11-16-2017 06:27 AM
I'm trying to enable HTTPS for SAS Environment Manager 9.4M4 with a third-party (Entrust) signed certificate.
I have done the following to no avail....
Followed the post-install steps in the SAS Environment Manager Admin Guide
Created a keystore with the CA root, intermediaries and server certificate.
If I go to the EM console, Chrome complains that it can't validate the site. However, I've also implemented TLS on all the web apps on this same installation and they work 100%, so this is isolated to Environment Manager. Under HTTP I could connect 100% to the console.
Any ideas?
11-16-2017 10:05 AM
Have you included the certificates in the Chrome certificate store?
Is it working OK for IE or Firefox?
When it does not validate the site, can you still go through by accepting that you are going to an insecure site?
11-16-2017 10:28 AM
Yes, I have imported the certs into Chrome. Other HTTPS URLs on the same mid tier, e.g. VA Hub, work 100%.
Haven't tried with other browsers yet.
Yes, I can click through and go to an 'unsecure' site.
I'm just thinking now... The only difference between the EV and the Web Server setup is that the EV config has a different private key, since it generates a new private key when you create the keystore. It's the same server and server cert, but a different private key.
Could this maybe be the problem? i.e. a mismatch between the private key and the server cert.
If so, is it possible to use the private key from the Web Server config for EV? Ultimately I want to use the same server cert I used for the Web Server.
11-17-2017 05:41 AM - edited 11-17-2017 05:41 AM
I think you are on the right track. Have you already tried it? Do not forget to make copies/backups of modified files.
11-17-2017 05:58 AM
This morning I obtained a third-party (Entrust) signed certificate for the server and imported all the certs into a new EV keystore, but the problem remains. So that rules out the private key theory.
Btw... I get the same error in Chrome, Firefox and Edge.
If I expand the error in Chrome, it shows the certificate. The issuer of the certificate is listed as my server, so it appears to be the self-signed certificate. But I don't understand how, since EV is pointing to the new keystore that only contains the new third-party certs. It's as if EV is providing the self-signed certificate and not the new ones.
Any ideas?
11-27-2017 01:53 AM
Just an update on this one....
I have opened a Track with Tech Support and we are still investigating. From the analysis so far, it seems like the error in Chrome is caused by Environment Manager using the self-signed certificate instead of the third-party certificate. It's weird because all locations have been updated with the third-party certificate, so there should be no trace of the self-signed one, but for some reason EV is not using the third-party one.
Will keep the forum posted...
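
The two checks discussed in this thread (is the presented certificate self-issued, and does a private key belong to a certificate) can be scripted with `openssl`. This is an added example, not part of the original posts and not SAS tooling; it assumes certificates and keys are available as PEM files, and the function names, the `em.example.test` name and the throwaway certificates it generates are constructed for the demo.

```shell
#!/bin/sh
# Added example: all certificates and keys below are constructed, throwaway test material.

# True when subject and issuer names are identical (the "issuer is my server" symptom).
is_self_issued() {
  s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null)
  [ -n "$s" ] && [ "$s" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the private key ($1) belongs to the certificate ($2):
# both must yield the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Save the leaf certificate a live listener actually presents.
# Arguments (hypothetical): host, port, output file. Not called in the offline demo.
fetch_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$3"
}

# Build constructed samples in directory $1: a self-signed cert and a CA-signed cert.
make_samples() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=em.example.test" \
    -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=em.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_samples "$DEMO"
is_self_issued "$DEMO/self.crt" && echo "self.crt: self-issued"
is_self_issued "$DEMO/srv.crt" || echo "srv.crt: issued by a separate CA"
key_matches_cert "$DEMO/srv.key" "$DEMO/srv.crt" && echo "srv.key matches srv.crt"
key_matches_cert "$DEMO/self.key" "$DEMO/srv.crt" || echo "self.key does not match srv.crt"
```

Running `fetch_served_cert` against the console's HTTPS port and passing the saved file to `is_self_issued` shows whether the listener is presenting a self-issued certificate, independent of what any keystore on disk contains.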