Hi All,
Is there anyone experiencing unsecure site error when accessing Web reports using chrome? How did you remediate it. Thanks
You’ll need to repleace the default self-signed certificate with a trusted certificate. If your company has an internal Certificate Authority you may use a certificate signed by them; otherwise you may purchase one from Digicert, Geotrust, or any number of other publicly-trusted authorities.
Instructions on configuring the Web Reports certificate are available at https://www.ibm.com/support/knowledgecenter/en/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Web_Reports/c_configuring_web_reports_for_ht.html
We renewed our Web Reports cert this morning. IE/Edge worked perfectly; Chrome blocked it saying that the website is using HSTS. We tried to clear that but had to put the old certs back in. This is because I didn’t select the option to send CT-Logs…still looking to confirm.
And to add because I’m frustrated… renewing or installing new certs on other services that I manage are pretty straightforward. It’s only the BigFix services where I have to go through involved processes (for each service; WebUI being the worst). This has to be improved.
The message about HSTS could be because of CT logs, but any other problem with the certificate (such as missing SubjectAltName, bad dates, untrusted issuer, etc.) could all give that message.
The idea is that if the server was previously configured for Host Strict Transport Security, the browser should not give an option to “ignore certificate problems and open the site anyway”, thr browser should just about the connection.
In that scenario I’m not even sure if this is an option, but try hitting F12 to bring up Developer Options in Chrome, amd see if the Security tab gives a better error message.
I agree that the certificate options should be easier…we use a mix of OpenSSL and Java keystores, but that complexity could be better abstracted in the tools. Unfortunately when using a web interface to configure these, if it goes wrong you get locked oht of the interface you’d need to fix it.
Thank you for your responses. We use Entrust. I resubmitted the cert, selecting the CT-Logs option, and now it works in Chrome. So that was the mistake here that I had made. Now on to WebUI, BFI, and BFC…
So renewing my WebUI cert will be a first for me. The WebUI is on its own server, not the BES. That being said, I want to confirm:
The two files needed (and I know how to build them) are ssl.crt and ssl.pvk. They are located in C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI on the WebUI server. There is also an ssl.key file in there but I have no notes on where that came from.
My expectation is that I build my keys (which is its own process) then replace the two and restart the WebUI service. Does that sound right?
There are also some crt files in C:\Program Files (x86)\BigFix Enterprise\BES WebUI\cert (auth_cert.crt, auth_key.key, and ca.crt) but I’m sure where those came from.
I’ll check my notes, but check to see whether you are using ssl.pvk or ssl.key as your private key; I believe those are controlled via client settings on the WebUI host.
Don’t be shy about opening support tickets either when you want feedback on upgrade plans - you don’t have to wait to have a priblem to get support feedback or to have them on standby to help. Some time back I found it very helpful to open a ticket such as “I am upgrading a 9.2 DSA to 9.5 next week” and get feedback on my transition plan, and to make sure my friends on the support team were ready if I needed to call.
From my notes, WebUI uses the certificate and key files defined in the client settings
WebUIAppEnv_WEB_CERT_FILE
_WebUIAppEnv_WEB_KEY_FILE
By default they are ssl.crt and ssl.pvk. The pvk needs to be accessible without a password (not encrypted); perhaps ssl.key was a password-protected/encrypted key generated by Entrust, that you later converted to a clear key with OpenSSL or similar?
Sure but renewing certs should be easy. 
I follow this process for all certs:
Then I take nopwdkey.pem and rename to ssl.pvk.
Then from Entrust, I take ServerCertificate.cert, Intermediate1.cert, and Intermediate2.cert and combine them in that order to make ssl.crt.
Those are my two files.
That was one of my issues when setting this up originally. The instructions were based on installing the WebUI on the BES. Maybe not a big deal, but by installing it as a stand alone, some directory paths did not match the documentation. For example, I don’t even have those regkeys you list.
Ok you won’t need the client settings if you are using the default values, so it is definitely the ssl.crt and ssl.pvk that are in use.
I’m in total awe. I received my certs and built the ssl.crt using the three in the chain, replaced ssl.crt and ssl.pvk in C:\Program Files (x86)\BigFix Enterprise\BES WebUI\WebUI on the WebUI server, restarted the WebUI service, waited a few minutes anxiously for the page to display and it did. And the cert was updated. Amazing!
2 Likes