Please note, this article does NOT apply to version 6.x of DualShield, as that version has its own built-in feature to renew the self-signed cert
During the installation of the DualShield Authentication Server, the customer gets the option of getting a self-signed certificate created for them during setup.
This option gives the opportunity for IT administrators to trial our product to see if they like it before they purchase a commercial certificate.
By default the self-signed CA and server certificates had a validity period of 100 years. However, because of newer security and compliance requirements, some web browsers (e.g. a recent update of Chrome), MFA clients such as VPNs, and authenticators such as Apple Push will not accept certificates with an expiry date so far in the future. Recent versions of DualShield only create self-signed certs with a one-year expiry.
Unfortunately, we have a small number of customers who are using self-signed certificates in a production environment. The expiry date has caused issues. This article is for the handful of customers where we may need to renew the certificate with a new expiry date.
To renew the Self-Signed Server Certificate you will need to download a third-party tool called Keystore Explorer.
When launching KeyStore Explorer for the first time, you may be asked to install Java 1.8. This may already have been shipped with DualShield.
You can check the version you have by opening a command prompt and typing the following commands:
cd "C:\Program Files\Deepnet DualShield\jre\bin"
java.exe -version
If you do have version 1.8.0 or higher installed, then you can run KeyStore Explorer using this version:
cd "C:\Program Files (x86)\KeyStore Explorer"
"C:\Program Files\Deepnet DualShield\jre\bin\java.exe" -jar kse.jar
If you have an older version of Java, then this will not work. You will need to download and install the latest version of Java; KeyStore Explorer will prompt you to do this when you launch it from the shortcut icon.
Step-by-Step Guide on Updating the Server Certificate
File > New, select PKCS #12 and click OK
An Untitled KeyStore will appear
Right-click anywhere in the Untitled KeyStore and select Generate Key Pair.
The Generate Key Pair Dialogue box will appear
Leave the algorithm option as RSA
Check the Key Size to make sure it matches the public key size of your existing certificate
Adjust the key size if necessary and click OK
Make sure the Signature Algorithm matches the value in the existing certificate
Set the validity period to the period in years you would like the new certificate to expire and click Apply
Click on the edit button next to Name
Specify the Common Name as the FQDN of your DualShield Server
(It is advisable to copy and paste the FQDN to avoid mistakes)
The other fields are optional. Click OK
Click Add Extensions
Use Standard Template
Select SSL Server
Click the + button
Select Subject Alternative Name and click OK
Select DNS and specify your DualShield FQDN once again.
Click OK, then OK to exit the Certificate Extensions box.
Click OK to exit the Generate Key Pair box
Enter a Key Pair Password
Right-click on the new Key Pair and select Generate CSR
Click Browse to modify the name and file location, then click OK and OK.
Browse to C:\Program Files\Deepnet DualShield\jre\lib\security and open the file called cacerts
At the password prompt type changeit
Search for the key store entry called dualultimateca
Right-click on this entry and select Sign > Sign CSR
Select the CSR file you had created in a previous step and click Open
Modify the Validity Period, then click Apply
Click Transfer Extensions, then OK.
Go back to the new Key Store
Right-click on the key store entry and select Import CA Reply > From File
Select the p7r response file
Right-click on the key store entry and select View Details > Certificate Chain Details
Make sure the Certificate Hierarchy at the top is correct and that the validity date for the new server certificate is also correct.
Click on File>Save
You will be prompted to set a Keystore password
Enter and confirm the new password and click OK
Then save as a PFX file
Copy the newly created PFX file to the DualShield certs folder, C:\Program Files\Deepnet DualShield\certs.
Open the server.xml file, which is located in the folder: C:\Program Files\Deepnet DualShield\tomcat\conf\
Search the keyword 'allinone'
You should find the following text:
You will most likely have other lines in there, such as cipher settings, but the attribute we are looking for is keystorePass. Make sure the password specified matches the one set on the newly created PFX file. If not, you will need to update all occurrences of keystorePass within the server.xml file. DualShield uses 5 ports, 8072 to 8076, so there are 5 occurrences of the certificate settings in server.xml; change all of them in the same way.
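As an added example (not Deepnet's code), a short Python check for that step: it lists the keystorePass on each allinone connector in server.xml, reports the ports whose password does not match the one set on the new PFX, and can rewrite all five in one go. The sample server.xml and the passwords in it are constructed; keystoreFile and keystorePass are Tomcat's own attribute names.

```python
"""Check that every DualShield connector in tomcat/conf/server.xml carries the
same keystorePass before allinone.pfx is swapped. Added example, not Deepnet code."""
import re
import xml.etree.ElementTree as ET

PFX = "C:/Program Files/Deepnet DualShield/certs/allinone.pfx"

def _connector(port, password):
    # One HTTPS connector as it appears in server.xml (cipher attributes omitted).
    return (f'    <Connector port="{port}" SSLEnabled="true" scheme="https" secure="true"\n'
            f'      keystoreFile="{PFX}" keystoreType="PKCS12" keystorePass="{password}"/>\n')

# Constructed sample: the five DualShield ports 8072-8076; port 8075 carries a stale
# password, the kind of inconsistency that stops a connector starting after the swap.
SAMPLE_SERVER_XML = ('<Server port="8005" shutdown="SHUTDOWN">\n  <Service name="Catalina">\n'
                     + "".join(_connector(p, "OldPass123") for p in (8072, 8073, 8074))
                     + _connector(8075, "Typo123") + _connector(8076, "OldPass123")
                     + '  </Service>\n</Server>\n')

def keystore_connectors(xml_text):
    """Return [(port, keystorePass)] for connectors whose keystoreFile is allinone.pfx."""
    root = ET.fromstring(xml_text)
    found = []
    for c in root.iter("Connector"):
        if "allinone" in c.get("keystoreFile", "").lower():
            found.append((int(c.get("port")), c.get("keystorePass")))
    return sorted(found)

def password_mismatches(xml_text, pfx_password):
    """Ports whose keystorePass differs from the password set on the new PFX."""
    return [port for port, pw in keystore_connectors(xml_text) if pw != pfx_password]

_CONNECTOR_TAG = re.compile(r"<Connector\b[^>]*>")
_PASS_ATTR = re.compile(r'keystorePass="[^"]*"')

def set_keystore_pass(xml_text, new_password):
    """Rewrite keystorePass on every allinone connector and nothing else
    (regex over the tag text, so comments and layout in server.xml survive)."""
    if '"' in new_password:
        raise ValueError("password must not contain a double quote")
    def fix(tag):
        t = tag.group(0)
        return _PASS_ATTR.sub(f'keystorePass="{new_password}"', t) if "allinone" in t.lower() else t
    return _CONNECTOR_TAG.sub(fix, xml_text)

if __name__ == "__main__":
    print("ports with a stale password:", password_mismatches(SAMPLE_SERVER_XML, "OldPass123"))
    fixed = set_keystore_pass(SAMPLE_SERVER_XML, "NewPfxPass")
    print("mismatches after update:", password_mismatches(fixed, "NewPfxPass"))
```

Against a real install, read C:\Program Files\Deepnet DualShield\tomcat\conf\server.xml into xml_text, pass the password you gave the new PFX, and only write the result back once password_mismatches on it is empty.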
In File Explorer, go back to C:\Program Files\Deepnet DualShield\certs. Rename the current allinone.pfx to allinone.OLD, then rename the New Certificate.pfx to allinone.pfx.
Restart the DualShield service.
Repeat this process for all machines you have DualShield Server installed on, including all front-end and back-end machines.