Generating self-signed SSL certificates

Websense Web Security SSL Certificates : Generating self-signed SSL certificates

Generating self-signed SSL certificates

Topic 50143 / Updated: 10-Sep-2010

Applies To:

Websense Web Filter 7.5

Websense Web Security 7.5

.When you generate an SSL certificate, the general steps are:

1.

Generate a private key (server.key).

2.

Generate a Certificate Signing Request (CSR) with the private key. IMPORTANT When prompted for the CommonName, enter the IP address of the Filtering Server machine. If you skip this step, client browsers will display a security certificate error.

3.

Use the CSR to create a self-signed certificate (server.crt).

4.

(For TRITON - Web Security) Use the CSR to create a key store file (manager.p12).

This file is not required for secure manual authentication.

Websense, Inc., provides an OpenSSL toolkit with script files that can be used to simplify the certificate creation process.

If you prefer to create the certificate without using the script files, you can still use OpenSSL. Clear instructions for using the OpenSSL toolkit to generate a certificate are available from www.akadia.com/services/ssh_test_certificate.html.

Use scripts to generate a self-signed certificate

When TRITON - Web Security is installed, an OpenSSL toolkit is installed automatically, including a series of script files that can be used to simplify the certificate generation process.

To use the scripts to generate custom certificates:

1.

On the TRITON - Web Security machine, navigate to the apache/conf/ssl directory (C:\Program Files\Websense\apache\conf\ssl or /opt/Websense/apache/conf/ssl/, by default).

2.

Open the openssl.txt file in a text editor.

3.

Edit the file as appropriate to change the input information used to generate the certificate and key. The file contains the following information:

Information Type

Description

<country code>

If your organization is located in the United States, for example, enter US.

<state code>

If your organization is located in California, for example, enter CA.

<city name>

For example, SanDiego.

<organization>

For example, MyCompany

<organizational unit>

This may be a repeat of the organization name.

<server IP address or name>

The IP address or hostname of the machine where TRITON - Web Security or, for secure manual authentication, Filtering Service, is running.

<email address>

For example, info@mycompany.com.

<challenge password>

Leave this entry blank.

.

Enter a single period (".") character.

An edited file might look like:

US
MA
Boston
MyCompany'sCN
MyCompany'sO

MyCompany'sOU
MachineHostName_IPAddress_or_Alias
info@mycompany.com
pw_generation_string

.

Important

Do not omit the period (".") that is the last line of the input file.

4.

Save and close the file.

5.

Navigate to the Websense/apache/conf/ssl/automation/ directory.

6.

If you are generating certificates for use with TRITON, run each of the script files in the directory in order. If you are generating certificates to enable secure manual authentication, run the s1 through s3 scripts in order (you do not need to generate the files created by the remaining scripts).

Windows:

a.

s1_newreq.bat

b.

s2_server_key.bat

c.

s3_server_crt.bat

d.

s4_server_p12.bat

e.

s5_server_cert_txt.bat

Linux:

a.

s1_newreq.sh

b.

s2_server_key.sh

c.

s3_server_crt.sh

d.

s4_server_p12.sh

e.

s5_server_cert_txt.sh

7.

Navigate to the Websense/apache/conf/ssl/output/ directory.

8.

Copy the new .crt, .key, .p12, and cert.txt files to the appropriate directories.

If you are using the files for TRITON - Web Security, the directories are:

Websense/apache/conf/ssl/ssl.crt/server.crt

Websense/apache/conf/ssl/ssl.key/server.key

Websense/tomcat/conf/keystore/tomcat/manager.p12

Websense/Manager/OnlineHelp/en/certificateSupport/cert.txt

If you are using the files to enable secure manual authentication, copy the server.crt and server.key files to the Websense bin directory on the Filtering Service machine (/opt/Websense/bin/ or C:\Program Files\Websense\bin, by default).

9.

Do one of the following:

If you generated a certificate for use with TRITON - Web Security restart the Apache and Tomcat services or daemons.

Windows: Use the Windows Services dialog box to restart the Apache2Websense and ApacheTomcatWebsense services.

Linux: Use the /opt/Websense/WebsenseDaemonControl script to restart TRITON - web.

If you generated a certificate for use with secure manual authentication, see Enabling secure manual authentication.

Applies To:	Websense Web Filter 7.5 Websense Web Security 7.5

Information Type	Description
<country code>	If your organization is located in the United States, for example, enter US.
<state code>	If your organization is located in California, for example, enter CA.
<city name>	For example, SanDiego.
<organization>	For example, MyCompany
<organizational unit>	This may be a repeat of the organization name.
<server IP address or name>	The IP address or hostname of the machine where TRITON - Web Security or, for secure manual authentication, Filtering Service, is running.
<email address>	For example, info@mycompany.com.
<challenge password>	Leave this entry blank.
.	Enter a single period (".") character.

	Important Do not omit the period (".") that is the last line of the input file.

Quick Links

Websense Web Security SSL Certificates : Generating self-signed SSL certificates