InsightVM Certificate Invalid

Morning folks in R7 Land,

I’ve been trying to get this resolved, but I’ve hit a real wall on this one.

We have been getting cert errors for our APIs due to our self-signed cert not being approved by a CA. So I finally went ahead and submitted the CSR to my CA and uploaded the returned key value. Restarted the console. No change.

Using this reference document:

It is not accurate, or maybe I'm not aligning my request right. I've attempted to do the SAN section of the document since I figured I am getting this signed by my organization's CA.

### IMPORTANT

Consoles using externally signed (CA/non-CA) must have a SAN field. If the certificate is self signed, it does not require a SAN field.


```
cd [install_dir]/rapid7/nexpose/_jvm1.8.0_232/bin
```

No longer a valid folder. I do see something similar to it (`_jvm1.8.0_332`) and cd into it after `sudo -su` or `sudo -i`.

```
./keytool -certreq -alias nscweb -sigalg sha512WithRSA -keystore /opt/rapid7/nexpose/nsc/keystores/nscweb.ks -storepass 'r@p1d7k3y$t0r3' -ext san='dns:samplehostname.com,ip:127.0.0.1' -file filename.csr
```

If you attempt to run that, you get a permission denied error (I am doing this as the root user).

Any help on how to get this squared away would be much appreciated.

When you run that command, you need to swap out the dns name and IP to your actual values. Your command shows that you were still using the sample name and loopback address.

Also before you get to this step you should have already generated the new cert and CSR from the GUI.

Try making those changes and running again. The contents of that "filename.csr" are what you will need to copy/paste into your CA to be signed.

Hey John, long time no chat.

> When you run that command, you need to swap out the dns name and IP to your actual values. Your command shows that you were still using the sample name and loopback address.
>
> Also before you get to this step you should have already generated the new cert and CSR from the GUI.

Appreciate that clarification. That makes sense and adds up. I can modify the command to match my FQDN and Server IP. Do we need to include the port association on it?

To my second point in the post,


Any pointers?

Yes, you were right that the jvm version has changed so you were right to go into the updated folder name.

However, looking at the directory you're in, it doesn't match up with the command you're running and where it expects to find those files.

Judging by your screenshot, the top-level directory you show is "data", and we expect it to be installed in "opt". You should simply be able to swap out the directory name in the command.
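Putting the two corrections above together (real FQDN and IP in the SAN, and the install root and `_jvm*` folder that actually exist on the box), here is an added helper script; it is not from this thread or from Rapid7. It assumes the install root is `/opt/rapid7/nexpose` unless `NEXPOSE_DIR` is set, reuses the alias, keystore path, password and signature algorithm from the reference-doc command quoted in the first post, and only prints the keytool command for review rather than running it.

```shell
#!/bin/sh
# Added example, not from the thread or Rapid7. Builds the keytool -certreq
# command with real SAN values and the _jvm* folder that actually exists,
# and prints it for review instead of running it.
# Assumption: NEXPOSE_DIR defaults to /opt/rapid7/nexpose (override it,
# e.g. NEXPOSE_DIR=/data/rapid7/nexpose, for installs elsewhere).

NEXPOSE_DIR="${NEXPOSE_DIR:-/opt/rapid7/nexpose}"

# Find the bundled JVM's bin directory whatever its version suffix is
# (_jvm1.8.0_232 in the doc, _jvm1.8.0_332 on the poster's console).
find_jvm_bin() {
    for d in "$1"/_jvm*/bin; do
        [ -x "$d/keytool" ] && { echo "$d"; return 0; }
    done
    return 1
}

# Refuse the doc's placeholders: the signed cert only matches the console
# if the CSR's SAN carries the real FQDN and address, not the samples.
check_san_values() {
    case "$1" in ""|samplehostname.com) return 1 ;; esac
    case "$2" in ""|127.*) return 1 ;; esac
    echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'   # IPv4 shape
}

# SAN extension value: dns:<fqdn>[,dns:<alias>...],ip:<addr>
build_san() {
    fqdn="$1"; ip="$2"; shift 2
    san="dns:$fqdn"
    for extra in "$@"; do san="$san,dns:$extra"; done
    echo "$san,ip:$ip"
}

# Assemble the full command line (alias, keystore path, store password and
# signature algorithm are the ones from the reference doc quoted above).
build_certreq_cmd() {
    jvm_bin="$1"; fqdn="$2"; ip="$3"; out="$4"
    check_san_values "$fqdn" "$ip" || return 1
    printf "%s -certreq -alias nscweb -sigalg sha512WithRSA -keystore %s -storepass 'r@p1d7k3y\$t0r3' -ext san='%s' -file %s\n" \
        "$jvm_bin/keytool" "$NEXPOSE_DIR/nsc/keystores/nscweb.ks" "$(build_san "$fqdn" "$ip")" "$out"
}

# Usage: sh gen_csr.sh console.example.com 10.0.0.5 console.csr
if [ "$#" -eq 3 ]; then
    jvm_bin="$(find_jvm_bin "$NEXPOSE_DIR")" || { echo "no _jvm*/bin/keytool under $NEXPOSE_DIR" >&2; exit 2; }
    build_certreq_cmd "$jvm_bin" "$1" "$2" "$3" || { echo "refusing sample hostname or loopback address" >&2; exit 2; }
fi
```

Run the printed command from the JVM bin directory it names; `filename.csr` in that directory is then what goes to the CA.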

Switched the directory, got the following pipe


Perfect, that's expected. Grab the contents of the filename.csr in the directory you're in now; that's what you will send off to be signed by your CA.


Dope. I submitted to my CA now and will wait for them to provide return. I’ll update the thread once I know better. Thanks as always John for your insight :slight_smile:


So I got the signed CSR back from the CA. Performed a stop and start after the import.
The URL shows secure.

However, this is the issue we are seeing with API tools: