1. Extended key usage must permit both TLS client and TLS server authentication.
2. Both the certificate and the CA chain are required, because NetBrain requires a full chain certificate.
3. Only the Base-64 encoded X.509 (.CER) format is supported.
4. Private key cannot be password encrypted and must be in the pkcs8 format.
Use a vi editor on Linux or Notepad++ on Windows to open your private key file, and make sure it looks exactly like this:
-----BEGIN PRIVATE KEY-----
If you see something like:
-----BEGIN PRIVATE KEY-----
it means this key is encrypted and must be decrypted first:
openssl rsa -in ABCCompany.key -out ABCCompany.key.unencrypted
For example, if your company has a root CA and an intermediate CA, a Level 3 cert chain is used. You need to make sure there is 1 cert.pem file, 1 intermediate-ca.pem file and 1 root-ca.pem file. Each of them should look like:
-----BEGIN CERTIFICATE-----
You also need to consolidate/merge all the separate CA files into a chain-ca.pem file. To do so, copy and paste the BEGIN CERTIFICATE – END CERTIFICATE section of each file into a single file using Notepad++ or VI Editor. The final chain-ca.pem file looks like:
-----BEGIN CERTIFICATE-----
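A stdlib-only Python check for the key header and the merged chain file described above. It is an added example, not NetBrain code; the function names, the sample PEM bodies (placeholder bytes, not real keys or certificates) and the expected count of two CA certificates (intermediate plus root) are assumptions.

```python
import base64
import re

# One PEM block: label, optional "Name: value" headers, base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, headers, der_bytes) for every PEM block in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # e.g. Proc-Type: 4,ENCRYPTED
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64, validate=True)))
    return blocks

def classify_key(text):
    """Classify the first private-key block in a PEM file by its standard label."""
    for label, headers, _ in pem_blocks(text):
        if label == "PRIVATE KEY":
            return "pkcs8-unencrypted"        # the form requirement 4 asks for
        if label == "ENCRYPTED PRIVATE KEY":
            return "pkcs8-encrypted"
        if label.endswith(" PRIVATE KEY"):    # traditional RSA/EC key
            enc = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
            return "traditional-encrypted" if enc else "traditional-unencrypted"
    return "no-key"

def chain_problems(text, expected_certs):
    """List reasons a merged CA file such as chain-ca.pem is not usable."""
    blocks = pem_blocks(text)
    certs = [der for label, _, der in blocks if label == "CERTIFICATE"]
    problems = []
    if len(certs) != len(blocks):
        problems.append("non-certificate block present")
    if len(certs) != expected_certs:
        problems.append("expected %d certificates, found %d" % (expected_certs, len(certs)))
    if any(not der.startswith(b"\x30") for der in certs):
        problems.append("certificate body is not a DER SEQUENCE")
    return problems

# Constructed sample data: placeholder DER bytes, not real keys or certificates.
def make_pem(label, headers=""):
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)

GOOD_KEY = make_pem("PRIVATE KEY")
ENCRYPTED_KEY = make_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
GOOD_CHAIN = make_pem("CERTIFICATE") * 2      # intermediate CA + root CA (assumed)
BAD_CHAIN = GOOD_CHAIN + GOOD_KEY             # a key pasted into the chain file
```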
▪The easiest way is to install Elasticsearch with SSL enabled.
Note: HTTPS, which can be enabled on IIS of Web Server, is not covered here.
▪Another way is to check by running the following command on a Linux server:
[root@localhost pki-scripts]# openssl verify -verbose -CAfile ./ca/chain-ca.pem node.pem
Note: This command cannot ensure the installation on NetBrain will be successful.
The most common certificate format is “.PFX”, which usually includes private keys and certificates in X.509 format. Use the following command to convert a PFX (PKCS #12) file into the format that NetBrain supports:
openssl pkcs12 -in ABCCompany.pfx -out netbrain.pem -nodes
During this conversion, you might be asked to input the passphrase of the PFX file. Check with your Network Administrator for more details.
The best way to verify your certificate chain is to install Elasticsearch first. If the installation fails, check the elastic-search-cluster.log file under Elasticsearch’s installation directory to see if there is any error. Generally, an error might be caused by:
▪incorrect cert or private key format
▪extended key usage that does not permit TLS client auth
In these two cases, check with your CA server manager or IT staff to regenerate the required certificate chain and private key file.
Note: Try the new certificate chain and key file to make sure the elastic-search-cluster.log file does not generate the same error logs anymore.
If the above FAQ cannot resolve your problem, please collect the whole logs folder under the Elasticsearch installation directory and send it to the NetBrain Support Team.
[root@localhost home]# cd elasticsearch/
[root@localhost elasticsearch]# ls
bin config data fix_releaseinfo.json lib LICENSE.txt logs modules NOTICE.txt pid plugins README.textile temp
[root@localhost elasticsearch]#