
You will most likely want to install your own certificate for the WiKIDAdmin interface. The cert is not related to the Intermediate and localhost certs and is only used for the WiKIDAdmin interface. These instructions will help you install your own certificate.

When you run 'wikidctl setup' for the first time, a self-signed certificate is created for the WiKIDAdmin web interface. Obviously, we cannot generate a valid cert for your domain, nor can you use a wikidsystems.com cert. Note that this cert is completely separate from the intermediate and localhost certs and that it only affects the admins who log in to the WiKID server (unless you are running additional applications on the server, such as ADRegister). None of these certs affect the token cryptography.

Installing your own cert is quite simple. The certificate is /opt/WiKID/conf/tomcatKeystore. It is a p12 file, so you can create a p12 file (see https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html), give it that name and restart WiKID. The file is specified in /opt/WiKID/tomcat/conf/server.xml:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
sslEnabledProtocols="TLSv1, TLSv1.2"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
keystoreFile="/opt/WiKID/conf/tomcatKeystore"
keystoreType="PKCS12" keystorePass="changeit"
clientAuth="false" />

If you have a wildcard cert, here is the process we use.

First you need to create a cert in a file format acceptable to Tomcat, such as PKCS12. We have a wildcard certificate. In order to create a PKCS12 file I had to combine the issuer's intermediate cert (intermediate.crt) with the certificate chain (/etc/ssl/certs/ca-bundle.crt, for example):

# cat intermediate.crt /etc/ssl/certs/ca-bundle.crt > allcacerts.crt

Then, create the keystore:

openssl pkcs12 -export -chain -CAfile allcacerts.crt -in yourdomain.crt -inkey yourdomain.key -out yourdomain.keystore -name tomcat -passout pass:changeit

Copy yourdomain.keystore to your WiKID server in /root and then to /opt/WiKID/conf/.

Edit /opt/WiKID/tomcat/conf/server.xml. The SSL connector should read:

      <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true" sslEnabledProtocols="TLSv1, TLSv1.2"
                 ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"
                 keystoreFile="/opt/WiKID/conf/yourdomain.keystore"
                 keystoreType="PKCS12"  keystorePass="changeit"
                 clientAuth="false" />
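The same keystore build carried out end to end on constructed test material, with a check that the issuer chain actually landed in the PKCS12 file (an added example written for this page, not code from the WiKID documentation; it assumes the openssl CLI is on PATH, and the Test Root, Test Intermediate and *.example.com names are throwaway values created here):

```shell
#!/bin/sh
# Added example, not part of the WiKID documentation: builds the PKCS12 keystore the
# way the page does, then checks that the keystore really carries the issuer chain.
# Assumes the openssl CLI is on PATH. The root, intermediate and wildcard leaf below
# are constructed throwaway test material created here, not a real issuer.
set -eu

# build_keystore LEAF.crt LEAF.key CHAIN.crt OUT.keystore PASSWORD
# The page's command: leaf cert, private key and issuer chain in one entry named "tomcat".
build_keystore() {
    openssl pkcs12 -export -chain -CAfile "$3" -in "$1" -inkey "$2" \
        -out "$4" -name tomcat -passout "pass:$5"
}

# keystore_cert_count KEYSTORE PASSWORD: prints how many certificates are stored.
# 1 means only the leaf went in, so TLS clients would be sent an incomplete chain.
keystore_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# keystore_chain_ok KEYSTORE PASSWORD ROOT.crt: returns 0 only if the leaf in the
# keystore verifies up to ROOT using just the CA certs stored beside it.
keystore_chain_ok() {
    d=$(mktemp -d)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$d/leaf.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$d/chain.pem"
    openssl verify -CAfile "$3" -untrusted "$d/chain.pem" "$d/leaf.pem" >/dev/null
}

WORK=$(mktemp -d)
cd "$WORK"
# Constructed test PKI: root -> intermediate -> wildcard leaf for *.example.com.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
    -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -days 1 -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out intermediate.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
    -keyout yourdomain.key -out yourdomain.csr 2>/dev/null
openssl x509 -req -days 1 -in yourdomain.csr -CA intermediate.crt \
    -CAkey intermediate.key -CAcreateserial -out yourdomain.crt 2>/dev/null

# As on the page: issuer intermediate plus the trust bundle (here just the test root).
cat intermediate.crt root.crt > allcacerts.crt
build_keystore yourdomain.crt yourdomain.key allcacerts.crt yourdomain.keystore changeit
echo "certificates in keystore: $(keystore_cert_count yourdomain.keystore changeit)"
keystore_chain_ok yourdomain.keystore changeit root.crt && echo "chain verifies to root"
```

Run it before copying a real keystore into /opt/WiKID/conf/: a count of 1 or a failed chain check means the intermediate never made it into the file and browsers will show the admin interface as untrusted.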


Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication