
FSAA Manual Certificate Configuration

To create and store the certificates needed to set up FSAA scans using manual certificate exchange, use the FSAACertificateManager.exe tool. The FSAACertificateManager.exe tool is located in the StealthAUDIT\PrivateAssemblies\FILESYSTEMACCESS\Applet directory. All commands in the tool are case-sensitive.

Follow the steps to use the tool to create and store the required certificates.

NOTE: In these steps, some commands need to be run on the Access Analyzer console and some on the Proxy host. In the provided example commands:

  • All files that are generated by the Certificate Manager or copied to the Access Analyzer console are placed in the %SAInstallDir%\PrivateAssemblies\FILESYSTEMACCESS\Applet\My Certificates directory. This folder is created by the tool if it does not already exist.
  • When operating on the proxy host, files are placed into the root of the FSAA folder.

Remember, all commands in the FSAACertificateManager.exe tool are case-sensitive.

Step 1 – Create a Certificate Authority (CA). The CA is a self-signed certificate that will be used to sign the client and server certificates. On the Access Analyzer console, run the following command:

.\FSAACertificateManager.exe -createCertificate -subjectDN "CN=FSAA CA NEAConsole.my.domain.com" -purpose CertificateAuthority -friendlyName FSAA_CA -outputPath ".\My Certificates" -name MyFSAACA
  • Replace the Common Name (CN) in this example command (FSAA CA NEAConsole.my.domain.com) with a unique and descriptive name
  • The output file is stored at the specified output path .\My Certificates

The following message is returned when the command completes successfully:

Successfully wrote certificate to .\My Certificates\MyFSAACA.pfx

Step 2 – Create a client certificate using the CA from the previous step. On the Access Analyzer console, run the following command:

.\FSAACertificateManager.exe -createCertificate -issuer ".\My Certificates\MyFSAACA.pfx" -subjectDN CN=NEAConsole.my.domain.com -purpose ClientAuth -subjectAlternativeNames NEAConsole -friendlyName FSAA_Client_Auth -outputPath ".\My Certificates" -name MyFSAAClientCert
  • Replace the CN (NEAConsole.my.domain.com) with the fully qualified domain name (FQDN) of your Access Analyzer console
  • Replace the alternate subject name (NEAConsole) with the short name for the Access Analyzer console
  • The output file is stored at the specified output path .\My Certificates

The following message is returned when the command completes successfully:

Successfully wrote certificate to .\My Certificates\MyFSAAClientCert.pfx

Step 3 – Store the CA in an FSAA managed certificate store. As the user that runs the Access Analyzer console, run the following command on the Access Analyzer console:

.\FSAACertificateManager.exe -storeCertificate -certificate ".\My Certificates\MyFSAACA.pfx" -store CertificateAuthority -location CurrentUser

The following message is returned when the command completes successfully:

Successfully added FSAA_CA to CertificateAuthority

Step 4 – Store the client certificate in an FSAA managed certificates store. As the user that runs the Access Analyzer console, run the following command on the Access Analyzer console:

.\FSAACertificateManager.exe -storeCertificate -certificate ".\My Certificates\MyFSAAClientCert.pfx" -store Client -location CurrentUser

The following message is returned when the command completes successfully:

Successfully added FSAA_Client_Auth to Client

Step 5 – Convert the CA from a PFX file to a CER file. On the Access Analyzer console, run the following command:

NOTE: This conversion to a CER file is necessary so that the private key of the CA is not shared.

.\FSAACertificateManager.exe -createCER -certificate ".\My Certificates\MyFSAACA.pfx" -outputPath ".\My Certificates" -name MyFSAACA

The following message is returned when the command completes successfully:

Successfully wrote CER certificate to .\My Certificates\MyFSAACA.cer

Step 6 – Copy FSAACertificateManager.exe and the CA CER file (.\My Certificates\MyFSAACA.cer) to the proxy host that will be running FSAAAppletServer.exe. Both files must be copied to the same directory.

NOTE: These copied files will be deleted from the destination directory later in Step 12.

Step 7 – Generate the server certificate signing request and key on the Proxy host. On the proxy host, run the following command out of the FSAA folder where the FSAACertificateManager.exe was copied to:

.\FSAACertificateManager.exe -createCertificateSigningRequest -subjectDN CN=proxy01.my.domain.com -subjectAlternativeNames Proxy01 -outputPath . -name Proxy01
  • Replace the CN (proxy01.my.domain.com) with the FQDN of the proxy host
  • Replace the alternate subject name (Proxy01) with the short name for the proxy host
  • The generated certificate signing request and key are stored in the same directory as FSAACertificateManager.exe on the proxy host

The following message is returned when the command completes successfully:

Successfully wrote certificate signing request to .\Proxy01.csr
Successfully wrote certificate key to .\Proxy01.key

Step 8 – Store the CA on the proxy host in an FSAA managed certificate store. As the user that runs the proxy scanner (FSAAAppletServer.exe), run the following command on the proxy host:

.\FSAACertificateManager.exe -storeCertificate -certificate .\MyFSAACA.cer -store CertificateAuthority -location CurrentUser

The following message is returned when the command completes successfully:

Successfully added FSAA_CA to CertificateAuthority

Step 9 – Complete the server certificate signing request on the Access Analyzer console. Copy the CSR file from the proxy host to the My Certificates directory on the Access Analyzer console (where the original CA PFX file is located), then run the following command on the Access Analyzer console:

.\FSAACertificateManager.exe -completeCertificateSigningRequest -certificateSigningRequest ".\My Certificates\Proxy01.csr" -purpose ServerAuth -issuer ".\My Certificates\MyFSAACA.pfx" -days 365 -outputPath ".\My Certificates" -name Proxy01

The following message is returned when the command completes successfully:

Successfully completed certificate signing request to .\My Certificates\Proxy01.cer

Step 10 – Store the server certificate on the proxy host in an FSAA managed certificate store. Copy the Proxy CER file back to the proxy host from the Access Analyzer console. Then, as the user that runs the proxy scanner (FSAAAppletServer.exe), run the following command on the proxy host:

.\FSAACertificateManager.exe -storeCertificate -certificate .\Proxy01.cer -key .\Proxy01.key -friendlyName FSAA_Server_Auth -store Server -location CurrentUser

The following message is returned when the command completes successfully:

Successfully added FSAA_Server_Auth to Server

Step 11 – Repeat Steps 6-10 for each proxy host.

Step 12 – Delete all of the PFX, CER, and KEY files that were generated or copied in the above steps from their output locations on the Access Analyzer console and on each proxy host.
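The following PowerShell script is an added verification example; it is not part of this documentation and not part of the FSAACertificateManager.exe tool. Run it on the Access Analyzer console after Step 9 and before the cleanup in Step 12, while the files are still present in the My Certificates directory. It checks the properties the manual exchange depends on: the CA is self-signed and keeps its private key in the PFX, the CER copy that travels to proxy hosts is the same certificate without the key (the point of Step 5), the client and server certificates are actually signed by that CA, and the server certificate names the proxy and carries the 365-day lifetime requested in Step 9. The file names are those used in the example commands above. Two assumptions are not stated on this page and are only assumptions here: the PFX files are not password protected, and the tool encodes -purpose as the standard Client/Server Authentication EKU OIDs and -subjectAlternativeNames as a SAN extension. A failing check is a prompt to inspect the file (for example with certutil), not proof of a defect.

```powershell
# Added verification script (not Netwrix documentation or tool code). Run on the
# Access Analyzer console after Step 9, before the files are deleted in Step 12.
# Assumptions: unprotected PFX files; -purpose maps to standard EKU OIDs and
# -subjectAlternativeNames to a SAN extension (neither is stated in the docs).
param(
    [string]$CertDir        = ".\My Certificates",
    [string]$CaPfx          = "MyFSAACA.pfx",
    [string]$CaCer          = "MyFSAACA.cer",
    [string]$ClientPfx      = "MyFSAAClientCert.pfx",
    [string]$ServerCer      = "Proxy01.cer",
    [string]$ProxyShortName = "Proxy01"
)

$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$results = New-Object System.Collections.Generic.List[object]

function Get-CertFile([string]$Name) {
    # X509Certificate2 reads both PFX (with private key) and DER .cer (public part only).
    # Resolve to a full path: the .NET constructor does not use the PowerShell location.
    $path = (Resolve-Path (Join-Path $CertDir $Name)).Path
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
}

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results.Add([pscustomobject]@{
        Check  = $Name
        Result = $(if ($Ok) { "PASS" } else { "FAIL" })
        Detail = $Detail
    })
}

function Get-Ekus($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

function Test-IssuedBy($Cert, $Ca) {
    # Build the chain with the FSAA CA supplied as an extra store. The CA is deliberately
    # not in the Windows root store (FSAA keeps its own stores), so an untrusted root is
    # allowed, but a certificate whose signature does not verify against the CA still fails.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void]$chain.ChainPolicy.ExtraStore.Add($Ca)
    $built = $chain.Build($Cert)
    if (-not $built -or $chain.ChainElements.Count -eq 0) { return $false }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($root.Thumbprint -eq $Ca.Thumbprint)
}

$ca     = Get-CertFile $CaPfx
$caPub  = Get-CertFile $CaCer
$client = Get-CertFile $ClientPfx
$server = Get-CertFile $ServerCer

# Step 1: the CA is self-signed and the PFX carries the key needed to sign CSRs in Step 9
Add-Check "CA is self-signed"              ($ca.Subject -eq $ca.Issuer) $ca.Subject
Add-Check "CA PFX has private key"         $ca.HasPrivateKey ""
$bc = $ca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
Add-Check "CA basic constraints CA=true"   ($bc -and $bc.CertificateAuthority) ""

# Step 5: the CER sent to proxy hosts is the same certificate, minus the private key
Add-Check "CA CER matches CA PFX"          ($caPub.Thumbprint -eq $ca.Thumbprint) $caPub.Thumbprint
Add-Check "CA CER has no private key"      (-not $caPub.HasPrivateKey) ""

# Step 2: the client certificate is signed by the CA and marked for client authentication
Add-Check "Client cert issued by CA"       (Test-IssuedBy $client $ca) $client.Subject
Add-Check "Client cert has ClientAuth EKU" ((Get-Ekus $client) -contains $ClientAuthOid) ""
Add-Check "Client PFX has private key"     $client.HasPrivateKey ""

# Step 9: the server certificate is signed by the CA, marked for server authentication,
# names the proxy in its SAN, and lives 365 days as requested with -days 365
$san = $server.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($san) { $san.Format($false) } else { "" }
Add-Check "Server cert issued by CA"       (Test-IssuedBy $server $ca) $server.Subject
Add-Check "Server cert has ServerAuth EKU" ((Get-Ekus $server) -contains $ServerAuthOid) ""
Add-Check "Server cert SAN names proxy"    ($sanText -like "*$ProxyShortName*") $sanText
$lifetime = ($server.NotAfter - $server.NotBefore).TotalDays
Add-Check "Server cert lifetime ~365 days" ([math]::Abs($lifetime - 365) -le 1) ("{0:N0} days" -f $lifetime)

$results | Format-Table -AutoSize
if ($results.Result -contains "FAIL") { exit 1 }
```

Run it from the Applet directory with the defaults, or pass -ServerCer and -ProxyShortName for each proxy host's CER after repeating Step 9 for that host. The script only reads the files; it never stores anything in the FSAA managed certificate stores, so it can be run before or after Steps 3 and 4 without side effects.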

All of the required FSAA certificates have been stored in the FSAA managed certificate stores. The FSAA queries need to be configured to use the Manual certificate exchange option. This option can be found under Applet Settings in the FSAA Data Collector Wizard. See the FSAA: Applet Settings topic for additional information.

For additional information on how to use the FSAACertificateManager.exe tool, run the .\FSAACertificateManager.exe -help command.