Is CSAT Pro Compatible With .pfx or .cfx Certificates?

 


Product Name

CIS CSAT Pro (SecureSuite Controls Self Assessment Tool)

Product Version

All

Date

May 12, 2021



Problem

Can I use pfx or cfx SSL Certificates with CSAT Pro?

 

Solution

The CSAT Pro tool is meant to work with JKS (Java KeyStore) certificates. Other certificate formats can be used, but this is recommended only if you are familiar with SSL certificates and the Java trust store tool/command (keytool). Otherwise, please use a self-signed certificate.

For PFX Certificate

Using the Java keytool, import the PKCS12 certificate into the Java Keystore.

  • First, create an empty Keystore.

  • Open a command window and type:

keytool -genkey -alias cis -keystore cis.jks
  • Enter the data that Keytool asks you for.

  • Import the .pfx into the Keystore you created using this command:

keytool -importkeystore -srckeystore cis.pfx -srcstoretype pkcs12 -destkeystore cis.jks -deststoretype JKS -alias csat
  • Enter the destination and source Keystore password.

  • Check that all of your certificates from the pfx were imported into the JKS:

keytool -list -keystore cis.jks -alias csat
  • Change csat-config.yml as follows to point to the jks file:

key-store: C:\Temp\cis.jks

  • Restart the CSAT_Pro Windows service

Some additional outside documentation on the matter: https://support.code42.com/Administrator/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access


If you are still unable to access CSAT Pro, you may have to perform these additional steps.

  • Request the certificate. The request must contain a common name and an alternative DNS name (FQDN) for the page you will use.

  • Export the certificate in PFX (PKCS12) format with the private key and without the CA chain.

  • Import the certificate into the Keystore and convert it to jks format:

keytool.exe -importkeystore -srckeystore cis.pfx -destkeystore cis.jks -srcstoretype pkcs12 -deststoretype JKS

  • Export the CA and intermediate certs in base64-encoded x509 format.

  • Import the CA and intermediate certs into the Keystore:

keytool -importcert -alias root -file union.root.509.cer -keystore cis.jks

  • Read the jks file and find the alias for the private key:

keytool -list -keystore cis.jks

  • Write the alias for the private key to csat-config.yml, along with the password for the keystore and the password for the private key.
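
The alias check from the steps above, as an added example (not CIS code): it parses the text printed by keytool -list -keystore cis.jks and confirms that the alias you plan to put in csat-config.yml is a PrivateKeyEntry rather than a missing or certificate-only entry. The sample listing, the alias te-example-alias and the function names are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -keystore cis.jks` output (not from a
# real keystore). Fingerprints are placeholders; the date format depends on the
# JVM locale. Here the imported key kept the alias it had inside the PFX.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

cis, May 12, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:PLACEHOLDER
te-example-alias, May 12, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 33:44:55:PLACEHOLDER
root, May 12, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 66:77:88:PLACEHOLDER
"""

# "<alias>, <date>, <entry type>," as printed by the non-verbose listing.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), .+, (?P<kind>\w+Entry),\s*$")


def parse_listing(text):
    """Return {alias: entry type} for every entry in the listing."""
    entries = {}
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # JKS aliases are case-insensitive, so compare in lower case.
            entries[match.group("alias").lower()] = match.group("kind")
    return entries


def check_key_alias(text, alias):
    """Return a list of problems with using `alias` as the private key alias."""
    entries = parse_listing(text)
    kind = entries.get(alias.lower())
    if kind == "PrivateKeyEntry":
        return []
    key_aliases = sorted(a for a, k in entries.items() if k == "PrivateKeyEntry")
    if kind is None:
        return [f"alias '{alias}' not found; private key aliases: {key_aliases}"]
    return [f"alias '{alias}' is a {kind} with no private key; "
            f"private key aliases: {key_aliases}"]


if __name__ == "__main__":
    for candidate in ("csat", "root", "te-example-alias"):
        print(candidate, "->", check_key_alias(SAMPLE_LISTING, candidate) or "OK")
```

To use it on a real keystore, paste or pipe the output of the keytool -list command into check_key_alias in place of SAMPLE_LISTING.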


For a CER certificate

First, create an empty Keystore (it actually creates a default entry):
keytool -genkey -alias cis -keystore cis.jks

  • Then import your certificate into a Keystore with the following command:

  • Verify that the certificate was imported into the jks:
    keytool -list -keystore cis.jks -alias csat

  • Then change the following properties in csat-config.yml accordingly:

  • Restart the CSAT or CSAT Windows service

Keywords: CSAT certificate SSL jkx pfx cfx


Copyright © 2020

Center for Internet Security®