During the installation, the DLP API created its own self-signed certificate.
In most implementations this certificate is not kept; it is replaced with the customer's CA-signed certificate so that other PCs and servers in the organization can trust the server.
To replace the original certificate with a CA-signed one:
- Ask the customer to create a certificate in certificate request format (CSR)
- Ask the customer to sign this certificate with the organization's CA
- Ask for this certificate to be exported in cer+key format
- If for some reason the format needs conversion, perform the following steps in OpenSSL:
  - openssl pkcs12 -in <full path of the pfx file> -nocerts -out certificate_temp.key
  - openssl rsa -in certificate_temp.key -out certificate.key
  - Delete the certificate_temp.key file
  - Copy certificate.key to the <OPSWAT Installation Directory>/nginx
  - Open cmd, navigate to the OpenSSL installation folder and run the following command:
  - openssl pkcs12 -in <full path of the pfx file> -clcerts -nokeys -out certificate.crt
  - Copy certificate.crt to the destination on the server
- Once the certificate is in the required format, name the files dlpapi.crt and dlpapi.key
- On the DSI server, navigate to the following directory: "[Drive:]\Program Files (x86)\Bulwarx\DLP Api\cert"
- Rename the existing files
  - From: dlpapi.crt and dlpapi.key
  - To: dlpapi.crt.old and dlpapi.key.old
- Copy the dlpapi.crt and dlpapi.key files that we created to the directory: "[Drive:]\Program Files (x86)\Bulwarx\DLP Api\cert"
- Open Services.msc -> Standard -> restart the [Bulwarx DLP Api] service
- Open the website to confirm proper function. The URL will be: https://servername.domain:8081. Do not browse to localhost, as this will result in a certificate error!
- Send a file to be scanned to test the proper function of the system
- Check that the proper certificate is presented and that there are no errors.
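
The final certificate check can also be scripted. The PowerShell below is an added example, not part of the original procedure or the vendor's tooling: it connects to the DLP API, records the validation result for the presented certificate, and compares it with the dlpapi.crt file on disk. The server name is the placeholder from the URL above and the D: drive letter is an assumed stand-in for "[Drive:]".

```powershell
# Added example: verify the certificate the DLP API serves after the swap.
# Assumptions: 'servername.domain' is the placeholder name from this page;
# 'D:' stands in for the "[Drive:]" placeholder in the cert directory path.
param(
    [string]$ServerName = 'servername.domain',
    [int]$Port = 8081,
    [string]$CertPath = 'D:\Program Files (x86)\Bulwarx\DLP Api\cert\dlpapi.crt'
)

$script:policyErrors = $null

# Record validation errors instead of aborting the handshake, so name and
# chain problems are reported together rather than as a single exception.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    # The name passed here is the one checked against the certificate.
    $ssl.AuthenticateAsClient($ServerName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# The file that was copied into the cert directory during the procedure.
$onDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

[pscustomobject]@{
    Subject          = $served.Subject
    Issuer           = $served.Issuer
    NotAfter         = $served.NotAfter
    SelfSigned       = ($served.Subject -eq $served.Issuer)
    MatchesDlpApiCrt = ($served.Thumbprint -eq $onDisk.Thumbprint)
    PolicyErrors     = $script:policyErrors
}
```

Run it from a machine that trusts the organization's CA. A PolicyErrors value containing RemoteCertificateNameMismatch means the name used to connect is not in the certificate, which is why browsing to localhost fails; SelfSigned being True or MatchesDlpApiCrt being False means the service is still serving a different certificate than the one copied in.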