MARRIOTT ENROLLMENT SERVER FOR WEB

Marriott Enrollment Server for Web

User Guide V1.6 10/17/2017

Table of Contents

• Overview
    o Introduction
    o High Level Steps: What to Expect
• Prerequisites
    o Administrative access
    o RNACs
    o Supported Browsers
• Downloading using Internet Explorer
    o SSL Browser Certificate Request – IE
    o SSL PKCS#10 Certificate Request - IE
• Downloading using Firefox
    o SSL Browser Certificate Request – Using Firefox
    o SSL PKCS#10 Certificate Request - Using Firefox
• Downloading CA Signer Certificates
    o Download Subordinate CA Certificate
• Exporting Certificates via Internet Explorer
• Exporting Certificates via Firefox
• Troubleshooting FAQ
• Common SSL Conversion Commands
    o Convert PFX/P12 to PEM
    o Convert PEM to DER
    o Import P12 into JKS using Keytool

Overview

Introduction

This document was created to help guide users through the ESWEB site with respect to activating, downloading and exporting unmanaged certificates issued by a Marriott CA.

High Level Steps: What to Expect

1. REQUEST CERTIFICATE FROM REQUEST CENTER - You must first have requested the certificate to be created using our PKI RC service. If you have not done that yet, please do so by clicking on this link: https://extranet.marriott.com/sdm/RequestCenter/myservices/navigate.do?query=serviceid&sid=302&

2. RETRIEVE RNACs FROM REQUEST CENTER - Once your PKI RC request has been submitted, approved and completed, the PKI Admin will enter the RNACs into your request and close the ticket. A completion email will be sent to the requestor, instructing the requestor to log back into the original ticket to gather the RNACs.

3. CHOOSE CORRECT ESWEB SITE - With RNACs now in hand, you will go to one of the websites below to download and activate your MI signed certificate.

IMPORTANT NOTES:

- It’s important to use the correct website, as using the wrong one will result in an error.
- You must use either Internet Explorer or Firefox when accessing these sites.
- You must ensure that you are NOT using a terminal server browser session.
- Lastly, you must ensure that you are logged into the session with an ID which can write to the user keystore.

a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1 certificates issued by MarriottDevSubCA1

b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1

c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all PRODUCTION SHA1 certificates issued by MarriottSubCA1

4. CHOOSE CORRECT DOWNLOAD PATH - Once the correct site is chosen, you have two options for certificate download and activation:

a. SSL Browser link – this link is used when no CSR is required and will download the certificate directly to the user/browser keystore.

b. SSL PKCS10 link – this link is used when you are submitting a CSR to be signed. This produces a .bin file that can then be downloaded and saved.

5. EXPORT AND/OR COPY BIN FILE TO SERVER

a. If you chose SSL Browser in step #4, you will need to export the certificate and private key out of the browser keystore. This automatically saves the certificate in P12/PFX format.

b. If you chose SSL PKCS10 in step #4, you now have a downloaded .bin file that can be safely renamed to .cer, .crt, or .der.

c. With either approach, should you need to convert the certificate into a different format that your keystore supports, please use a tool such as openssl or keytool to perform the conversions.

6. IMPORT CERTIFICATE (AND CA SIGNER CERTS) INTO YOUR KEYSTORE – The last task is to import the certificate along with the respective Marriott Root CA and Subordinate CA’s certificates into your keystore. Please follow your vendor’s recommended procedures to do so.

Prerequisites

Administrative access

The user who will be downloading the certificates must be logged into a machine with an account that has administrative privileges on that machine.

NOTE: Please do not attempt to download certificates while logged into a Terminal Server session. The default group policies on the terminal server do NOT allow you to download certificates.

RNACs

All Marriott issued certificates are downloaded using RNACs (Reference Number and Authorization Codes). These are one-time-use codes, provided by a PKI Administrator, and are valid for 30 days after issuance. Should the RNACs expire before you have attempted to download your certificate, new RNACs will need to be requested.

All RNACs are requested through Marriott’s Request Center PKI Certificate Request service.

Supported Browsers

Entrust Authority Enrollment Server for Web is supported on the following Web browsers.

• Microsoft Internet Explorer
• Mozilla® Firefox

Downloading using Internet Explorer

SSL Browser Certificate Request – IE

This section goes over how to download and activate your (Unmanaged) SSL Browser certificate using Internet Explorer. Should you need to download an (Unmanaged) SSL PKCS#10 certificate using Internet Explorer, please proceed to the next section, SSL PKCS#10 Certificate Request - IE.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.

a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1 certificates issued by MarriottDevSubCA1

b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1

c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all PRODUCTION SHA1 certificates issued by MarriottSubCA1

Follow the steps below to activate and download your SSL certificate:

• Click Create SSL Browser Certificate (unmanaged)
• Enter your Reference number and your Authorization Code provided from Request Center

NOTE: If you do not have the option to choose the key size in Internet Explorer, you will have to enable Compatibility View Settings in Internet Explorer for Marriott.com. Press ALT to bring up the toolbar and then go to Tools -> Compatibility View Settings.

• Add Marriott.com to Compatibility View.
• After you add Marriott.com to Compatibility View, you will have to resubmit the certificate request. When alerted that the browser is trying to perform a digital certificate operation, select YES
• Leave the next two fields at their default values
    o CSP Type: RSA full
    o CSP: Microsoft Enhanced Cryptographic Provider v1.0
• Choose Submit Request
• Choose OK
• Choose YES
• Choose YES
• “You have successfully retrieved your browser certificate into Internet Explorer. This certificate can be used to securely identify yourself to our web servers, and to conduct private, encrypted communication over the internet.”
• Exit out of your browser session

SSL PKCS#10 Certificate Request - IE

This section goes over how to download and activate your (Unmanaged) SSL PKCS#10 certificate. Should you need to download an (Unmanaged) SSL Browser certificate, please proceed to the previous section, SSL Browser Certificate Request – IE.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.

a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1 certificates issued by MarriottDevSubCA1

b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1

c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all PRODUCTION SHA1 certificates issued by MarriottSubCA1

Follow the steps below to activate and download your SSL PKCS#10 SERVER certificate. This is a two part process.

• Part 1
    o Click "Create a SSL Certificate from a PKCS#10 Request"
    o Enter your Reference number and your Authorization Code provided or noted from Request Center
    o Minimize this window for now (you will need to copy the actual CSR request into the bottom half of this screen to complete the request).
• Part 2
    o Generate your CSR (Certificate Signing Request) on your web server
      NOTE: When you create your CSR, you will need to put the REFERENCE NUMBER given to you in Request Center in the CN (Common Name) field when prompted. Failure to do this will cause the certificate download to fail.
    o Once the CSR is completed, open the CSR file and copy the actual CSR request, including the BEGIN and END lines (see below), and paste it into the bottom half of the original request form.

It should look similar to this:

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

• Your request should look similar to (below):
• Leave your OPTIONS set to be displayed in raw DER. Then choose SUBMIT REQUEST to complete your activation and retrieval of your SSL WEB SERVER certificate.
• At this point you have two options:
    1. Save the .bin/.cer file and then copy it to your web server. You can then rename the file (it can be safely renamed to .der, .cer, or .crt) and install the certificate on your web server, and/or
    2. Your certificate will be displayed on the web page in PEM format. You can then copy this into Notepad, save it as .PEM, and copy it to your server to be installed.

Downloading using Firefox

SSL Browser Certificate Request – Using Firefox

This section goes over how to download and activate your (Unmanaged) SSL Browser certificate using Firefox.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.

a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1 certificates issued by MarriottDevSubCA1

b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1

c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all PRODUCTION SHA1 certificates issued by MarriottSubCA1

Follow the steps below to activate and download your SSL certificate:

• Click Create SSL Browser Certificate
• Enter your Reference number and your Authorization Code provided or noted from Request Center
• Choose Submit Request
• Choose desired Key Length
    o 2048 (High Grade) is the default
    o Should you desire, you can choose 1024 (Medium Grade)
• Lastly, choose Submit Request

NOTE: If this is the first time you’ve downloaded certificates from this website to your terminal server session or local profile, you will need to enter a new Software Security Device password.

• Once you’ve entered your designated password, choose OK to continue. Please keep this password somewhere safe but accessible.
• A Generating A Private Key window will appear temporarily
• Within the Downloading Certificate window, please check all three boxes and then choose OK to continue.
• Choose OK below
• You will now be presented with the successful retrieval message below. Your client certificate and the MarriottSubCA1 signer certificate are now in your Firefox certificate/browser store.

SSL PKCS#10 Certificate Request - Using Firefox

This section goes over how to download and activate your (Unmanaged) SSL PKCS#10 certificate using Firefox.

Please ensure that you use the correct ESWeb site based on the environment, otherwise your request will fail.

a. https://eswebdev.marriott.com - For all DEV / TEST / PERF (ETC) SHA1 certificates issued by MarriottDevSubCA1

b. https://enrollmitest.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all DEV / TEST / PERF (ETC) SHA2 certificates issued by MarriottTestSubCA1

c. https://enrollmi.managed.entrust.com/cda-cgi/clientcgi.exe?action=start - For all PRODUCTION SHA1 certificates issued by MarriottSubCA1

Follow the steps below to activate and download your SSL WEB SERVER certificate. This is a two part process.

• Part 1
    o Click "Create a SSL Certificate from a PKCS#10 Request"
    o Enter your Reference number and your Authorization Code provided or noted from Request Center
    o Minimize this window for now (you will need to copy the actual CSR request into the bottom half of this screen to complete the request).
• Part 2
    o Generate your CSR (Certificate Signing Request) on your web server
      NOTE: When you create your CSR, you will need to put the REFERENCE NUMBER given to you in Request Center in the CN (Common Name) field when prompted. Failure to do this will cause the certificate download to fail.
    o Once the CSR is completed, open the CSR file and copy the actual CSR request, including the BEGIN and END lines (see below), and paste it into the bottom half of the original request form.

It should look similar to this:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

• Your request should look similar to (below):
• Leave your OPTIONS set to be displayed in raw DER. Then choose SUBMIT REQUEST.
• You will now see a screen that contains your web server certificate in PEM format.
• At this point you have two options:
    1. Copy this PEM certificate (including the BEGIN and END CERTIFICATE lines) into Notepad and save it as .PEM. This can then be copied to your server to be installed, OR
    2. Choose the DOWNLOAD button
        a. Choose Save File, then OK
• Your servercert.bin/servercert.cer file is now on your desktop and ready for you to transfer to your web server

NOTE: You can safely rename the file to .der, .cer, or .crt and then install the certificate on your web server.

Congratulations!! You’re done…
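
The CSR step in both PKCS#10 procedures above (Internet Explorer and Firefox) can be scripted and checked before anything is pasted into ESWEB. This is an added example, not part of the original guide: it assumes openssl on the web server, the function names, file names and the reference number 12345678 are constructed placeholders, and the self-signed certificate only stands in for the servercert.bin that the CA returns.

```shell
#!/bin/sh
# Added example, not from the guide: create and pre-check a PKCS#10 request.
# Function names, file names and the reference number are assumptions.

# valid_ref <reference-number>: reject empty values and stray whitespace
valid_ref() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
}

# make_csr <reference-number> <key-out> <csr-out>
# New 2048-bit RSA key and a CSR whose CN is the Request Center reference number.
make_csr() {
    valid_ref "$1" || return 1
    ( umask 077   # the private key stays readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null )
}

# csr_cn <csr>: print the Common Name stored in the request
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

pub_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr() { openssl req -in "$1" -noout -pubkey 2>/dev/null; }

# check_csr <csr> <key> <reference-number>
# Returns 1 for a bad reference, 2 for a CN mismatch, 3 if the CSR is not from this key.
check_csr() {
    valid_ref "$3" || { echo "reference number empty or has whitespace" >&2; return 1; }
    [ "$(csr_cn "$1")" = "$3" ] || { echo "CN is not the reference number" >&2; return 2; }
    [ -n "$(pub_of_csr "$1")" ] && [ "$(pub_of_csr "$1")" = "$(pub_of_key "$2")" ] ||
        { echo "CSR does not belong to this private key" >&2; return 3; }
}

# check_issued <downloaded .bin> <key> <pem-out>
# The download is raw DER: confirm it parses and carries our public key, then
# write a PEM copy. Returns 1 if unparsable, 2 if the key does not match.
check_issued() {
    pub=$(openssl x509 -inform der -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(pub_of_key "$2")" ] || return 2
    openssl x509 -inform der -in "$1" -out "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    ref=12345678   # constructed placeholder, not a real reference number
    make_csr "$ref" "$d/server.key" "$d/server.csr" &&
    check_csr "$d/server.csr" "$d/server.key" "$ref" &&
    # Stand-in for the CA: self-sign the request and save it as DER.
    openssl x509 -req -in "$d/server.csr" -signkey "$d/server.key" -days 1 \
        -outform der -out "$d/servercert.bin" 2>/dev/null &&
    check_issued "$d/servercert.bin" "$d/server.key" "$d/servercert.pem" &&
    echo "request and issued certificate are consistent"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

Run check_csr before pasting the request, because RNACs are one-time-use codes and the guide's troubleshooting steps for a failed download end in requesting new ones.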

Downloading CA Signer Certificates

Download Subordinate CA Certificate

Since our environment is set up with an online Subordinate CA with offline Root CA, you will need to also download the Subordinate CA’s certificate. To do this, on the left hand side of the website, under CA Certificates, click on Install SubCA x509.

NOTE: During the certificate download process, the Root CA Signer certificate should automatically be downloaded into your browser store. If you don’t see it there, then you can manually download it by choosing Install RootCA x509.

• Choose Open
• Choose Install Certificate
• Choose Next and Next
• Choose Finish
• Choose OK

Exporting Certificates via Internet Explorer

ONLY APPLIES TO UNMANAGED CERTIFICATES

Go to TOOLS > INTERNET OPTIONS in your Internet Explorer browser.

Select the CONTENT tab, and then CERTIFICATES.

Select the appropriate certificate, and then EXPORT.

Choose NEXT and YES, export the private key.

Select Include all certificates in the certification path if possible and Enable strong protection.

Enter a password for the private key twice and choose NEXT to continue.

NOTE: Please make sure to remember this password, otherwise you will have to repeat the export process out of Internet Explorer again.

Type in a file name or browse to a specific directory on your system.

Confirm the information is correct, and select Finish (or Back if changes are necessary) and select OK.

Finally, a successful export message should appear.

Exporting Certificates via Firefox

ONLY APPLIES TO UNMANAGED CERTIFICATES

• Open your Firefox Browser, then go to TOOLS > OPTIONS > ADVANCED
• Then choose VIEW CERTIFICATES to open your Certificate Manager
• Then under CERTIFICATE NAME, locate the certificate you wish to export, highlight it, then choose BACKUP
• Then choose a file name and location to save your exported .pkcs12 file, then choose SAVE
• You will now be prompted for the Software Security Device password that you created in the previous step. Enter the password and choose OK to continue.
• You will now need to assign a new password for the private key that you are backing up or exporting. Please enter the password twice and choose OK to continue. Please keep this password somewhere safe but accessible, as you will need it in order to IMPORT this into your respective end key store on your server.

NOTE: The password quality meter will tell you how strong your password is. The fuller the bar, the stronger the password and the less likely it is to be compromised. Therefore, please take this into consideration when choosing a password.

• You have now successfully exported your certificate. Choose OK to exit.

Troubleshooting FAQ

Problem:

When attempting to download the certificate, you get the following error:

“The error ‘80090024’ occurred. Your certificate request could not be generated”

No key pair has been created by the CSP. Please make sure that you have the latest patches for this browser. See your administrator for details.

Please contact your administrator for details.

Reason(s):

• You are logged into a machine that does not have administrative access
• You are logged into a terminal server that does not allow certificate downloads

Solution:

• Log into a local machine with an administrator account and retry your download

Problem:

When attempting to download the certificate, you get the following error:

“CMS-API call failure. Please contact your administrator for details”

Reason(s):

• You are using the wrong ESWeb site
• You’ve entered your RNACs incorrectly
• Your RNACs have expired or have already been used

Solution:

• For production certificates, go to: https://esweb.marriott.com
• For dev, test and perf certificates, go to: https://eswebdev.marriott.com
• Confirm that your RNACs are correct (make sure there are no extra spaces before or after the codes)
• Check to ensure your RNACs are still valid. If not, request some new RNACs

Problem:

When attempting to download the certificate, you get the following error:

“An error has occurred: (-3274) Security protocol failure. Please contact your administrator for details”

Reason:

• The RNACs issued to you have become corrupted

Solution:

• Request new RNACs

Problem:

When attempting to download the certificate, you get the following error:

“An error has occurred: Invalid reference number was provided. Please contact your administrator for details”

Reason:

• The Reference Number you have entered is not valid or has already been used

Solution:

• Verify you are going to the correct URL to enroll
• Verify that your RNACs are correct
• Request new RNACs in the event your previous RNACs were already used

Problem:

When attempting to download the certificate, you observe the following scenario:

Instead of seeing a certificate in your browser keystore (client certificate) or being prompted to save a bin/cer file (server certificate), you instead are prompted to save a client.cgi/client.exe file.

Reason:

• You have attempted to download your certificate using an unsupported browser.

Solution:

• Request new RNACs via the PKI Request Center service and download your certificate using a supported browser.

Problem:

When attempting to download the certificate, you observe the following scenario:

“Server certificate request not specified or invalid. Please contact your administrator for details”.

Reason:

• You have attempted to download your certificate using an unsupported browser.
• You have to enable Compatibility View Settings for Marriott.com in Internet Explorer 11

Solution:

• Request new RNACs via the PKI Request Center service and download your certificate using a supported browser.

Problem:

When attempting to download the certificate, you observe the following scenario:

“Server certificate request not specified or invalid. Please contact your administrator for details”.

Reason:

• You have attempted to download your certificate using an unsupported browser.

Solution:

• You have to enable Compatibility View Settings for Marriott.com in Internet Explorer 11
• In IE11, go to the OPTIONS menu, select F12 Developer Tools > Select Emulation Tab (at bottom), set Document Mode to 5, and set User Agent String to Internet Explorer 9

Common SSL Conversion Commands

Convert PFX/P12 to PEM

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

You can add -nocerts to only output the private key or add -nokeys to only output the certificates.

    openssl pkcs12 -in keyStore.pfx -out privatekey.pem -nodes -nocerts

    openssl pkcs12 -in keyStore.pfx -out cert.pem -nodes -nokeys

Convert PEM to DER

Convert a PEM file to DER

    openssl x509 -outform der -in certificate.pem -out certificate.der

Import P12 into JKS using Keytool

The command keytool -pkcs12 lists options to import a PKCS12 key. The keystore password for the (*.jks) file should be the one used for the J2EE keystore. The command for the conversion is:

    keytool -pkcs12 -pkcsFile fileName -pkcsKeyStorePass password -pkcsKeyPass password -jksFile outputFileName -jksKeyStorePass password

This will result in a JKS file that has the key (the private key and the certificate chain) in the file.
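
The -nodes option in the openssl commands above writes the private key to disk unencrypted, so the conversion is worth wrapping in a few checks. This is an added example, not part of the original guide: it runs the same pkcs12 and x509 conversions on a constructed sample P12, and the function names, the P12_PASS environment variable and the added -clcerts option (leaf certificate only) are choices made for the example.

```shell
#!/bin/sh
# Added example, not from the guide. Password handling via $P12_PASS and all
# function and file names are assumptions; the sample P12 is constructed.

# split_p12 <in.p12> <key-out.pem> <cert-out.pem>
# -nodes leaves the key unencrypted, so the outputs are created under umask 077.
# -passin env:P12_PASS keeps the export password off the command line.
split_p12() {
    ( umask 077
      openssl pkcs12 -in "$1" -out "$2" -nodes -nocerts \
          -passin env:P12_PASS 2>/dev/null &&
      openssl pkcs12 -in "$1" -out "$3" -nodes -nokeys -clcerts \
          -passin env:P12_PASS 2>/dev/null )
}

# key_matches_cert <key.pem> <cert.pem>: true when both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# owner_only <file>: true when group and others have no permission bits set
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# pem_to_der <cert.pem> <cert.der>: convert, then confirm that both encodings
# are the same certificate by comparing SHA-256 fingerprints
pem_to_der() {
    openssl x509 -outform der -in "$1" -out "$2" || return 1
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -inform der -in "$2" -noout -fingerprint -sha256)" ]
}

# make_sample_p12 <out.p12>: constructed input standing in for a browser export
make_sample_p12() {
    w=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
        -keyout "$w/k.pem" -out "$w/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$w/k.pem" -in "$w/c.pem" -out "$1" \
        -passout env:P12_PASS
    rc=$?; rm -rf "$w"; return $rc
}

demo() {
    d=$(mktemp -d) || return 1
    P12_PASS=constructed-demo-password; export P12_PASS
    make_sample_p12 "$d/keyStore.pfx" &&
    split_p12 "$d/keyStore.pfx" "$d/privatekey.pem" "$d/cert.pem" &&
    owner_only "$d/privatekey.pem" &&
    key_matches_cert "$d/privatekey.pem" "$d/cert.pem" &&
    pem_to_der "$d/cert.pem" "$d/certificate.der" &&
    echo "key and certificate extracted, matched, and converted to DER"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```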
