- Step 1: Generate CSR in Analytics -
$ cd /opt/versa/scripts/van-scripts
$ ./van-csr-gen.sh --domain analytics1.versa-networks.com \
--country US --state CA \
--organizationalunit IT --locality "San Jose" \
--email lab@versa-networks.com \
--organization "Versa Networks" \
--keypass versa123
The process of generating a CSR creates a public and private key pair on the Versa Analytics server in the /opt/versa/var/van-app/certificates/certs/ directory. After the CSR is generated, submit it to an external CA such as VeriSign, Thawte, or Symantec to have the certificate request signed.
Many certification authorities can sign your certificates. The CA you choose should satisfy the following criteria:
a) Allows freedom to deploy certificates on any number of servers.
b) Provides an efficient certification management tool to manage all certificates.
c) Provides technical support.
d) Is a publicly trusted CA.
- Step 2: Import CA signed certificate -
1. Installing existing private key and CA-signed certificate on Versa Analytics Server
2. Copy the CA signed certificate to /home/versa/
3. Install the certificate by using the script below. The CA-signed certificate can be in .cer or .crt format.
E.g.:
$ sudo /opt/versa/scripts/van-scripts/van-import-cert.sh \
--key path-to-private-key-file \
--cert path-to-signed-certificate-file \
--keypass certificate-password \
--cafile path-to-CA-certificate-file
Note: If the customer certificate is signed by an "Intermediate CA", the "Root CA" and "Intermediate CA" certificates must be combined into one file. You can identify this case by viewing Certificate > Certification Path.
Save the Root CA certificate and combine the two:
Select the Root CA certificate in Certification Path > View Certificate > Details > Copy to file > Save the certificate with the 'Base-64 encoded X.509' file format.
This command can be used in a shell to merge the Root and Intermediate CA certificates:
cat <Root-CA.crt> <Intermediate-CA.crt> > <CA.crt>
→ If the import succeeds, the Tomcat keystore file is created under /opt/versa/var/van-app/certificates/certs/
→ Copy the "tomcat_keystore.jks" file to /opt/versa_van/apps/apache-tomcat-7.0.92/conf/ (check the installed apache-tomcat version).
→ Restart Versa Analytics services. (vsh restart)
→ Use the commands below to verify the certificates and keys.
The hash of the private key's public key and the hash of the certificate's public key should match:
openssl pkey -in <privateKey.key> -pubout -outform pem | sha256sum
openssl x509 -in <certificate.cer> -pubkey -noout -outform pem | sha256sum
Verify that the CA-signed certificate chains to the CA certificate:
openssl verify -verbose -CAfile <CA-certificate> <CA-signed-certificate>
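The two verification checks above and the Root/Intermediate merge from the note, combined into one preflight that can be run before van-import-cert.sh. This is an added example, not Versa's script: the helper names (key_hash, cert_hash, preflight, build_demo_pki) and the throwaway certificates are constructed here so it runs offline with openssl and sha256sum.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not Versa tooling or customer data.

# SHA-256 of the public key, taken from a private key or from a certificate.
key_hash()  { openssl pkey -in "$1" -pubout -outform pem | sha256sum | cut -d' ' -f1; }
cert_hash() { openssl x509 -in "$1" -pubkey -noout -outform pem | sha256sum | cut -d' ' -f1; }

# preflight KEY CERT CAFILE (hypothetical helper): prints "ok" only when the key
# belongs to the certificate and the certificate chains to the CA bundle.
preflight() {
    [ "$(key_hash "$1")" = "$(cert_hash "$2")" ] || { echo "key/cert mismatch"; return 1; }
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || { echo "chain does not verify"; return 2; }
    echo "ok"
}

# build_demo_pki DIR: constructed root CA -> intermediate CA -> server certificate,
# plus an unrelated key ("other") for the mismatch case.
build_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter server other; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
        openssl req -new -key "$d/$n.key" -subj "/CN=constructed-$n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 1 -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 1 -out "$d/inter.crt" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
        -days 1 -out "$d/server.crt" 2>/dev/null
    cat "$d/root.crt" "$d/inter.crt" > "$d/CA.crt"   # same merge as the cat command above
}

demo=$(mktemp -d) && build_demo_pki "$demo"
preflight "$demo/server.key" "$demo/server.crt" "$demo/CA.crt"            # merged bundle
preflight "$demo/server.key" "$demo/server.crt" "$demo/root.crt" || true  # intermediate missing
preflight "$demo/other.key"  "$demo/server.crt" "$demo/CA.crt"   || true  # wrong private key
rm -rf "$demo"
```

The constructed keys are unencrypted; for a key protected with a passphrase, openssl pkey prompts for it.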
By default, Analytics listens on port 8443. To change the port, edit the "catalina.properties" file under /opt/versa_van/apps/apache-tomcat-7.0.92/conf/
[versa@versa-analytics: conf] $ netstat -an | grep 443
tcp6 0 0 :::8443 :::* LISTEN
[versa@versa-analytics: conf] $ sudo vi catalina.properties
tomcat.port=8080
tomcat.secure.port=443
tomcat.address=0.0.0.0
Then restart Versa Analytics services again (vsh restart). Analytics should now be listening on port 443.
[versa@versa-analytics: conf] $ netstat -an | grep 443
tcp6 0 0 :::443 :::* LISTEN