Installing CA Certificates on Enterprise Agents
Enterprise Agents which perform Web Layer tests to targets protected by SSL/TLS (a target URL beginning with https://, ftps://, or ftp:// when using implicit-mode SSL/TLS) must validate the SSL server digital certificate and any intermediate certificates returned by the server or fetched by the client. Additionally, Enterprise Agents perform configuration download and data upload to ThousandEyes servers using TLS. Certificate validation requires that the sequence of certificates “chain” via digital signature back to the trusted root certification authority (CA) certificate that signed the previous certificate in the chain. As with most browsers and operating systems, ThousandEyes Enterprise Agents are pre-loaded with the standard X.509 CA certificate store of root CA certificates, which is provided by the Mozilla NSS project.
In some environments, the certificate(s) returned by the server do not chain back to a CA certificate in the standard certificate store, causing Web Layer tests to produce certificate errors and/or the administrative communication to ThousandEyes to fail. To avoid the errors, customers can add any needed certificates to an Enterprise Agent’s certificate store. The steps to add certificates vary, depending on the type of Enterprise Agent.
Adding root CA certificates cannot be performed on Cloud Agents, due to the shared nature of Cloud Agents. Endpoint Agents are installed on standard operating systems which the customer controls, including control of the certificate stores.
When to add certificates to an Enterprise Agent
When any Web Layer test (HTTP Server test, Page Load test, Transaction test or FTP Server test) or administrative communication from the Agent to ThousandEyes produces a certificate error, review the following scenarios to determine whether a root CA certificate must be added to the Enterprise Agent’s certificate store.
Certificates are issued by a private root CA certificate (internal PKI)
Organizations which run their own public key infrastructure (PKI) will issue their own SSL server certificates, intermediate certificates (if any), and root CA certificate(s) which will not be included in the standard Mozilla root certificate store. The root CA certificate that issued certificates on servers that are the targets of ThousandEyes tests must be added to the Enterprise Agent.
Decrypting proxy server
If an Enterprise Agent is explicitly configured to use a proxy or if an Agent's web traffic is captured by a transparent proxy (a proxy that does not require configuration of the client) and the proxy performs SSL/TLS decryption, then the proxy's signing certificate(s) must be added to the Enterprise Agent. Proxy servers which decrypt and inspect data carried by SSL/TLS use a signing certificate to rewrite server certificates. Typically, the proxy signing certificate is not issued by one of the certificates in the standard certificate store. Often, the proxy software generates this certificate. The decrypting proxy scenario affects both ThousandEyes Web Layer tests and Agent communication to ThousandEyes.
Self-signed SSL server certificate
A self-signed SSL server certificate will not chain back to a root CA certificate in the Enterprise Agent's standard certificate store. If correctly created, a self-signed certificate can be added to the Enterprise Agent's certificate store to eliminate certificate errors when the Agent performs tests to the server with the self-signed certificate.
Additionally, if the target of the test does have certificates issued by a Certificate Authority whose root certificate is in the Agent's certificate store, but the target server does not return all needed intermediate certificates, and the customer cannot add the missing certificates on the server, then the intermediate certificate(s) can be added to the Enterprise Agent’s certificate store to create the “trust anchor” other than the root CA certificate. However, the customer should take great care in ensuring the veracity of any intermediate certificates, and understand and accept the impact the new trust anchor could have on other tests or aspects of the Agent operation, either in the present or in the future. ThousandEyes does not recommend adding intermediate certificates to an Enterprise Agent's certificate store.
Converting certificates into PEM format
To add a CA certificate to an Enterprise Agent, the certificate file must be in PEM format. This format can easily be recognized by viewing the file:
If your CA certificate is in a format other than PEM format, either use one of the free online certificate converters (link #1, link #2 or link #3), or use the commands below to convert your CA certificate into PEM format with the openssl
command line utility.
Convert a DER file (.crt, .cer or .der) to PEM format:
Convert a PKCS#12 file (.pfx or .p12) to PEM format:
Installing on Virtual Appliances
Log into the Virtual Appliance's web management console, and click on the Network tab:
In the CA Certificate section, either paste the CA certificate into the Add CA Certificate field or browse to your PEM-formatted certificate file:
If pasting, ensure that whole certificate is pasted into the field, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers at the beginning and end of the certificate.
Multiple CA certificates may be installed by copying and pasting each certificate, concatenating the certificates in the Add CA Certificate field:
Click the Save button at the bottom of the page to complete the operation.
Installing on supported Linux Distributions
When installing CA certificates on supported Linux distributions with the Enterprise Agent, CA certificates must be installed in two locations:
The system's CA certificate store
The NSSDB certificate store in the .pki/nssdb sub-directory of BrowserBot's home directory /var/lib/te-browserbot
All commands should be executed as root. If logging into the system as a non-privileged user, begin each command with sudo.
The instructions below are provided in two sections for the two sets of supported Linux distributions: 1) Ubuntu and 2) Red Hat Enterprise Linux, CentOS and Oracle Linux. These instructions use the example certfile filename MY-CA-CERT.pem.
