Customize Certificate for Report Server / Log Server (WebCenter)

Is there any way to customize the certificate which is used for the WebCenter which hosts Report Server and Log Server?

The problem is that the certificate only contains the IP address but no DNS entry for "Subject Alternative Name".

What I found is that the file "C:\ProgramData\WatchGuard\wgca\wgca.ini" contains an entry "ExternalAddresses#1 = "XX.XX.XX.XX" which seems to be used for the SAN entry while generating an new cert. But there you can only specify an IP address and no DNS name. Is there any valid entry for specifying a DNS SAN entry in the ini file?

I don't know if replacing the cert altogether with one from custom PKI is possible. Certificate and key are located in "C:\ProgramData\WatchGuard\wsserver" and referenced in "C:\ProgramData\WatchGuard\wsserver\conf\httpd.conf". As it is based on Apache this is not a big deal, however as the certificates are auto generated I don't know if they get overwritten automatically someday in the future.

Best Answers

  • Options
    Answer ✓

    I believe that the cert is here: C:\ProgramData\WatchGuard\wrserver\certs
    And the conf file is here: C:\ProgramData\WatchGuard\wrserver\conf

    I think that you can follow the method shown here for replacing the auto-created cert:

    Import a custom certificate to the WatchGuard Quarantine Server

  • Options
    edited June 2021 Answer ✓

    The document you posted indeed also works for the Report Server. However the path to do the modifications is "C:\ProgramData\WatchGuard\wsserver" as I suspected previously. This can be verified by the "Listen" directive of the apache conf file which is "4130".

    "wrserver" is the instance which listens on Port "4122".

    One of the key points of the modifications IMHO is to store the custom cert and it's key under a different name, so that they will not get overwritten by the automatic cert generation.

    Again a big thanks for your help. Keep on with the valuable support here on the forum. IIRC I already saw you here a decade ago :)


Sign In to comment.