
On-premise SSL Certificate Renewal Instructions

SSL Cert Instructions

1. Create a new certificate by going to the Administration tab > Web Server tab under "Console" > Manage Certificate button

A) Select "Create New Certificate".

Note - If you have already generated a certificate, generate a new one and overwrite the old one (you will get a pop-up stating that you are about to overwrite the old one; click "OK"). It is best to start from scratch.

B) After selecting "create new certificate" you will be prompted to enter some information. It is extremely important to ensure that certain fields are correct. These fields are:

1. Common Name - The hostname you will use to reach the on-premise console (ex. mycompany.rapid7console.com). It must exactly match the server name of the InsightVM deployment where the certificate will be installed. Do NOT include port numbers, http://, https://, etc.; the field must hold a bare hostname in commonName format. We do not support wildcard certificates. Note that current browsers check the Subject Alternative Name rather than the Common Name, which is why step 3 adds the same name as SAN data.

2. RSA Key Size - The size of the key pair the console generates for this certificate. It must satisfy your CA's policy (public CAs reject RSA keys shorter than 2048 bits). If you do not know the required value, look at an existing CA-signed web certificate from your company and view its details.

3. Signature Hash Algorithm - This must match what the CA signs the certificate with (for example SHA-256 with RSA). If you do not know this value, look at an existing CA-signed web certificate from your company and view its details. You will need the same value for the -sigalg option in step 3.

4. Valid for (years) - How many years you want the web certificate to remain valid before it expires. A CSR carries no validity period, so the CA decides the final lifetime of the signed certificate; this value only applies to the self-signed certificate the console generates in the meantime.

All the remaining fields can be filled out per your company's policy.

2. Next, you will be prompted to create the CSR.


3. Add SAN (Subject Alternative Name) data to the CSR as follows:

Open a terminal/shell and change to the bin directory of the JVM bundled with the console:

cd [install_dir]/rapid7/nexpose/_jvm1.8.0_XXX/bin

Take note of the JVM version, as it changes with product updates. Replace XXX with the highest version number among the _jvm1.8.0_* directories in the ..\nexpose directory (after upgrades there may be more than one). In this example, with _jvm1.8.0_332 installed, the command would be:

cd [install_dir]/rapid7/nexpose/_jvm1.8.0_332/bin

Once in the correct JVM bin directory, edit the keytool command below before running it. THE LINUX AND WINDOWS COMMANDS ARE DIFFERENT; USE THE ONE FOR YOUR PLATFORM. Only the following parts change:

Signature algorithm: change sha512WithRSA to what your CA requires, as determined in step 1 (sha256WithRSA, for example).

Keystore path: confirm the path to nscweb.ks, since the default installation path is sometimes changed to a custom location during installation.

SAN list: set the console's DNS name(s), comma separated if there are several, and the console's IP address if it should also be reachable by IP.

Output file: filename.csr can be any name you like.

DO NOT change the storepass "r@p1d7k3y$t0r3". Mind the quoting: the password contains a dollar sign, so on Linux it must stay in single quotes (inside double quotes bash would expand $t0r3 as an empty variable and send the wrong password). The Windows command is written for cmd.exe; if you run it from PowerShell, put the password in single quotes as well, because PowerShell also expands $t0r3 inside double quotes.

Windows:

keytool.exe -certreq -alias nscweb -sigalg sha512WithRSA -keystore "c:\Program Files\rapid7\nexpose\nsc\keystores\nscweb.ks" -storepass "r@p1d7k3y$t0r3" -ext san=dns:samplehostname.com,ip:127.0.0.1 -file filename.csr

Linux:

./keytool -certreq -alias nscweb -sigalg sha512WithRSA -keystore /opt/rapid7/nexpose/nsc/keystores/nscweb.ks -storepass 'r@p1d7k3y$t0r3' -ext san='dns:samplehostname.com,ip:127.0.0.1' -file filename.csr

Linux only - If keytool does not run, make sure it is executable:

chmod +x keytool

You will know the command succeeded when keytool prints its warning about the keystore format (and filename.csr appears in the bin directory). This warning is expected behavior.
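The whole of step 3 as a script, added here as an example (not Rapid7's own tooling): it picks the newest bundled JVM automatically, builds the -ext san=... value from the names you pass, and runs the keytool -certreq command above with the card's default storepass. It assumes a Linux install under /opt/rapid7/nexpose (override with NEXPOSE_HOME); the NEXPOSE_HOME variable and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Rapid7 tooling: drive the keytool -certreq step from the
# card with the JVM directory and SAN list worked out automatically.
# Assumptions: Linux install under NEXPOSE_HOME (default /opt/rapid7/nexpose),
# keystore alias nscweb, and the card's default storepass.

NEXPOSE_HOME="${NEXPOSE_HOME:-/opt/rapid7/nexpose}"
# Single quotes are deliberate: the password contains "$t0r3", which bash
# (and PowerShell) would expand as a variable inside double quotes.
STOREPASS='r@p1d7k3y$t0r3'

# Print the highest-versioned _jvm* directory under $1, or fail if none.
# Plain sort is lexical and would rank _jvm1.8.0_45 above _jvm1.8.0_332;
# sort -V compares the numeric parts so the newest JVM wins.
newest_jvm_dir() {
  local base="$1" dir
  dir=$(ls -d "$base"/_jvm* 2>/dev/null | sort -V | tail -n 1)
  [ -n "$dir" ] || return 1
  printf '%s\n' "$dir"
}

# Build the value for keytool's -ext san=... : the console hostname first,
# then any extra dns:NAME or ip:ADDR entries, comma separated. Every name
# or address users will type into the browser must be in this list.
san_ext() {
  local san="dns:$1" entry
  shift
  for entry in "$@"; do
    case "$entry" in
      dns:*|ip:*) san="$san,$entry" ;;
      *) echo "san_ext: expected dns:NAME or ip:ADDR, got '$entry'" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$san"
}

# generate_csr HOSTNAME SIGALG OUTFILE [dns:NAME|ip:ADDR ...]
# SIGALG is the signature algorithm the CA expects (step 1), e.g. sha256WithRSA.
generate_csr() {
  local host="$1" sigalg="$2" out="$3" jvm keystore san
  shift 3
  jvm=$(newest_jvm_dir "$NEXPOSE_HOME") \
    || { echo "generate_csr: no _jvm* directory under $NEXPOSE_HOME" >&2; return 1; }
  keystore="$NEXPOSE_HOME/nsc/keystores/nscweb.ks"
  [ -f "$keystore" ] || { echo "generate_csr: keystore not found: $keystore" >&2; return 1; }
  san=$(san_ext "$host" "$@") || return 1
  # keytool prints a warning about the keystore format on success; that is
  # the expected warning the card mentions.
  "$jvm/bin/keytool" -certreq -alias nscweb -sigalg "$sigalg" \
    -keystore "$keystore" -storepass "$STOREPASS" \
    -ext "san=$san" -file "$out"
}

# Run directly with arguments to generate a CSR, e.g.:
#   ./gen_csr.sh mycompany.rapid7console.com sha256WithRSA console.csr ip:10.0.0.5
if [ $# -gt 0 ]; then generate_csr "$@"; fi
```

The script refuses to run keytool if it cannot find a JVM directory or the keystore, so a custom installation path shows up as a clear error instead of a keytool stack trace.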

4. In <install directory>\nexpose\_jvmXXX\bin, grab/cat filename.csr and get it signed by the CA. Ask for the signed certificate base64 encoded in PEM format (text beginning with -----BEGIN CERTIFICATE-----). The file extension itself does not matter to the importer (.PEM, .CRT and .CER are common; a .DER-named file is fine only if its contents are actually PEM text). If the CA returns a binary DER file, convert it to PEM with openssl before importing.

Note - After the CA returns the signed certificate, you can confirm that the SAN data was carried through with openssl:

openssl x509 -text -noout -in SignedCert.crt

In the output, look for the Subject Alternative Name extension listing your names:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:samplehostname.com, IP Address:127.0.0.1

If that extension is missing, the CA dropped the SAN request and browsers will reject the certificate for the hostname (see troubleshooting item C).
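Checks to run on the signed certificate before importing it in step 5, added here as an example (not Rapid7's own tooling; it needs only openssl): is the file PEM, does its public key match the CSR from step 3 (and therefore the private key in nscweb.ks), is it not about to expire, and does its SAN carry every name the console will be reached by. The function names are this example's own, and it assumes the CSR file is still on disk.

```shell
#!/usr/bin/env bash
# Added example, not Rapid7 tooling: checks on the CA-signed certificate
# before it is imported in step 5. Needs only openssl. Assumes the CSR from
# step 3 is still on disk so the two public keys can be compared.

# Is the file a PEM-encoded certificate (what the importer accepts)?
cert_is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
    && openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# Does the certificate's public key equal the CSR's? If not, it was not
# issued for the key in nscweb.ks and the console cannot use it.
cert_matches_csr() {
  local cert="$1" csr="$2" a b
  a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  b=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Will the certificate still be valid in DAYS days (default 30)?
cert_not_expiring() {
  local cert="$1" days="${2:-30}"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Does the Subject Alternative Name contain the given dns:NAME or ip:ADDR?
# Parses the same "openssl x509 -text" output the card shows in step 4.
cert_has_san() {
  local cert="$1" want="$2" token
  case "$want" in
    dns:*) token="DNS:${want#dns:}" ;;
    ip:*)  token="IP Address:${want#ip:}" ;;
    *) echo "cert_has_san: expected dns:NAME or ip:ADDR" >&2; return 2 ;;
  esac
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 -F 'Subject Alternative Name:' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF -- "$token"
}

# precheck CERT CSR HOSTNAME [dns:NAME|ip:ADDR ...]
# Prints one PASS/FAIL line per check; returns non-zero if anything failed.
precheck() {
  local cert="$1" csr="$2" host="$3" rc=0 entry
  shift 3
  cert_is_pem "$cert"             && echo "PASS pem"      || { echo "FAIL pem: not a PEM certificate"; rc=1; }
  cert_matches_csr "$cert" "$csr" && echo "PASS key"      || { echo "FAIL key: public key differs from the CSR"; rc=1; }
  cert_not_expiring "$cert" 30    && echo "PASS validity" || { echo "FAIL validity: expires within 30 days"; rc=1; }
  for entry in "dns:$host" "$@"; do
    cert_has_san "$cert" "$entry" && echo "PASS san $entry" || { echo "FAIL san: $entry not in SAN"; rc=1; }
  done
  return "$rc"
}

# Run directly, e.g.:
#   ./precheck.sh SignedCert.crt filename.csr mycompany.rapid7console.com ip:10.0.0.5
if [ $# -gt 0 ]; then precheck "$@"; fi
```

A FAIL on the key check means the CA signed a different CSR (or the keystore was regenerated after the CSR was created); importing that certificate cannot work, so go back to step 1 rather than retrying the import.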

5. Once signed, import the certificate into InsightVM Administration tab > "Global and Console Settings" window > Administer > Web Server tab > Manage Certificate > Import Certificate

6. Restart the InsightVM console: go to Administration > Run and enter the console command:

restart

7. Wait a couple of minutes for the web services to restart, then browse to the InsightVM console. The certificate can be checked as soon as the web server is up, even while IVM is still loading.

8. (OPTIONAL) Troubleshooting steps: Having issues? See potential resolutions below:

A) Ensure the issuing CA's root certificate (and any intermediate CA certificate in the chain) is installed in the certificate store of the endpoint that is accessing the console.

If the endpoint still reports a certificate problem, expand "More Information" or "See Details" on the browser's certificate error page; the error code shown there tells you which check failed.

B) "There was an error while importing certificate. Make sure that the entered certificate is valid" - The certificate data is probably not clean. If the certificate was pasted into an Outlook message to get it to the person doing the import (such as the infrastructure team sending it to the nxadmin), the mail client will typically have altered line endings, whitespace or quoting, which is enough to break the import. Have the sender zip the certificate file and send that instead of the pasted text. On the receiving machine, open the file in Notepad and copy and paste its contents directly into IVM.

C) NET::ERR_CERT_COMMON_NAME_INVALID - Most likely the CA did NOT sign the SAN data. Open the certificate from the browser, go to Details, and check that the Subject Alternative Name field lists the hostname you are browsing to. Chrome (since version 58) and other current browsers ignore the Common Name and match only against the SAN, so a certificate with the right CN but no SAN still produces this error.
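For troubleshooting item B (and the DER vs. PEM point in step 4), a helper added here as an example (not Rapid7's own tooling; it needs only openssl) that turns whatever was received into a clean PEM file: it converts binary DER, strips a UTF-8 BOM, CR line endings and mail quoting, keeps only the BEGIN..END block, and round-trips the result through openssl so that only a parseable certificate is written. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Rapid7 tooling: normalise a certificate that arrived by
# e-mail, copy/paste or as binary DER into one clean PEM file for the
# importer. Needs only openssl.

# SHA-256 fingerprint, to confirm the cleaned file is the same certificate
# the CA issued (compare with the value shown in the CA portal).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# clean_cert INPUT OUTPUT: write a clean PEM copy of INPUT to OUTPUT.
# Returns 1 (and leaves no OUTPUT) if no parseable certificate is found.
clean_cert() {
  local in="$1" out="$2"
  # Case 1: binary DER. The card's extension list includes .DER, but the
  # importer wants base64 PEM text, so convert.
  if openssl x509 -in "$in" -inform DER -noout >/dev/null 2>&1; then
    openssl x509 -in "$in" -inform DER -outform PEM -out "$out"
    return
  fi
  # Case 2: PEM text mangled in transit. Delete CR and UTF-8 BOM bytes (EF BB
  # BF never occur in base64, so this is safe), keep only the BEGIN..END
  # block, strip mail quoting and leading/trailing whitespace, drop blank lines.
  LC_ALL=C tr -d '\r\357\273\277' < "$in" \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    | sed -e 's/^[[:space:]>]*//' -e 's/[[:space:]]*$//' \
    | grep -v '^$' > "$out" || :
  # Round-trip through openssl: rejects anything still broken and rewrites
  # the base64 body with standard 64-column wrapping.
  if openssl x509 -in "$out" -inform PEM -outform PEM -out "$out.tmp" 2>/dev/null; then
    mv "$out.tmp" "$out"
  else
    rm -f "$out" "$out.tmp"
    return 1
  fi
}

# Run directly, e.g.: ./clean_cert.sh pasted_from_outlook.txt SignedCert.crt
if [ $# -gt 0 ]; then clean_cert "$@" && cert_fingerprint "$2"; fi
```

Compare the printed fingerprint with the one your CA portal shows for the issued certificate; if they match, the cleaned file is what the CA signed and the import failure was purely a formatting problem.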
