Manually Generating and Uploading User Certificates

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

General

Manually Generating and Uploading User Certificates

Most widely-used browsers do not readily support in-browser generation and storage of user certificates. If you want to use certificate-based user authentication with these browsers, this section provides additional information about generating and, if necessary, uploading those certificates.

Overview
Step 1: Preliminaries
Step 2: Generate and Install User Certificate

Overview

By default, the majority of widely-used browsers are configured to disable the keygen tag, meaning that key pairs cannot be generated in these browsers and so they do not readily support in-browser generation and storage of user certificates.
These browsers include Chrome, Edge, Safari, and (recent) Firefox.

With this default configuration, the Generate and Save Certificate button on the User Certificates page is disabled.

If the keygen tag is enabled, you will instead see a download notification for the certificate at the bottom of your page. Note, however, that this download does not include the private key, so is not sufficient for authentication.

screenshot: Notification that keygen is disabled

Step 1: Preliminaries

Before attempting to set up user certificates, make sure you have:

read the manual section on Certificates, and
used the the Configure HTTPS page to configure the hub to use HTTPS and set up a hub client authentication certificate.

Step 2: Generate and Install User Certificate

You can generate user certificates from the command line with codesonar generate-hub-cert. This command requires authentication from a user with suitable permissions. You can either authenticate interactively, or specify additional authentication arguments to the command.

Important Note: You will need to generate and convert the certificate on a machine that has CodeSonar installed. This does not have to be the same machine, or even have the same operating system, as the one on which you use the certificate.

For example, for user Alex on the hub at https://hubmachine:7340:

If you have not already done so, sign on to a machine where CodeSonar is installed.
Note: If you do not have access to such a machine, you will need to ask a hub administrator in your organization to generate the usercert.pfx file for you.
Run the following command to generate the user certificate and key in your working directory.
codesonar generate-hub-cert -foruser Alex https://hubmachine:7340 -out cert.pem -outkey key.pem

Use the appropriate openssl command from this table to convert the certificate and key into a suitable format for importing into your browser. If you don't have openssl installed locally, use $CSONAR/third-party/openssl/inst/bin/openssl (openssl.exe on Windows).

Windows	openssl.exe pkcs12 -export -out usercert.pfx -in cert.pem -inkey key.pem If openssl.exe outputs an "unable to write 'random state'" error message, see the troubleshooting notes below.
otherwise	openssl pkcs12 -export -out usercert.pfx -in cert.pem -inkey key.pem

Are you using the certificate on a different machine to the one where you generated and converted it?
- NO: Go on to the next step.
- YES:
  1. Sign in to the machine where you want to use the certificate.
  2. Copy the usercert.pfx file you created in step 2 to this machine.

Open the user certificate management utility for your browser, as follows.

Chrome	Perform the following steps in the browser. Open URL chrome://settings Scroll down to the Privacy and security section and click the Manage certificates link. (If the Privacy and security section is not displayed, scroll to the bottom of the Settings page and click Advanced.) Chrome will display a certificate management utility that depends on your operating system. Windows: a Certificates dialog. Otherwise: a Certificate Manager dialog.
Edge	Run the following at a command prompt to open the Windows Certificate Manager. certmgr.msc
Firefox	Perform the following steps in the browser. Click the menu button (3 horizontal lines) and select Options (in some Firefox versions, the menu item is called Preferences). Click Privacy & Security in the left pane and scroll down to the Certificates section. Click View Certificates... Firefox will open a Certificate Manager window.
Safari	Start from your desktop. Click Go in the Finder menu and select Utilities. Double click Keychain Access in the Utilities folder. Select the login keychain and the My Certificates category. Click File in the Keychain Access menu and select Import Items....
Other browsers	Consult your browser documentation.

Use the certificate management utility to import the usercert.pfx file you created in step 2.
(On Windows, place the certificate in the Personal store.)

You will now be able to use the certificate and private key to sign in to the hub when you are browsing with the corresponding browser.

Troubleshooting

[Windows only] If the openssl.exe command outputs an "unable to write 'random state'" error message, do one of the following.

Run the openssl.exe command with elevated system privileges (for example, in a cmd instance that was started with "Run as administrator").
If you are unable to use an elevated command prompt, set environment variable RANDFILE to a file for which you have read and write permission and then run the openssl.exe command. For example, at a command prompt (cmd):
set RANDFILE=.rnd
openssl.exe pkcs12 -export -out usercert.pfx -in cert.pem -inkey key.pem

To report problems with this documentation, please visit https://support.codesecure.com/.