@mycompany.com.
<challenge password>	Leave this entry blank.
.	Enter a single period (".") character.

3.	Use the following command to strip the key of its encryption:

openssl rsa -in mykey.key >> mykey-nocrypt.key

4.	Open the request file (in the example, mycsr.csr) and send it to the Certificate Authority (CA).

5.	Use the Windows Certificate Authority's Web-based certificate process to import the certificate request and issue a Web server certificate.

6.	Download the DER x509 certificate, when prompted.

7.	Use the following command to convert the downloaded DER certificate to PEM certificate:

openssl x509 -inform der -in certnew.cer -out MYCERT.pem

8.	Rename the mycert.pem file to server.crt, and then rename the mykey-nocrypt.key file to server.key.

If you have generated this certificate for use with TRITON - Web Security:

1.	Move server.crt to the Websense\Apache\conf\ssl\ssl.crt\ directory.

2.	Move server.key to the Websense\Apache\conf\ssl\ssl.key\ directory.

3.	Restart the Apache and Tomcat services or daemons:

Windows: Use the Windows Services dialog box to restart the Apache2Websense and ApacheTomcatWebsense services.

Linux: Use the /opt/Websense/WebsenseDaemonControl script to restart TRITON - web.

Generating a strong key

If you have submitted a certificate signing request (CSR) but received a weak key error, use the following steps to generate a strong key:

1.	Open a command prompt and navigate to the directory containing the openssl executable.

The program is located by default in the Websense\apache\conf\ssl\ directory on the TRITON - Web Security machine.

2.	To generate a 2048-bit RSA private key using AES 256-bit encryption, enter the following command:

openssl genrsa -aes256 -out server.key 2048

3.	To generate the certificate request using your key, enter the following command:

openssl req -new -key server.key -sha1 -out myrequest.csr

Substitute a meaningful name for myrequest.csr.

4.	Submit the CSR to your Certificate Authority.

Websense Web Security SSL Certificates : Working with a Certificate Authority