This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Nov 24, 2014, 8:54 PM
328 Posts

Thank you, Michael!

  • Category: Configuring
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Replies: 14

One of the issues with the original Wiki was that in Step 1 he used 'server.key', then in Step 2 it was 'server02.key'; I was pretty sure they should have been the same...

Are you setting environment variables for OpenSSL?  I think that I had to add 'set RANDFILE=.rnd', but then later got another error, so added 'set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg'.

Did you have to make any changes to the supplied openssl.cfg file?

And finally, did you just run everything from 'C:\OpenSSL-Win32\bin'? Then copy out the files you needed?

Thanks for the direction! It looks like I was on the right track - but didn't want to submit & pay for the certificate only to find out I had it all wrong!


Nov 24, 2014, 8:46 PM
90 Posts
Another gotcha with your certs
Make sure your certificate chain has no SHA-1 intermediate or root certificates. If it does, it will work fine, but the SSL test sites might ding you a few points.

I ended up contacting Thawte since they had two intermediate certs to use but one was SHA-1. They said I can leave that one out since it was only needed for obsolete browsers and to just use the SHA-2 intermediate. Seems to work fine.

Howard
Nov 24, 2014, 9:22 PM
51 Posts
SHA-2 Signatures (Root/Intermediate Certificates)

Hello Howard,

Excellent, couldn't agree more with that recommendation. Many CAs still have root and intermediate bundles (or individual certificates in their repositories) that are only SHA-1 signed. I intentionally downloaded the G2 versions of the root and intermediate certificates (e.g. from Go Daddy) that have SHA-2 signatures. If not, your chain's essentially not 100% SHA-2. Even with these SHA-2 inclusive certificates, it's possible to still see SHA-1 for the Thumbprint Algorithm, but the certificate is signed with SHA-2 and will pass tests (e.g. Google Chrome checks for SHA-1).

Regards,
Michael
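As an added example (not code from Howard's or Michael's posts), the script below does the check the two posts above describe with nothing but the Python standard library: it walks a PEM bundle and, for every certificate, reports the algorithm in the DER signatureAlgorithm field next to the SHA-1 thumbprint. That is the distinction Michael draws: the thumbprint is a hash of the whole certificate blob that the viewer computes locally, while the signature algorithm OID is what the CA actually signed with. The sample chain is constructed (certificate-shaped DER with dummy signature bytes, not real certificates), so the only real-world step is to pass the text of the bundle downloaded from the CA to audit_chain. One caveat in my own words: clients do not verify a root's self-signature, so a SHA-1 root is cosmetic; a SHA-1 signature on an intermediate is what Chrome and the scanners penalise.

```python
"""Audit a PEM bundle for SHA-1 signatures using only the standard library.
Added example for this thread, not code from the posts; the sample chain is
constructed (certificate-shaped DER with dummy signature bytes, not real certs)."""
import base64
import hashlib
import re

# Signature algorithm OIDs (RFC 3279) mapped to names; unknown OIDs are returned as-is.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def der_read(buf, pos=0):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:              # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, body, _ = der_read(cert_der)
    _, _, pos = der_read(body)           # skip tbsCertificate
    _, alg_body, _ = der_read(body, pos) # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = der_read(alg_body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_raw)
    return SIG_ALG_OIDS.get(oid, oid)

def thumbprint_sha1(cert_der):
    """The 'Thumbprint algorithm: sha1' a viewer shows is just a local hash of the DER blob."""
    return hashlib.sha1(cert_der).hexdigest()

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def audit_chain(pem_text):
    """One entry per certificate in the bundle, flagging SHA-1 signatures."""
    report = []
    for idx, block in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(block.split()))
        alg = signature_algorithm(der)
        report.append({"index": idx, "signature_algorithm": alg,
                       "sha1_signed": "sha1" in alg.lower(),
                       "thumbprint_sha1": thumbprint_sha1(der)})
    return report

# --- constructed sample chain: NOT real certificates, the signature is dummy bytes
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _fake_cert(sig_oid, label):
    tbs = _tlv(0x30, _tlv(0x0C, label.encode()))     # placeholder tbsCertificate
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")     # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" * 129)                   # BIT STRING, 1024 dummy bits
    return _tlv(0x30, tbs + alg + sig)

def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = (_pem(_fake_cert("1.2.840.113549.1.1.11", "server (SHA-256)"))
                 + _pem(_fake_cert("1.2.840.113549.1.1.5", "old intermediate (SHA-1)"))
                 + _pem(_fake_cert("1.2.840.113549.1.1.11", "G2 intermediate (SHA-256)")))

if __name__ == "__main__":
    for e in audit_chain(SAMPLE_BUNDLE):
        flag = "  <-- SHA-1 signed: use the CA's SHA-2 issuer cert instead" if e["sha1_signed"] else ""
        print(f"cert {e['index']}: {e['signature_algorithm']}  sha1 thumbprint {e['thumbprint_sha1'][:16]}...{flag}")
```

To cross-check a single file with the OpenSSL binary from the thread, `openssl x509 -in intermediate.crt -noout -text` prints the same field as "Signature Algorithm"; a SHA-2 chain shows sha256WithRSAEncryption (or another SHA-2 variant) on every intermediate, regardless of what the Windows certificate viewer displays under Thumbprint algorithm.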

Nov 24, 2014, 11:01 PM
94 Posts
Thanks for pointing that out - changed "server02" to "server" in step 2
Nov 25, 2014, 12:01 AM
51 Posts
Thanks Dave! (re: server02 -> server)

Dave,

Thanks for updating the posting.

Regards,
Michael

