Is CSAT Pro Compatible With .pfx or .cfx Certificates?
Product Name
CIS CSAT Pro (SecureSuite Controls Self Assessment Tool)
Product Version
All
Date
May 12, 2021
Problem
Can I use pfx or cfx SSL Certificates with CSAT Pro?
Solution
The CSAT Pro tool is meant to work with JKS certificates. Other certificate formats can be used, but this is recommended only if you are familiar with SSL certificates and the Java trust store tool/command. Otherwise, please use a self-signed certificate.
For PFX Certificate
Using the Java keytool command, import the PKCS certificate into the Java Keystore.
First, create an empty Keystore.
Open a command window and type:
keytool -genkey -alias cis -keystore cis.jks
Enter the data that Keytool asks you for.
Import the .pfx into the Keystore you created using this command:
keytool -importkeystore -srckeystore cis.pfx -srcstoretype pkcs12 -destkeystore cis.jks -deststoretype JKS -alias csat
Enter the destination and source Keystore password.
Check that all of the certificates from the pfx were imported into the JKS:
keytool -list -keystore cis.jks -alias csat
Change csat-config.yml as follows to point to the jks file:
key-store: C:\Temp\cis.jks
Restart the CSAT_Pro Windows service
Additional outside documentation on the matter: https://support.code42.com/Administrator/6/Configuring/Install_a_CA-signed_SSL_certificate_for_HTTPS_console_access
If you are still unable to access CSAT Pro, you may have to perform these additional steps.
Request the certificate. The request must contain a common name and an alternative DNS FQDN name of the page you will use.
Export the certificate in PKCS#12 (.pfx) format with the private key, without the CA chain.
Import the certificate into the Keystore and convert it to jks format:
keytool.exe -importkeystore -srckeystore cis.pfx -destkeystore cis.jks -srcstoretype pkcs12 -deststoretype JKS
Export the CA and intermediate certs in base64 encoded x509 format.
Import the CA and intermediate certs into the Keystore:
keytool -importcert -alias root -file union.root.509.cer -keystore cis.jks
Read the jks file and find the alias for the private key:
keytool -list -keystore cis.jks
Write the alias for the private key to csat-config.yml, along with the password for the keystore and the password for the private key.
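The "find the alias for the private key" step can be checked mechanically. The following is an added example, not part of the original article or of CSAT Pro: it parses non-verbose `keytool -list` output and returns the alias that holds the imported private key, ignoring the self-signed entry that `keytool -genkey -alias cis` leaves behind and rejecting keystores that contain only trusted certificates. The sample listing is constructed, and the function names and the choice of `cis` as the placeholder alias are assumptions taken from the commands above.

```python
import re

# Constructed sample of `keytool -list -keystore cis.jks` output (not from a real keystore).
SAMPLE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, May 12, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed>
cis, May 12, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
csat, May 12, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed>
"""

# Entry line layout: "<alias>, <locale-formatted date>, <entry type>,"
ENTRY = re.compile(r"^(?P<alias>.+?), .+, (?P<type>\w+Entry),\s*$")


def parse_entries(listing):
    """Return [(alias, entry_type), ...] from non-verbose keytool -list output."""
    return [(m["alias"], m["type"])
            for m in map(ENTRY.match, listing.splitlines()) if m]


def key_alias(listing, placeholder="cis"):
    """Return the alias of the imported private key for csat-config.yml.

    `placeholder` is the self-signed entry created by `keytool -genkey -alias cis`.
    """
    keys = [a for a, t in parse_entries(listing) if t == "PrivateKeyEntry"]
    imported = [a for a in keys if a != placeholder]
    if len(imported) == 1:
        return imported[0]
    if not keys:
        # Only trustedCertEntry items: a certificate without its key cannot serve TLS.
        raise ValueError("no PrivateKeyEntry found; the private key was not imported")
    if not imported:
        raise ValueError(f"only the self-signed placeholder {placeholder!r} holds a key")
    raise ValueError(f"several private-key entries {imported}; pick one explicitly")


if __name__ == "__main__":
    print("alias to write to csat-config.yml:", key_alias(SAMPLE))
```
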
For a CER certificate
First, create an empty Keystore (it actually creates a default entry):
keytool -genkey -alias cis -keystore cis.jks
Then import your certificate into a Keystore with the following command:
Verify that the certificate was imported into the jks:
keytool -list -keystore cis.jks -alias csat
Then change the following properties in csat-config.yml accordingly:
Restart the CSAT or CSAT Windows service
Keywords: CSAT certificate SSL jkx pfx cfx