Versions Compared

Old Version 7

changes.mady.by.user Allan Cornwell

Saved on

compared with

New Version 8

changes.mady.by.user Allan Cornwell

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Product Name

CIS-CAT Pro Dashboard

Product Version

3.0.0+

Date

CIS-CAT Pro Dashboard v3 supports the following two file types / formats for organizational certificates:

Below are some potential challenges encountered when applying these to the application, and suggested solutions.

Frequently Asked Questions

Table of Contents
minLevel3
maxLevel4

My certificate is not in .p12 or .jks format, how do I proceed?

If your current certificate includes a Private Key, you may be able to convert it into .p12 / .jks format. As the CIS Product Support team cannot assist with organizational certificate conversions, please contact your certificate provider (such as DigiCert) or administrator for further assistance.

How do I identify the “Alias” of my Organizational Certificate?

The certificate Alias can be shown using the Java keytool, which is installed by default with any JRE/JDK, and a copy of which can be found in the Dashboard \jre\bin\ directory. Run the following command from an elevated command prompt:

keytool -v -list -keystore C:\certs\mycert.jks
(where C:\certs\mycert.jks is the path to your .p12 or .jks certificate)

The output will show the Alias under “Alias name”:

In this example, the Alias name is “db31cert”.

Info

Java Keystore can have multiple Aliases contained in a single file. Ensure you are using the correct Alias matching your intended certificate.

Chrome marks Dashboard as “Not Secure” and returns an “ERR_CERT_COMMON_NAME_INVALID“

error

or “Subject Alternative Name Missing“ Error

The ERR_CERT_COMMON_NAME_INVALID SSL error can occur with a valid and non-expired certificate if it does not contain a SAN (Subject Alternative Name), which Google Chrome requires with for all newer browser versions. You can view the exact certificate error details by opening the Dashboard page in Chrome, then accessing Developer Tools (Control + Shift + I on Windows) and selecting the “Security” tab.The below Digicert resource explains what this record is and how to check for it

The DigiCert page linked below includes further details on this record:
https://www.digicert.com/faq/subject-alternative-name.htmThis StackOverflow thread deals with the topic and offers several methods on remedying it during certificate creation:
https://stackoverflow.com/questions/43665243/invalid-self-signed-ssl-cert-subject-alternative-name-missing

You can view the certificate rejection cause by opening your Dashboard webpage in Chrome, then accessing Developer Tools (Control + Shift + i on Windows) and selecting the "Security" tab.

Image Added

Importing a .p12 Certificate to the Java Trust Store returns “Not an X.509 Certificate“

This error can occur if the .p12 file is encrypted with a password and its content cannot be read. To have the Java keytool prompt you for the source keystore password, use the following command:

Code Block
keytool -v -importkeystore -srckeystore C:\certs\mycert.p12 -srcstoretype PKCS12 -destkeystore "C:\Program Files\CCPD\jre\lib\security\cacerts" -deststoretype JKS

  • -srckeystore is the path to your .p12 certificate to be imported (in this example, C:\certs\mycert.p12)

  • -destkeystore is the path to your Dashboard cacerts keystore, typically found in \jre\lib\security\

This command will prompt for the destination Dashboard keystore password (which is changeit by default), followed by your source keystore password.

Content by Label

Filter by label (Content by label)
showLabelsfalse
showSpacefalse
cqllabel = "sbp_fer"

Copyright © 2020

Center for Internet Security®

Privacy Policy

Page Properties
hiddentrue

Action

Name(s)

Date

Linked ticket

Created by

Reviewed by

Approved by

Remove by