Note: This guide is written for the new 12.70 version of Secure Access but works exactly the same with a NetMotion Mobility console. If you are using Mobility, use the Mobility Management Tool wherever the Secure Access Management Tool is referenced.
When submitting the CSR generated by the Secure Access Management Tool to an internal CA directly through the MMC.exe Certificates snap-in, you will get an error stating "The request contains no certificate template information."
If you are using an internal CA with Web Enrollment configured, the simplest method is to use that feature by following the directions found here: Configuring a CA-Signed Certificate
A video of this can be found here: Mobility Console - Signed Certificate Installation
If you are not using web enrollment, additional steps must be taken to sign the CSR.
These first steps will be done locally on the Secure Access server.
- Open the Secure Access Management Tool program
- Click on the third tab, Web Server
- Click on Server Certificate
- Under the Certificate Request heading, select New
- Fill in the information about your organization and site for the certificate
- Once the CSR has been generated, click the copy button to copy it to your clipboard
- Paste this text into a Notepad file and save it as a .txt file (the filename is irrelevant)
- Copy this .txt file to your CA or a location accessible from your CA
The next steps are taken locally on your CA
- Launch PowerShell in administrative mode
- Run the following command
certreq -attrib "CertificateTemplate:WebServer"
- You'll be prompted for a path to the CSR; select the text file created above
- You may be prompted to select your Certificate Authority; make sure to select the CA root certificate
- Last, you'll be prompted for where to save the response; choose your file name and save location. Success will look similar to the picture below
- Open a command prompt (not PowerShell) in administrative mode
- Export the CA's root certificate using the following command, changing the path and filename to whatever you prefer but keeping the .cer extension
certutil -ca.cert c:\RootCert.cer
- Copy both files to your Secure Access Server
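The two CA-side commands above can also be run non-interactively. The following PowerShell script is an added example and is not part of the NetMotion article: it names the CA explicitly with -config instead of using the picker, passes the template attribute, exports that CA's certificate, and checks that the issued certificate was actually signed by the exported CA before the files are copied. The paths, the CA name (host\CA common name, as shown by certutil -dump) and the template name are placeholders.

```powershell
# Added example, not the NetMotion article's own commands.
# Placeholders: adjust the paths, the CA config string and the template name.
param(
    [string]$CsrPath      = 'C:\Temp\secureaccess.txt',        # CSR text saved from the Management Tool
    [string]$ResponsePath = 'C:\Temp\secureaccess.cer',        # signed response to import as "Response"
    [string]$CaCertPath   = 'C:\Temp\RootCert.cer',            # CA certificate to import as "Root"
    [string]$CaConfig     = 'CAHOST.example.local\Example-CA', # "<host>\<CA common name>" (placeholder)
    [string]$Template     = 'WebServer'
)

$ErrorActionPreference = 'Stop'

# 1. Sanity-check the CSR: the pasted text must be a PEM-encoded request,
#    otherwise certreq fails with a less helpful message.
$csr = Get-Content -Path $CsrPath -Raw
if ($csr -notmatch 'BEGIN (NEW )?CERTIFICATE REQUEST') {
    throw "$CsrPath does not contain a PEM certificate request; re-copy it from the Management Tool."
}

# 2. Submit the request with the template attribute. -config selects the CA
#    directly; certreq writes the issued certificate to $ResponsePath.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $ResponsePath
if ($LASTEXITCODE -ne 0) { throw "certreq failed (exit $LASTEXITCODE); check that the template is enabled on the CA." }

# 3. Export the certificate of the CA that signed the request
#    (same operation as certutil -ca.cert in the article).
certutil -config $CaConfig -ca.cert $CaCertPath
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed (exit $LASTEXITCODE)." }

# 4. Confirm the issued certificate's issuer is the exported CA certificate,
#    so the pair imported as Root and Response belong together.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ResponsePath
$ca     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
if ($issued.Issuer -ne $ca.Subject) {
    throw "Issuer '$($issued.Issuer)' does not match the exported CA certificate '$($ca.Subject)'."
}
"Issued to $($issued.Subject), valid until $($issued.NotAfter). Copy $ResponsePath and $CaCertPath to the Secure Access server."
```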
The following is to be conducted on your Secure Access Server
- Return to the Secure Access Management Tool and the web server tab
- If it isn't still open, click on Server Certificate
- To the right of Root click Import
- Select the root certificate exported with certutil above
- If successful, the name of your CA will appear to the right of Root
- Click on Response above and select the response file saved by certreq above
- When completed, the window will look like below
- After clicking Close you will be prompted to restart the console. This will not disconnect any Secure Access connections.
A note about Firefox
If you are using Firefox as your browser, the certificate will not be trusted. You can allow Firefox to trust this certificate by going to about:config in the Firefox browser, searching for security.enterprise_roots.enabled and changing it to true. This allows you to connect to your console without getting a warning about untrusted certificates.
Comments
Not a comment on this article, but on the programming decisions: this is absurdly difficult and convoluted! What if you have a two-tier CA infrastructure with an issuing CA? What if you have a particular template you want to use? Why not just allow the ability to select an existing certificate with the correct name and attributes already present in the local machine's certificate store like one can with IIS? This looks like such a barrel of monkeys I'm not even going to try it... Just why?