Ubuntu
Install the required packages for managing CA certificates:
Copy the certfile file (in PEM format; see above for conversion information) into the /usr/share/ca-certificates directory of the Enterprise Agent:
Open the /etc/ca-certificates.conf file in a text editor:
Append a line containing only the certfile filename to the end of the file:
Multiple certificate files can be added using multiple lines.
Update the system certificate store using the update-ca-certificates
command, as shown below, with successful output:
The system CA certificate store now contains your CA certificate(s).
For BrowserBot, first create the directory that will contain the certificate store:
Initialize the certificate store in directory created above:
Add the CA certificate into the newly created certificate store:
Change both the owner and the group of all newly created files and directories to browserbot:
Restart the te-browserbot service:
Red Hat Enterprise Linux, CentOS and Oracle Linux
Install the required packages for managing CA certificates:
Copy the certfile file (in PEM format; see above for conversion information) into the /etc/pki/ca-trust/source/anchors/ directory of the Enterprise Agent:
Update the system certificate store using the update-ca-trust command:
The system CA certificate store now contains your the CA certificate.
For BrowserBot, first create the directory that will contain the certificate store:
Initialize the certificate store in the directory:
Add the CA certificate to the newly created certificate store:
On RHEL/CentOS 7 only, change both the owner and the group of all newly created files and directories to browserbot. On RHEL/CentOS 6 this step must be skipped:
Restart the te-browserbot service:
Alpine
Copy the certfile file (in PEM format; see above for conversion information) into the /usr/share/ca-certificates directory of the Enterprise Agent:
Append a line containing only the certfile filename to the end of the /etc/ca-certificates.conf file:
Multiple certificate files can be added using multiple lines.
Update the system certificate store using the update-ca-certificates
command:
The system CA certificate store now contains your CA certificate(s).
Installing on Docker
The Enterprise Agent Docker image is based on Alpine Linux. To install CA certificates on a Docker Enterprise Agent, follow the instructions for Installing on Alpine.
IMPORTANT: If you replace the Enterprise Agent container, CA certificates will need to be reinstalled in the system store.
Docker-based Enterprise Agents can be quickly reinstalled by removing the existing container with the docker rm
command and redeploying the container by running the same docker run
command that was used for initial container creation. Provided that the directories on the host created with the -v
or --volume
flag from the docker run
command are not removed after docker rm
is executed, and that those state directories are reused during the second docker run
command execution, the replacement Enterprise Agent will retain the identity and general configuration of the previous container. However, replacing the container in this manner will not retain your CA certificates in the system store. The certificates will need to be reinstalled for the system store using the process described in the Installing on Alpine section. The certificates installed for the NSSDB/BrowserBot store will be retained, so customers do not need to re-add the certificate(s) to the NSSDB certificate store.
Installing on Cisco Docker Devices
Starting with Cisco Application Hosting 5.0, Cisco Enterprise Agents will use apk instead of apt for auto-updates
To install a CA certificate on a Cisco Docker Device:
Ensure your Docker configuration includes the SSL decrypting proxy location before running the Docker:
If the proxy configuration is missing, stop and deactivate the application. Edit the configuration as needed, then activate and restart the application. For more information on the steps to stop/start the application, see the Lifecycle of an Application section of the Cisco documentation.
Ensure the container is in the RUNNING state:
Connect to the container shell:
Confirm that the agent registration fails due to the proxy requiring a CA certificate in the agent logs:
You can also use the curl command, replacing the proxy and port variables:
If there is no certificate, you will see output similar to the example below:
The expected response is “404 Not Found”, validating that while the agent still needs a CA certificate, it does have access to the Internet through proxy.
Create a CA certificate file in /usr/share/ca-certificates:
Option One: Manually create the file, and add the PEM content:
Create a new PEM file in the following location:
Copy and paste your PEM file content, and save the changes.
Transfer the PEM certificate:
Copy the PEM file to the switch’s flash directory using SCP, FTP, TFTP, or USB storage:
Transfer the file to the application:
Files transferred from the switch to the application are stored in the /iox_data/appdata directory. This folder is created inside the container once the application is running. You will need to move the file to the correct location after it is transferred:
Note: Files can only be transferred from the switch to the application and not vice versa.
Warning: While files stored in /ios_data/appdata persist, if the container is deactivated or reloaded, any certificates will be removed, and the step above will need to be repeated, along with the rest of the instructions below.
Append the name of the created CA certificates file in /etc/ca-certificates.conf:
Execute the command update-ca-certificates and wait for a successful output:
Uninstall the cisco-core-trsb service. This step is only required for Cisco Agents:
Restart the te-agent service:
Check the agent log and make sure the previous curl error from step 4 disappears. If it no longer appears, the CA certificate has been installed correctly.
The CA certificate is now installed. If the agent uses browserbot, continue to the next section to import the certificate into the browserbot store.
Import the Certificate into the BrowserBot Store
The following steps should be completed after the previous instructions (Installing on Cisco Docker Devices), to import the certificate to the browserbot store:
Install the Certutil tool:
Create the directory that will contain the certificate store:
Initialize the certificate store in the new directory:
Add the CA certificate into the newly created certificate store:
Change both the owner and group of all newly created files and directories to browserbot:
Restart the te-browserbot service:
Last updated