When you install Embotics® vCommander®, a Secure Sockets Layer (SSL) certificate is installed to the apache-tomcat web server that confirms the identity of the server when your users access the system. This default certificate is self-signed, which means that your users have to decide whether or not to trust it when they access Embotics vCommander, because no certificate authority (CA) has validated the server's identity by signing it with a CA certificate. As a result, users are prompted by their web browsers to make that decision.
Users can choose to trust the certificate, or you can generate and install a certificate signed by Active Directory Certificate Services that is automatically trusted by web browsers on domain members, by following the procedures below.
Remove the Default Self-Signed Certificate
The first thing that you must do is remove the default self-signed certificate that was created during the installation of Embotics vCommander, because it contains no details that uniquely identify your organization. Before doing so, take a snapshot of the Embotics vCommander server so that you can restore to a known good state if anything goes wrong.
- On the Embotics vCommander server, open a command prompt and browse to <INSTALL DIRECTORY>\Embotics\vCommander\jre\bin
- Issue the command keytool -delete -alias tomcat -keystore ..\..\tomcat\conf\keystore -storepass changeit. If your path includes a space, you must enclose the path in quotes.
Note: If the Embotics vCommander service was stopped prior to deleting the certificate, it cannot be started until you have completed the next procedure. Attempting to do so will result in exceptions about the missing certificate.
The next step is to install a new self-signed certificate which will contain details about your organization that must be shared with the certificate authority. This makes sure that when you create the signing request, all of your organization’s details are included in the tomcat web server.
- Still in the same directory used for the procedure above, issue the command keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3650 -keystore "C:\Program Files\Embotics\vCommander\tomcat\conf\keystore" -storepass changeit. If your path includes a space, you must enclose the path in quotes.
- You are prompted to provide and confirm the information the certificate contains.
- First and Last Name: Enter the fully qualified domain name (FQDN) of the vCommander server. For example, vcommander.embotics.com.
- Organizational Unit: The name of your department within the larger organization. For example, Engineering.
- Organization: The name of your organization. For example, Embotics Corporation.
- City or Locality: The city where your organization is based. For example, Ottawa.
- State or Province: The state or province where your organization is based. For example, Ontario.
- Two-letter Country Code: The country where your organization is based. For example, CA for Canada or US for the United States of America. Use the two-letter ISO 3166 country code.
- When prompted to confirm, enter y and press Enter.
Key Password for Alias: Embotics does not recommend using a separate key password; just press Enter to proceed past this prompt. keytool then gives the key the same password as the keystore, which is what Tomcat's default connector configuration expects.
Create the Certificate Signing Request
The next step is to create a certificate signing request (CSR) file which you will submit to Active Directory Certificate Services. The CSR carries your server's public key and identifying details so that the CA can validate them and issue a signed certificate.
- Still in the same directory used for the procedure above, issue the command keytool -certreq -keyalg RSA -alias tomcat -file embotics2017.csr -keystore "C:\Program Files\Embotics\vCommander\tomcat\conf\keystore" -ext san=dns:localhost,dns:sammy.pv.embotics.com,dns:sammy,ip:127.0.0.1,ip:10.10.10.78 -storepass changeit. If your path includes a space, you must enclose the path in quotes.
You must include at least one subject alternative name (SAN) for Google Chrome 58 and later to accept the certificate, because Chrome 58 and later ignore the Common Name and match the host name against the SAN only. To do so, replace the dns: and ip: values in the -ext san= portion of the command with the names and addresses that match your vCommander server (sammy.pv.embotics.com and 10.10.10.78 above are example values). Use commas to add as many alternative names as you require.
- Retrieve the .csr file created in the working directory (the name you gave with -file, embotics2017.csr in the command above) and provide it to Active Directory Certificate Services.
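The two procedures above (removing the default certificate, generating the new key pair, and creating the CSR with a SAN) can be run as one non-interactive PowerShell script, which makes the quoting of paths with spaces and the SAN list less error-prone. The following is an added example and not Embotics' own script; it assumes the default install directory and keystore password (changeit) from the procedure, and every organization value, host name and IP address in it is a constructed placeholder that you replace. It goes slightly beyond the procedure by supplying the distinguished name with -dname instead of answering keytool's prompts, and by printing the request afterwards so the SANs can be checked before submission.

```powershell
# Added example (not Embotics' own script): regenerate the Tomcat key pair and
# build the CSR non-interactively. All defaults below are assumptions/placeholders.
param(
    [string]$InstallDir = 'C:\Program Files\Embotics\vCommander',  # assumed install path
    [string]$Fqdn       = 'vcommander.example.com',                # constructed placeholder
    [string[]]$ExtraDns = @('vcommander', 'localhost'),            # constructed placeholders
    [string[]]$Ips      = @('127.0.0.1', '10.0.0.10'),             # constructed placeholders
    [string]$OrgUnit    = 'Engineering',
    [string]$Org        = 'Example Corp',
    [string]$City       = 'Ottawa',
    [string]$Province   = 'Ontario',
    [string]$Country    = 'CA',
    [string]$StorePass  = 'changeit',                              # default from the procedure
    [string]$CsrPath    = "$PWD\vcommander.csr"
)

$keytool  = Join-Path $InstallDir 'jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'tomcat\conf\keystore'
if (-not (Test-Path $keytool))  { throw "keytool not found at $keytool" }
if (-not (Test-Path $keystore)) { throw "keystore not found at $keystore" }

# keytool's -ext san=... takes a comma-separated list of dns:/ip: entries.
# De-duplicate so a host listed twice does not become a duplicate SAN entry.
$sanEntries = @("dns:$Fqdn") +
              @($ExtraDns | ForEach-Object { "dns:$_" }) +
              @($Ips      | ForEach-Object { "ip:$_" })
$san = ($sanEntries | Where-Object { $_ } | Select-Object -Unique) -join ','

# -dname supplies the same fields the interactive prompts ask for (CN = FQDN).
# PowerShell quotes the argument for the native exe because it contains spaces.
$dname = "CN=$Fqdn, OU=$OrgUnit, O=$Org, L=$City, ST=$Province, C=$Country"

# 1. Remove the default self-signed entry. On a re-run keytool reports that the
#    alias does not exist; that message is harmless.
& $keytool -delete -alias tomcat -keystore $keystore -storepass $StorePass

# 2. Generate a fresh 2048-bit RSA key pair under the tomcat alias.
#    -keypass equal to -storepass is what pressing Enter at the key password
#    prompt produces, and what Tomcat's default connector expects.
& $keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -validity 3650 -dname $dname `
    -keystore $keystore -storepass $StorePass -keypass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed (exit $LASTEXITCODE)" }

# 3. Create the CSR. The SAN extension must be given here: keytool does not copy
#    extensions from the self-signed certificate into the request.
& $keytool -certreq -alias tomcat -file $CsrPath -ext "san=$san" `
    -keystore $keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -certreq failed (exit $LASTEXITCODE)" }

# 4. Print the request so the subject and SAN list can be reviewed before it is
#    submitted to Active Directory Certificate Services.
& $keytool -printcertreq -file $CsrPath
Write-Host "CSR written to $CsrPath"
```

Run it from an elevated PowerShell prompt on the vCommander server after taking the snapshot mentioned above; the printed request is what the CA will see, so confirm the FQDN and every alternative name appear before submitting the .csr file.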
Submit the Request to Active Directory Certificate Services
Next, follow the steps below to submit the request to Active Directory Certificate Services.
- Connect to the Active Directory Certificate Services website and click Request a certificate.
- Click advanced certificate request.
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open the .csr file created in the previous section using Notepad or another text editor, and copy its contents into the Base-64-encoded certificate request text field. Choose Web Server as the Certificate Template.
If you are not offered the Web Server option under Certificate Template, you must update its permissions. See Updating Permissions for the Web Server Template below.
- Click Submit.
- Select Yes when the browser shows the prompt "The Web site is attempting to perform a digital certificate operation on your behalf. Do you want to allow this operation?"
- Select the DER encoded radio button and click Download certificate chain.
- Download and save the certificate to <INSTALL DIRECTORY>\Embotics\vCommander\jre\bin.
Import the Signed Certificates
In this next step, you will import the certificate that you downloaded in the previous section.
- Open a command prompt in the directory where you saved the certificate and issue the command keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore ..\..\tomcat\conf\keystore -storepass changeit using the correct filename for your .p7b file. If your path includes a space, you must enclose the path in quotes.
- When advised the certificate is not trusted, type yes and hit ENTER to indicate that you wish to install anyway.
- Restart the vCommander Windows Service.
Important: If you receive the error message keytool error: java.security.cert.CertificateException: java.io.EOFException, you most likely have a trailing space in your signed certificate. Open the certificate file in a text editor such as Notepad, remove any whitespace before or after the Base64-encoded content, and import the certificate again.
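The import and restart steps, together with the checks a practitioner wants afterwards (the keystore entry is now a chain rather than a single self-signed certificate, and the certificate Tomcat actually serves is trusted by the Windows certificate store and names the FQDN), can be scripted as follows. This is an added example, not Embotics' own script. It assumes the default install directory and keystore password, that the downloaded chain is at the path given by $P7bPath, that the vCommander Windows service can be found by a display name containing "vCommander", and that vCommander answers HTTPS on port 443; the FQDN is a constructed placeholder. The whitespace guard at the top handles the EOFException case described in the note above for a Base64 .p7b; a DER file is binary and is left untouched.

```powershell
# Added example (not Embotics' own script): import the AD CS-issued chain into the
# Tomcat keystore, restart the service, and verify the served certificate.
param(
    [string]$InstallDir = 'C:\Program Files\Embotics\vCommander',  # assumed install path
    [string]$P7bPath    = "$PWD\certnew.p7b",                      # file saved from AD CS
    [string]$Fqdn       = 'vcommander.example.com',                # constructed placeholder
    [int]$Port          = 443,                                     # assumed HTTPS port
    [string]$StorePass  = 'changeit'                               # default from the procedure
)

$keytool  = Join-Path $InstallDir 'jre\bin\keytool.exe'
$keystore = Join-Path $InstallDir 'tomcat\conf\keystore'

# Guard against the EOFException above: a Base64 (PEM-style) file that starts with
# "-----BEGIN" is trimmed of leading/trailing whitespace; DER (binary) is untouched.
$bytes = [System.IO.File]::ReadAllBytes($P7bPath)
if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x2D) {   # 0x2D is '-'
    $text = [System.IO.File]::ReadAllText($P7bPath).Trim()
    [System.IO.File]::WriteAllText($P7bPath, $text + "`r`n")
}

# Import the reply into the existing key entry; -noprompt answers the
# "install reply anyway?" question the procedure tells you to answer with yes.
& $keytool -importcert -trustcacerts -alias tomcat -file $P7bPath `
    -keystore $keystore -storepass $StorePass -noprompt
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed (exit $LASTEXITCODE)" }

# The tomcat entry should now report a chain length greater than 1 and an
# Issuer that is your CA, not the server itself.
& $keytool -list -v -alias tomcat -keystore $keystore -storepass $StorePass |
    Select-String 'Certificate chain length|Owner:|Issuer:|DNSName|IPAddress'

# Service display name is assumed; adjust the filter if yours differs.
Get-Service | Where-Object { $_.DisplayName -like '*vCommander*' } | Restart-Service

# Connect as a client would and report what Tomcat now serves. Trust is evaluated
# against the Windows store of the machine running this check, so run it from a
# domain-joined client to see what domain members will see.
function Test-VCommanderTls {
    param([string]$Hostname, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        # Accept everything during the handshake so the certificate can be
        # inspected; trust is evaluated explicitly below with X509Chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Hostname)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            SubjectAltName = $san
            NameInSan      = [bool]($san -match ('DNS Name=' + [regex]::Escape($Hostname)))
            ChainTrusted   = $trusted
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally { $client.Close() }
}

Test-VCommanderTls -Hostname $Fqdn -Port $Port | Format-List
```

A healthy result shows ChainTrusted True with an empty ChainStatus, NameInSan True, and an Issuer that is your enterprise CA. ChainTrusted False with a status of UntrustedRoot means the client does not have the CA certificate in its trusted roots, which is the same condition the Firefox section below addresses for that browser's separate trust store.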
Updating Permissions for the Web Server Template
To update the permissions that allow users to enroll with the Web Server template, follow the steps below.
- On the CA server, click Start and issue the command certsrv.msc.
- Expand the tree under your CA server.
- Right-click Certificate Templates and choose Manage.
- In the Contents pane, right-click the Web Server template and choose Properties.
- Switch to the Security tab and click Add.
- In Enter the object names to select, type the name of the security group that contains the users allowed to request certificates, and click OK.
- In Permissions, choose Enroll under Allow and then click OK.
Firefox and Trusting the Root Certificate
If you are using Firefox, you may still receive warning messages about the installed certificate once you complete the other steps. If so, the browser does not yet trust the issuing certificate authority, because Firefox keeps its own certificate store rather than using the Windows store that domain membership populates. To correct this, follow the procedure below.
- Connect to the Active Directory Certificate Services website using Firefox. If prompted, enter your domain credentials and click OK.
- Click Download a CA certificate, certificate chain, or CRL.
- Click Install this CA certificate at the top of the page. There are multiple links with this label on the page; use the one at the top.
- Check Trust this CA to identify websites and click OK.