Requirement


For eG manager, the certificate chain (Root, Intermediate, and Domain cert) should be in a pfx format or crt format. Also, the certificate should have a private key. If the cert is created with an alias name, then the alias name is required.


Generating a CSR from the IIS Server:

  • In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
  • In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
  • On the server name Home page (center pane), in the IIS section, double-click Server Certificates.


  • On the Server Certificates page (center pane), in the Actions menu (right pane), click the Create Certificate Request link.
  • In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information specified below and then click Next:
    • Common name: Type the fully-qualified domain name (FQDN) (e.g., www.example.com).
    • Organization: Type your company’s legally registered name (e.g., YourCompany, Inc.).
    • Organizational unit: The name of your department within the organization. Frequently this entry will be listed as "IT", "Web Security," or is simply left blank.
    • City/locality: Type the city where your company is legally located.
    • State/Province: Type the state/province where your company is legally located.
    • Country: In the drop-down list, select the country where your company is legally located.
  • On the Cryptographic Service Provider Properties page, provide the information below and then click Next.
    • Cryptographic service provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
    • Bit length: In the drop-down list, select 2048, unless you have a specific reason for opting for a larger bit length.
  • On the File Name page, under Specify a file name for the certificate request, click the … box to browse to a location where you want to save your CSR.
  • When you are done, click Finish.
  • Use a text editor (such as Notepad) to open the saved CSR file.
  • Please request a certificate for Apache Tomcat from your team for the eG manager.

Install and Configure Your SSL Certificate in IIS Server

  • On the server where you created the CSR, save the SSL certificate .cer file (e.g., your_domain_com.cer) that your team sent to you.
  • In Internet Information Services (IIS) Manager, in the Connections menu tree (left pane), locate and click the server name.
  • On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
  • On the Server Certificates page (center pane), in the Actions menu, click the Complete Certificate Request link.
  • In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, do the following and then click OK:
    • File name containing the certificate authority's response: Click the … box and browse to and select the .cer file (e.g., your_domain_com.cer) that the team sent to you.
    • Friendly name: Type a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
    • Select a certificate store for the new certificate: In the drop-down list, select Personal.

                     

Now that you have completed the Certificate Request

Exporting the certificate to pfx format from IIS:

  • Log in to the server on which the certificate is installed.
  • In the Windows start menu, type mmc and open it.
  • In the Console window, in the top menu, click File > Add/Remove Snap-in.

  • In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add >.

  • In the Certificate snap-in window, select Computer account and then click Next.
  • In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish.
  • In the Add or Remove Snap-ins window, click OK.
  • In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), expand the Personal folder, and click the associated Certificates folder.
  • In the center pane, right-click on the certificate that you want to export/back up and then click All Tasks > Export.
  • In the Certificate Export Wizard, on the Welcome to the Certificate Export Wizard page, click Next.
  • On the Export Private Key page, select Yes, export the private key, and then, click Next.
  • On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX) and then check the box “Include all certificates in the certification path if possible”.
  • On the Security page, do the following:
    1. Password: Check this box.
    2. Confirm password: Then, create and confirm the password.

Note: This password will be required when you import the certificate with its private key.


 

  • On the File to Export page, click Browse. In the Save As window, locate and select the certificate file that you want to export and then click Save. Finally, on the File to Export page, click Next.
  • On the Completing the Certificate Export Wizard page, verify that the settings are correct and then, click Finish.
  • You should receive the "The export was successful" message.
  • The SSL certificate w/private key .pfx file is now saved to the location that you selected.
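
Before copying the .pfx to the eG manager, it is worth confirming that it meets the requirement stated at the top of this page: one certificate with a private key, plus the rest of the chain. The PowerShell check below is an added example, not part of the original guide or of any eG tooling; the function name Test-ExportedPfx and the path in the usage comment are placeholders.

```powershell
# Added example: inspect an exported .pfx without installing it into a certificate store.
# Test-ExportedPfx is a hypothetical name; it only uses standard .NET X509 classes.
function Test-ExportedPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # EphemeralKeySet keeps the private key in memory only (requires .NET Framework 4.7.2 or later).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    # Import throws if the password is wrong or the file is not a valid PKCS #12 container.
    $certs.Import((Resolve-Path -LiteralPath $Path).ProviderPath, $plain, $flags)

    # The domain certificate is the one that carries the private key;
    # every other entry is an intermediate or root from the certification path.
    $withKey = @($certs | Where-Object { $_.HasPrivateKey })
    $chain   = @($certs | Where-Object { -not $_.HasPrivateKey })
    if ($withKey.Count -ne 1) {
        throw "Expected exactly one certificate with a private key, found $($withKey.Count)."
    }
    if ($chain.Count -eq 0) {
        Write-Warning 'No chain certificates found: re-export with "Include all certificates in the certification path if possible" checked.'
    }

    $leaf = $withKey[0]
    [pscustomobject]@{
        Subject           = $leaf.Subject
        Thumbprint        = $leaf.Thumbprint
        NotAfter          = $leaf.NotAfter
        Expired           = $leaf.NotAfter -lt (Get-Date)
        HasPrivateKey     = $true
        ChainCertificates = @($chain | ForEach-Object { $_.Subject })
        # A self-signed entry (subject equals issuer) indicates the root is included.
        RootIncluded      = [bool]($chain | Where-Object { $_.Subject -eq $_.Issuer })
    }
}

# Usage (placeholder path); Read-Host keeps the password off the command line and out of history:
# Test-ExportedPfx -Path 'C:\temp\eGSSLcertificate.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
```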

Deploying the SSL certificate on the eG manager server:

  • On the eG Manager server, navigate to the egurkha\lib folder, find the stop_manager.bat file, right-click it, and then run it as administrator. This will stop the eG manager services.
  • Open a command prompt as an administrator and navigate to the location
    <eG Installed Drive>\eGurkha\manager\tomcat\conf
  • Take a backup of the existing server.xml file.
    Command: copy server.xml server-copy.xml
  • Open the server.xml file in Notepad.
     Command: notepad server.xml
  • Change the KeyStore name to match the name of the KeyStore file instead of egmanager.bin. Provide the full name of the KeyStore file, including the file format. Search in Notepad using the keyword "CertificateKeyStoreFile".
  • Change the entry certificateKeyStoreFile="webapps/eGmanager.bin" to "webapps/<KeyStore Name>".
    For example: "webapps/eGSSLcertificate.pfx"
  • Change the entry certificateKeyAlias="eGInnovations" to "<KeyStore Alias>". Remove this parameter if the certificate has no alias name.
  • Do not make any changes to the parameter certificateKeyStorePassword="${EgSslPassword}".
  • Save the server.xml file.
  • Now in the command prompt, navigate to the location <eG installed drive>\eGurkha\lib
  • Run the command EncryptedSSLPassword.bat
  • Enter the certificate password that was created while converting the certificate to pfx format.
    NOTE: You cannot paste into this prompt, and you cannot delete the first asterisk.
     
  • Copy the Encrypted password from this prompt and paste it into a new notepad.
  • In the command prompt, navigate to the location
     <eG installed drive>\egurkha\manager\tomcat\conf\ 
  • Take a backup of the file eg-enterprise.properties
    Command: Copy eg-enterprise.properties eg-enterprise-old.properties
  • Open the file eg-enterprise.properties in Notepad.
    Command: notepad eg-enterprise.properties
  • Paste the Encrypted password from the other notepad into this file.
    EgSSLPassword=<Enter the password from the notepad>
  • Save the file
  • Type the command start_manager to start the eG manager services.
  • Open a browser on the eG manager server and enter the manager URL (not localhost) with HTTPS:

          For example https://eg

          Also, verify on a separate system that the certificate is working.
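
For the check from a separate system, the PowerShell function below connects to the manager, completes a TLS handshake, and reports which certificate is actually being served and whether Windows trusts it. It is an added example, not part of the original guide; the function name Get-ServedCertificate, the host name in the usage comment, and the default port 443 are assumptions to adjust for your manager.

```powershell
# Added example: report the certificate the eG manager presents over HTTPS.
# Get-ServedCertificate is a hypothetical name; no HTTP request is sent, only a TLS handshake.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # the manager's name as users type it, not localhost
        [int] $Port = 443                            # assumption: change to the manager's HTTPS port
    )
    $seen = @{}
    # Record the result of Windows' own validation, but let the handshake finish
    # so the certificate can still be inspected when it is untrusted or mismatched.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($sender, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $true
    }.GetNewClosure())

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            # 'None' means the chain is trusted on this machine and the name matches $HostName.
            PolicyErrors = $seen.Errors
            # Subjects of the chain Windows built, leaf first.
            Chain        = $seen.Chain
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage (placeholder host name):
# Get-ServedCertificate -HostName 'egmanager.example.com' -Port 443
```

If Thumbprint does not match the certificate you exported, the manager is still serving its previous keystore; a PolicyErrors value other than None points to a missing chain certificate or a name mismatch.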