Hi Brandon
The Certifacte signing requirements for a large portion of browsers has recentaly changed, and because of this the orignal self signed version for the SDN Controller conflicts with these browsers minimum requirements. Here is the procedure for manually generating a new self signed certificate.
Bold Italic text is commands
Bold is Important notes
I have indented sample output
The following needs to be done as root hence( I am assuming the account your are using does have sudo premissions for root)
sudo service sdnc stop
Then the following needs to be done as the user which the sdn controller controller runs as(The user is the user sdn by default), since the truststore and keystore must be readable by that user.
Hint to become the user sdn us the following “sudo su – sdn”.
cd /opt/sdn/admin
ls -l *store*
sdn@ubuntu:~/admin$ ls -l *store*
-rw-r----- 1 sdn sdn 1319 Mar 20 14:53 keystore
-rw-r----- 1 sdn sdn 913 Mar 20 14:53 truststore
Note the permissions and ownership of the files
Here we generate a self-signed certificate with a validity period of 1780 days, after moving the old keystore and truststore away.
Note you need to use the password “skyline” below unless you have changed it. I have added it in for clarity in the commands below but it will not show when it is typed.
Leave the password for the key the same as the keystore password.
mv keystore keystore.orig
mv truststore truststore.orig
keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore -validity 1780
sdn@ubuntu:~/admin$ keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore
Enter keystore password: skyline
Re-enter new password: skyline
What is your first and last name?
[Unknown]: 192.168.181.135
What is the name of your organizational unit?
[Unknown]: SDNCOE
What is the name of your organization?
[Unknown]: HP
What is the name of your City or Locality?
[Unknown]: Amstelveen
What is the name of your State or Province?
[Unknown]: Noord-Holland
What is the two-letter country code for this unit?
[Unknown]: NL
Is CN=192.168.181.135, OU=SDNCOE, O=HP, L=Amstelveen, ST=Noord-Holland, C=NL correct?
[no]: y
Enter key password for <serverKey>
(RETURN if same as keystore password): Just press enter here
sdn@ubuntu:~/admin$
keytool -exportcert -keystore keystore -alias serverKey -file serverkey.cer
sdn@ubuntu:~/admin$ keytool -exportcert -keystore keystore -alias serverKey -file serverkey.cer
Enter keystore password:
Certificate stored in file <serverkey.cer>
sdn@ubuntu:~/admin$
ls -ltr
sdn@ubuntu:~/admin$ ls -ltr
total 15728
-rwxr-x--- 1 sdn sdn 462 Jan 29 12:46 uninstall-dpkg
-rwxr-x--- 1 sdn sdn 486 Jan 29 12:46 startup.sh
-rwxr-x--- 1 sdn sdn 1453 Jan 29 12:46 sdnpass
<SNIP>
-rw-rw-r-- 1 sdn sdn 2257 Apr 9 01:51 keystore
-rw-rw-r-- 1 sdn sdn 1088 Apr 9 01:52 sdn-server.csr
-rw-rw-r-- 1 sdn sdn 903 Apr 9 02:06 serverkey.cer
Note you need to use the password “skyline” below unless you have changed it. I have added it in for clarity in the commands below but it will not show when it is typed.
keytool -importcert -trustcacerts -keystore truststore -file serverkey.cer -alias CARoot
sdn@ubuntu:~/admin$ keytool -importcert -trustcacerts -keystore truststore -file serverkey.cer -alias CARoot
Enter keystore password: skyline
Re-enter new password: skyline
Owner: CN=192.168.181.135, OU=SDNCOE, O=HP, L=Amstelveen, ST=Noord-Holland, C=NL
Issuer: CN=192.168.181.135, OU=SDNCOE, O=HP, L=Amstelveen, ST=Noord-Holland, C=NL
Serial number: 54a39e23
Valid from: Thu Apr 09 01:51:25 PDT 2015 until: Wed Jul 08 01:51:25 PDT 2015
Certificate fingerprints:
MD5: 44:02:D6:58:C5:2A:2D:B5:F3:64:9B:40:6D:9B:1D:10
SHA1: C7:59:89:31:9D:79:C9:D5:3A:22:D7:36:C7:43:2D:1B:88:5B:54:5E
SHA256: E9:5D:1E:06:02:25:17:3F:C4:D9:97:C4:28:27:E6:87:2F:BC:B4:C9:E1:47:17:57:FF:33:1B:23:86:41:A5:B0
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 82 FD 72 7D 83 60 88 C0 DA 67 7D 6A 03 12 11 B7 ..r..`...g.j....
0010: 27 C7 EC D9 '...
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
sdn@ubuntu:~/admin$
As the user root hence, you might need to type “logout” here to switch to the account you usually log in which has sudo capbilities.
sudo service sdnc start
Kind Regards
Gerhard Roets
HP SDN COE Team
#ERR_SSL_VERSION_OR_CIPHER_MISMATCH#selfsigned#certificate#ssl_error_no_cypher_overlap