Please note: this article does NOT apply to version 6.x of DualShield, as that version has its own built-in feature to renew the self-signed certificate.
Introduction
During the installation of the DualShield Authentication Server, the customer gets the option of getting a self-signed certificate created for them during setup.

This option gives the opportunity for IT administrators to trial our product to see if they like it before they purchase a commercial certificate.
By default, the Self-Signed CA and Server certificates had a validity period of 100 years. However, because of new security and compliance requirements, some web browsers (e.g. a recent update of Chrome), MFA integrations such as VPN, or authenticators such as Apple Push will not accept certificates with an expiry date so far in the future. Recent versions of DualShield only create Self-Signed certificates with a one-year expiry.
Unfortunately, a small number of customers are using self-signed certificates in a production environment, and the expiry date has caused issues. This article is for the handful of customers who may need to renew the certificate with a new expiry date.
To renew the Self-Signed Server Certificate you will need to download a third-party tool called Keystore Explorer.

https://keystore-explorer.org/downloads.html
When launching KeyStore Explorer for the first time, you may be asked to install Java 1.8. This may already have been shipped with DualShield.
You can check the version you have by opening a command prompt and typing the following commands:
cd C:\Program Files\Deepnet DualShield\jre\bin\
java.exe -version
If you do have version 1.8.0 or higher installed, then you can run KeyStore Explorer using this version:
cd C:\Program Files (x86)\KeyStore Explorer
"C:\Program Files\Deepnet DualShield\jre\bin\java.exe" -jar kse.jar
Example screenshot of commands

If you have an older version of Java, this will not work: you will need to download and install the latest version of Java. KeyStore Explorer will prompt for this when you attempt to launch it from the shortcut icon.
Step-by-Step Guide on Updating the Server Certificate
1) Launch KeyStore Explorer
2) Create New Keystore
File>New, select PKCS #12 and click OK

An Untitled KeyStore will appear

3) Generate Key Pair
Right Click anywhere in the Untitled Key Store and select Generate Key Pair.

The Generate Key Pair Dialogue box will appear

Leave option as RSA
Check the Key Size to make sure it matches the Public Key size of your existing certificate

Adjust the key size if necessary and click OK
4) Generate Key Pair Certificate

Make sure the Signature Algorithm matches the value in the existing certificate

Set the validity period to the number of years after which you would like the new certificate to expire, and click Apply
Click on the edit button next to Name
Specify the Common Name as the FQDN of your DualShield Server


(It is advisable to copy and paste the FQDN to avoid mistakes)
The other fields are optional. Click OK
Click Add Extensions

Use Standard Template

Select SSL Server

Click the + button

Select Subject Alternative Name and click OK

Select DNS and specify your DualShield FQDN once again.

Click OK, then OK to exit the Certificate Extension box.
Click OK to exit the Generate Key Pair box
Click OK
Enter a Key Pair Password

Click OK

5) Generate a CSR
Right Click on the new Key Pair and select Generate CSR


Click Browse to modify the name and file location, then click OK and OK.

6) Sign the CSR
File>Open
Browse to C:\Program Files\Deepnet DualShield\jre\lib\security and open the file called cacerts

At the password prompt type changeit

Search for the key store entry called dualultimateca

Right-click on this entry and select Sign>Sign CSR

Enter changeit

Select the CSR file you had created in a previous step and click Open

Modify the Validity Period then click on Apply

Click on Transfer Extensions, then OK.

7) Import CA Reply
Go back to the new Key Store
Right Click on the key store entry and select Import CA Reply>From File

Select the p7r response file


8) View Certificate Chain
Right-click on the key store entry and select View Details>Certificate Chain Details

Make sure the Certificate Hierarchy at the top is correct and that the validity date for the new server certificate is also correct.

Click OK
9) Save the Keystore as PFX
Click on File>Save
You will be prompted to set a Keystore password

Enter and confirm the new password and click OK
Then save as a PFX file

10) Replace the old SSL Certificate with the new
The certificate DualShield uses is stored as a file called allinone.pfx in the default location C:\Program Files\Deepnet DualShield\certs (or the corresponding path wherever you installed DualShield Authentication Server).

You need to copy the newly created PFX file to this folder.

Open the server.xml file, which is located in the folder: C:\Program Files\Deepnet DualShield\tomcat\conf\
Search for the keyword 'allinone'.
You should find the following text:

You will most likely have other lines in there, such as cipher information, but the main attribute we are looking for is keystorePass. Make sure the password specified matches the one for the newly created PFX file. If not, you will need to update all occurrences of keystorePass within the server.xml file. DualShield uses 5 ports, from 8072 to 8076, so there are 5 occurrences of the certificate settings in server.xml; you will need to change all of them in the same way.
In File Explorer, go back to C:\Program Files\Deepnet DualShield\certs. Rename the current allinone.pfx to allinone.OLD and then rename the New Certificate.pfx to allinone.pfx.

Restart the DualShield service.
Repeat this process for all machines you have DualShield Server installed on, including all front-end and back-end machines.
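A quick way to confirm step 10 before restarting the service is to check that every Connector in server.xml that references allinone.pfx carries the new PFX password and that all five DualShield ports are covered. The script below is an added example, not part of the article or of DualShield's own tooling; it assumes the Tomcat attribute names keystoreFile and keystorePass named in the article, and the server.xml text inside it is a constructed sample.

```python
# Added example (not from the article or from DualShield): checks that every
# Tomcat <Connector> in server.xml that references allinone.pfx carries the
# same keystorePass and that all five DualShield ports 8072-8076 are covered.
# Assumes the Tomcat attribute names keystoreFile / keystorePass from the
# article; SAMPLE_SERVER_XML is a constructed sample, not a real server.xml.
import xml.etree.ElementTree as ET

DUALSHIELD_PORTS = {"8072", "8073", "8074", "8075", "8076"}
KEYSTORE = 'keystoreFile="C:/Program Files/Deepnet DualShield/certs/allinone.pfx"'

# Constructed sample: four connectors updated, port 8075 still has the old password.
SAMPLE_SERVER_XML = f"""<Server port="8005">
  <Service name="Catalina">
    <Connector port="8072" SSLEnabled="true" scheme="https" secure="true"
               {KEYSTORE} keystoreType="PKCS12" keystorePass="NewPfxPass1"/>
    <Connector port="8073" SSLEnabled="true" {KEYSTORE} keystorePass="NewPfxPass1"/>
    <Connector port="8074" SSLEnabled="true" {KEYSTORE} keystorePass="NewPfxPass1"/>
    <Connector port="8075" SSLEnabled="true" {KEYSTORE} keystorePass="OldPass"/>
    <Connector port="8076" SSLEnabled="true" {KEYSTORE} keystorePass="NewPfxPass1"/>
  </Service>
</Server>"""


def keystore_connectors(xml_text):
    """Map connector port -> keystorePass for every Connector using allinone.pfx."""
    root = ET.fromstring(xml_text)
    found = {}
    for conn in root.iter("Connector"):
        if "allinone" in conn.get("keystoreFile", "").lower():
            found[conn.get("port")] = conn.get("keystorePass")
    return found


def check_keystore_settings(xml_text, new_pfx_password):
    """Return a list of problems; an empty list means server.xml is consistent.
    Only the offending port is reported, never the password itself."""
    found = keystore_connectors(xml_text)
    problems = []
    for port in sorted(DUALSHIELD_PORTS - set(found)):
        problems.append(f"port {port}: no Connector referencing allinone.pfx")
    for port, password in sorted(found.items()):
        if password != new_pfx_password:
            problems.append(f"port {port}: keystorePass differs from the new PFX password")
    return problems


if __name__ == "__main__":
    # For a real check, read tomcat\conf\server.xml and pass its text instead.
    for line in check_keystore_settings(SAMPLE_SERVER_XML, "NewPfxPass1") or ["server.xml OK"]:
        print(line)
```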