Key Management

CipherTrust Manager Web Interface Certificate Error

Reading time: 3 minutes

In this blog, we’ll discuss the issue faced while configuring the web interface on CipherTrust Manager.

Error

NET::CRR_CERT_INVALID

Description

Let’s consider that we have a CipherTrust Manager and want to configure the web interface using an external CA-generated certificate. As per the procedure, we’ll have to generate a CSR (Certificate Signing Request), upload the root and intermediate CAs on CipherTrust Manager, and then assign the externally signed certificate to the web interface.

Cause

The primary reason for this error is that the certificated signed by the external CA for the web interface of CipherTrust Manager has yet to be in an active state.

intermediate CAs on CipherTrust Manager

Solution

Let’s assume we are configuring a web interface certificate for thales01.ec.com. To resolve this error, please follow the below-mentioned steps

  1. Login to CipherTrust Manager. From the dashboard, click on CSR Tool under CA.

    CSR Tool under CA
  2. Click on + Create CSR and enter all the required information.

    CSR Info
  3. After verifying the information, click on Create.

  4. Save the private key as well as the CSR.

    RSA
  5. Send the CSR to the signing authority to create the signed certificate.

    Note: The preferred certificate format is PEM.

  6. Now, upload the Root and Intermediate CA Certificates. From the Dashboard, click External under the CA section.

    Root and Intermediate CA Certificates
  7. Click on + Add External CA.

    Add External CA
  8. Enter the Display name and paste the Root CA certificate in the box. Click on Save.

    Add External Certificate
  9. Perform similar steps for adding intermediate/issuing CA.

  10. Navigate to interfaces under admin settings.

    interfaces under admin settings
  11. Click on the … (3 dots) for web and select Edit.

    Interfaces
  12. Select “Turn off auto generation from Local CA” for Local CA for Automatic Server Certificate Generation.

    Local CA
  13. Add the Root CA and the Intermediate CA to the External Trusted CAs list.

    Root CA and the Intermediate CA
  14. Click on the arrow and expand the Upload Certificate option. Paste the entire certificate chain into the box.
  15. Select PEM on Format.
  16. Enter the Private Key Password (if required) created during the process of CSR generation.
  17. Click on Upload New Certificate. We have now successfully assigned an externally signed certificate to the web interface.
  18. Navigate to services under Admin settings.
  19. Click on System Restart

    CSR generation
  20. Once the services have been restarted, try to access the GUI of CipherTrust Manager by entering the hostname in the browser. If the error below appears, wait approximately 20-30 minutes for the certificate to get active and then refresh the page.

    intermediate CAs on CipherTrust Manager

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Yathaarth Swaroop is a Consultant at Encryption Consulting, working with PKIs, HSMs and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo