IBM Support

How to replace AppScan Enterprise certificate with your own certificate

Question/Answer


Question

How do you replace AppScan certificates with your own signed certificate in IBM Security AppScan Enterprise version 9.0.1 and later?

Cause

The default AppScan Enterprise certificates might not be trusted by your company's browsers. Replacing them with your own signed certificates prevents users from getting browser warnings that the certificate is not trusted.

Answer

Note: For certificates in AppScan Enterprise version 9.0.0.1 and older, consult How to replace the AppScan Enterprise certificate.

There are two places where certificates for AppScan Enterprise (version 9.0.1 and later) are applied:
- IIS
- Liberty server
Because both places use the same host name, the simplest way is to apply the same certificate in both. Since they do not share the same certificate storage, you need to create the certificate for one, then export it for use in the other.

Note: If you have installed AppScan Enterprise Server only (this configuration is used together with the AppScan Source product), you apply the certificate to the Liberty server only. See the description at the bottom.


There are several ways to apply the certificate in AppScan Enterprise. The simplest way is to generate the certificate for IIS and install it in IIS first, then export it and install it in Liberty. This method is described below, and in the video Certificates in AppScan Enterprise/Source.

Install certificate in IIS
    1. Generate a Certificate Signing Request (CSR)
      • Open IIS and select the top level in the left side panel
      • Double-click Server Certificates
      • Click Create Certificate Request in the right side panel
      • For Common name, enter the most commonly used name of your server. Fill in the other fields as well, even if they are optional. Click Next.
      • For Bit length, enter 2048. Click Next.
      • Give it a meaningful name, for example, mycompanyIIS, and save it. The saved name will be "mycompanyIIS.perm".
    2. Send the request to your Certificate Authority
      Send the generated CSR (for example, mycompanyIIS.perm) to your Certificate Authority (CA) for signing.
    3. Import the certificate into IIS
      After receiving the signed certificate from your CA, import it to IIS as follows:
      • Open IIS and select the top level in the left side panel
      • Double-click Server Certificates
      • Click Complete Certificate Request in the right side panel
      • Browse to the certificate file, enter a Friendly name, and click OK.
    4. Bind the Certificate to the Web Server
      • Open IIS and select Default Web Site in the left side panel
      • Click Bindings in the right side panel
      • Select the https protocol and click Edit
      • From the SSL certificate pull-down menu, select the Friendly name of the certificate, and click OK.
Install certificate in Liberty
    1. Export the certificate in IIS
      • Open IIS and select the top level in the left side panel
      • Double-click Server Certificates
      • Highlight the imported certificate and click Export in the right side panel
      • In the Export to field, provide a file name (for example, AppScanCertificateIIS.pfx).
      • Also provide a new password, and click OK.
    2. Import the certificate to Liberty
      Import the exported .pfx file to the Liberty server using the Configuration Wizard.
      • Start Configuration Wizard
      • In the Server Keystore dialog
        - select the option Use a keystore containing a trusted certificate chain for this host
        - from the pull-down menu, select Public Key Cryptography Standards #12 (PKCS #12)
        - browse to the .pfx file
        - enter the Keystore Password

    • Note: If you have an older version of AppScan Enterprise (version 9.0.1 or 9.0.2), the Configuration Wizard accepts only the .jks format. To convert the .pfx format to the .jks format, use the iKeyman utility that comes with AppScan Enterprise, located in the AppScan installation folder (by default C:\Program Files (x86)\IBM\AppScan Enterprise\Liberty\jre\bin\ikeyman.exe).
      See this step in the following video: https://www.youtube.com/watch?v=9R-RbVKZnKc#t=9m22s
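
Once the same certificate is installed in both IIS and Liberty, a quick check confirms that both listeners actually serve it and that Windows trusts it for the host name. The PowerShell below is an added example, not part of the IBM procedure; the host name and both port numbers are assumptions to replace with your own values.

```powershell
# Added example (not IBM's code). Host name and ports below are assumptions.
$HostName    = 'appscan.example.com'   # placeholder: the Common name used in the CSR
$IisPort     = 443                     # assumed port of the IIS https binding
$LibertyPort = 9443                    # assumed Liberty HTTPS port; use your own

function Get-ServedCertificate {
    param([string]$Server, [int]$Port)
    $script:sslErrors = $null
    $ssl = $null
    # Accept whatever is served so it can be inspected, and record why Windows
    # would have rejected it. No application data is sent on this connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $errors)
        $script:sslErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # TLS 1.2 is an assumption; adjust if the server is configured differently.
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Port         = $Port
            Subject      = $c.Subject
            Issuer       = $c.Issuer
            Thumbprint   = $c.Thumbprint
            NotAfter     = $c.NotAfter
            PolicyErrors = [string]$script:sslErrors   # 'None' when name and chain validate
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$iis     = Get-ServedCertificate -Server $HostName -Port $IisPort
$liberty = Get-ServedCertificate -Server $HostName -Port $LibertyPort
$iis, $liberty | Format-List

if ($iis.Thumbprint -ne $liberty.Thumbprint) {
    Write-Warning 'IIS and Liberty serve different certificates.'
}
foreach ($r in @($iis, $liberty)) {
    if ($r.PolicyErrors -ne 'None') {
        Write-Warning "Port $($r.Port): not trusted on this machine ($($r.PolicyErrors))"
    }
    if ($r.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Port $($r.Port): certificate expires $($r.NotAfter)"
    }
}
```

PolicyErrors reflects the Windows certificate store of the machine the script runs on, so run it from a client workstation to see what its browsers will see.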



Install certificate in your browsers

To access the AppScan Enterprise console with your browser, you need to install the root certificate in your browsers as follows:
    • Obtain the root and any intermediate certificate from your CA
    • Import the certificate into Windows and Firefox
      All browsers except Firefox use the Windows certificate storage, so you need to install the certificate in Windows and Firefox separately.
      • In Windows:
        Click the certificate you want to install. In the Certificate dialog click Install Certificate.
      • In Firefox:
        Open Certificate Manager in Firefox, and click the Import button there.

Install certificate in AppScan Enterprise Server

If you use the AppScan Enterprise product with AppScan Source, you may have installed AppScan Enterprise Server only. In this configuration, you need to apply the certificate to the Liberty server only.
  1. Generate a CSR with iKeyman
    Generate a Certificate Signing Request using the iKeyman utility that comes with AppScan Enterprise, located in the AppScan installation folder (by default C:\Program Files (x86)\IBM\AppScan Enterprise\Liberty\jre\bin\ikeyman.exe).
    See this step in the following video: https://www.youtube.com/watch?v=9R-RbVKZnKc#t=11m31s
  2. Send the request to your Certificate Authority
    Send the generated CSR (for example, mycompanyIIS.perm) to your Certificate Authority (CA) for signing.
  3. Import the certificate to Liberty
    Import the certificate as described above in the Install certificate in Liberty section.

 

Related information

How to import Signer Certificates into AppScan Enterpri

Document information

More support for: IBM Security AppScan Enterprise

Component: Installation: Liberty

Software version: 9.0.1, 9.0.1.1, 9.0.2, 9.0.2.1, 9.0.3, 9.0.3.1, 9.0.3.4

Operating system(s): Windows

Reference #: 1992178

Modified date: 06 May 2019