R12.1 Project Publication-2025Dec23

SSL FAQ

What is the certificate requirement for NetBrain?

Extended key usage must permit both TLS client and TLS server authentication.
Both the certificate and the CA chain are required, because NetBrain requires a full chain certificate.
Only the Base-64 encoded X.509 (.CER) format is supported.
Private key cannot be password encrypted and must be in the pkcs8 format.

How to make sure your private key file meets the requirement?

Use a vi editor on Linux or Notepad++ on Windows to open your private key file, and make sure it looks exactly like this:

-----BEGIN PRIVATE KEY----- xxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxx -----END PRIVATE KEY-----

If you see something like:

-----BEGIN PRIVATE KEY----- Proc-Type: 4,ENCRYPTED xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -----END PRIVATE KEY-----

It means this key is encrypted and must be decrypted first.

openssl rsa -in ABCCompany.key -out ABCCompany.key.unencrypted

How to make sure your cert chain files meet the requirement?

[+] Show Answer

[-] Hide Answer

For example, if your company has a root CA and an intermediate CA, which means Level 3 cert chain is used.

You need to make sure there is 1 cert.pem file, 1 intermediate-ca.pem file and 1 root-ca.pem file. Each of them should look like:

-----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxx -----END CERTIFICATE-----

You also need to consolidate/merge all the separate CA files into a chain-ca.pem file. To do so, copy and paste the BEGIN CERTIFICATE – END CERTIFICATE section into a single file using Notepad++ or VI Editor.

The final chain-ca.pem file looks like:

-----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxx //content of the intermediate ca file xxxxxxxxxxxxxxx -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- xxxxxxxxxxxxxxx //content of the root ca file xxxxxxxxxxxxxxx -----END CERTIFICATE-----

How to verify if your certificate chain fits the bill?

[+] Show Answer

[-] Hide Answer

The easiest way is to install Elasticsearch with SSL enabled.Generally, if Elasticsearch can be installed successfully with SSL enabled, your certificate chain should be able to meet the requirements of all the other NetBrain components.

Note: HTTPS, which can be enabled on IIS of Web Server, is not covered here.

Another way is to check by running the following command on a Linux server: openssl verify –verbose -CAfile CApath Certpath

Note: This command cannot ensure the installation on NetBrain will be successful.

[root@localhost pki-scripts]# openssl verify -verbose -CAfile ./ca/chain-ca.pem node.pem node.pem: OK [root@localhost pki-scripts]#

How to convert the certificate to formats NetBrain supported and What is the difference between X509 and PFX?

[+] Show Answer

[-] Hide Answer

The most common certificate format is “.PFX”, which usually includes private keys and certificates in X.509 format.

Use the following command to convert a PFX file, for example, pkcs12, into the one that NetBrain supports:

openssl pkcs12 –in ABCCompany.pfx -out netbrain.pem –nodes

During this converting process, you might be asked to input the passphrase of the PFX file. Check with your Network Administrator for more details.

How to find out the root cause when your SSL installation fails?

[+] Show Answer

[-] Hide Answer

The best way to verify your certificate chain is to install Elasticsearch first.

If the installation failed, check the elastic-search-cluster.log file under Elasticsearch’s installation directory to see if there is any error.

Generally, an error might be caused by:

incorrect cert or private key format
extended key usage TLS client does not permit client auth.

In these two cases, check with your CA server manager or IT staff to regenerate the required certificate chain and private key file.

	Note: Try the new certificate chain and key file to make sure the elastic-search-cluster.log file does not generate the same error logs anymore.

If the above FAQ cannot resolve your problem, please collect the whole logs folder under Elasticsearch installation directory and send to NetBrain Support Team.

[root@localhost home]# cd elasticsearch/ [root@localhost elasticsearch]# ls bin config data fix_releaseinfo.json lib LICENSE.txt logs modules NOTICE.txt pid plugins README.textile temp [root@localhost elasticsearch]#

Deploy and Install System Manage License