Need some assistance on certificates regarding our on prem InsightVM instance. We are failing the SANs check through the browser (Edge) which is making the portal come up NotSecure. We also notice when we transition to the Platform page exposure-analystics.insight.rapid7.com we are seeing the same issue. I am thinking it has to possibly be due to our on prem cert that may have not been done properly when implemented even though the SAN attribute looks to be there. Following this doc Managing the Security Console | InsightVM Documentation i am not able to understand the process on uploading a new cert from our on prem CA. in the console under manage Certificates i jumped to step 2 and generated a CSR and took that to our CA and retrieved a certificate. Now i need to upload it into our console and there seems to not be a way. Step 3 Import Cert/Cert chain its asking for CSR info not the actual Certificate we generated from Step2. Is there a step we are missing. I see below that there is a process to use the Keytool but i would think that would be after we ingest our newly created cert into the web server. Support provided us with this On-premise SSL Certificate Renewal Instructions | Guru (getguru.com) document but again its asking us to create the cert in step 1 but all i took was the CSR from step 2 and retrieved a cert already. Any help or direction would be appreciated,.
So using that same documentation, scroll down to the section where it says “Setting the SAN information” which is usually required for a local CA.
Basically the steps are this:
Create new cert in InsightVM
Generate the CSR (no need to copy it from here)
RDP/SSH to the console and sign the CSR with the internal keytool
Take that new CSR and get it signed by the CA with the Base64 returned
Paste the Base64 cert back into InsightVM
Thank You for the Quick response. So you do need to perform Step 1 in the Document. I skipped Step 1 and performed step 2 recieving the CSR then took that and put it into our CA and recieved a Cert. I extracted that cert info and put it into Step 3. Then proceeded to Step 4 on the local insight Server. So it sounds like i need to do step 1 regardless. Then do not do step 2. Follow to step 4 and get the CSR from the keytool and take that CSR and request a cert from my CA?
I dealt with a similar issue two times and the most recent one R7 support was not that helpful.
In order to use our own internally signed CA cert, I had to modify the CSR generated by the R7 Security Console with subject alternative name (SAN) this way before submitting CSR to our CA:
root@hostname:/opt/rapid7/nexpose/_jvm1.8.0_402/bin# chmod +x ./keytool
root@hostname:/opt/rapid7/nexpose/_jvm1.8.0_402/bin# ./keytool -certreq -alias nscweb -sigalg sha256WithRSA -keystore /opt/rapid7/nexpose/nsc/keystores/nscweb.ks -storepass 'YourPassword' -ext san='dns:<YourFQDN,ip:<YourIP>' -file <csrFilename>