KB10165 - How to install a Certificate for use on a production PCS

Last Modified Date: 9/19/2015 7:13 PM
Synopsis
This article outlines the steps required to set up a certificate on the PCS.
Problem or Goal
How do I set up my PCS with a certificate that can be used in a production environment?
Cause
Solution

The PCS has a self-signed certificate that was created during the serial console setup of the PCS. This self-signed certificate is capable of encrypting the traffic to and from the PCS; however, because it is self-signed it is generally not appropriate for production use of the PCS.

The reason is that any other device could create a self-signed certificate under the same name and pretend to be your PCS, and a client has no way to tell the two apart. To correct this problem we use a Certificate Authority (CA) that the clients already trust. You can use a company certificate authority such as Microsoft Certificate Services or OpenSSL, or you can use a commercial certificate authority such as VeriSign or Thawte. There are several more options than the ones listed, but those are the best known.

The decision on whether to use the PCS's self-signed, company-signed, or commercially signed certificate usually depends heavily on your users. If your users are fairly technical, using the self-signed certificate from the PCS should not cause much of an issue. If your users are not necessarily technical but have the company CA in their trusted CA list, the company-signed certificate is an economical and effective method to use. If you are in a situation where users' computers will not have the company CA in their trusted CA list, such as a kiosk, a commercial certificate is recommended.

There is a special consideration to take into account. Whether you are using a commercial or a company CA, if the CA issuing the certificate is an intermediate CA (a CA which is itself certified by a CA above it) you will either need to download the certificate chain (recommended) or download the CA certificates for both the intermediate and the root CA. A client that trusts only the root cannot build a path to the device certificate unless the intermediate certificate is also presented, and will report a certificate error.

The PCS certificates can be created in two ways: by CSR (more secure, because the private key is generated on the PCS and never leaves it, but the resulting certificate cannot be exported outside of the PCS) or by importing a certificate containing both the public and the private key (less secure, because the integrity of the CA that generated the key and the storage of the private key on media other than the PCS have to be taken into consideration; however, this method is much more flexible, e.g. the certificate can be used on more than just the PCS).


1. To create a CSR
2. Generating a certificate without a CSR
     2.1 ) Certificate File includes the private keys
     2.2 ) Certificate and the private key are separate files


IMPORTING PREVIOUS DEVICE CERTIFICATE FROM THE SYSTEM CONFIGURATION BACKUP.

1. Importing it from Maintenance - Import / Export - Configuration ( System Configuration )
2. Importing it from System - Configuration - Certificate - Device Certificate - Import Certificate and key.



1. To create a CSR

Go to Configuration > Certificates > Device Certificates.

[Screenshot: certificate_path.jpg]

STEP 1: At the bottom of this page you will see a New CSR button. Click it and fill out the requested information.

[Screenshot: certificate_new_csr_1.jpg]


STEP 2: Fill in the details of the certificate that you want the PCS to generate, then click New CSR.

NOTE: Check the key length before you generate the CSR. Most public CAs no longer accept 1024-bit keys, so choose the 2048-bit option shown in the screenshot below.
[Screenshot: certificate_new_csr_2.jpg]


STEP 3: Once you click Create CSR, the PCS generates a request in Base64 (PEM) format. The private key is generated and stored inside the PCS. The request contains the public key and the subject details and is signed with the private key, so the private key itself is never exposed to the outside world. The generated CSR is listed under Certificate Signing Requests as a Pending CSR.

Copy the CSR text into a text file and submit it to your company CA or chosen commercial CA. The CA will return the signed certificate, which carries the public key that matches the private key held on the PCS.

STEP 4: If you used a commercial CA, put the returned certificate into a text file and rename the file to have a .cer extension. The PCS expects a .cer file to be in Base64 format, which is the most common format in which CAs return certificates. Should a CA return a format other than Base64, the PCS is able to handle PKCS #7 (.p7b) and DER (.der) formats. The PCS's support for PKCS #10 and PKCS #12 in this step is limited.

Once you have the certificate in a file, upload it using the field at the bottom of the same page, against the Pending CSR it belongs to.

Note: It is recommended that you save a copy of system.cfg as soon as you upload a certificate in this manner. Because a CSR-generated private key cannot be exported from the PCS, the configuration backup is the only way to restore this certificate later. To download system.cfg go to Maintenance > Import/Export > Import/Export Configuration and then click Save Config As to save it.




2. Generating a certificate without a CSR
     2.1 ) Certificate File includes the private keys
     2.2 ) Certificate and the private key are separate files

The other way to import certificates is to obtain a certificate together with its public and private key from a CA, so that the key pair is generated by the CA (or on the system that requested it) rather than by the PCS. Commercial CAs will usually have an option on their web sites to do this.

This can also be done using Company CAs. Again Microsoft Certificate Services and OpenSSL are the most common.

Uploading the certificate

If you used a commercial CA, put the returned certificate into a text file and rename the file to have a .cer extension. The PCS expects a .cer file to be in Base64 format, which is the most common format in which CAs return certificates. Should a CA return a format other than Base64, the PCS (called the IVE in older releases and documentation) is able to handle PKCS #7 (.p7b) and DER (.der) formats for this. Its support for PKCS #10 and PKCS #12 is limited.

On the PCS go to Configuration > Certificates > Device Certificates.

Click on the Import Certificate & Key button.

2.1 ) If the Certificate File includes the private keys please follow the steps mentioned below

[Screenshot: import_certificate_1.jpg]

When the CA generated the key pair, it will usually deliver the private key and the certificate together in a single password-protected PKCS #12 (.pfx) file unless you request otherwise. Select the appropriate import option, providing the pass-code if the file was created with one.



A. Browse and select the signed certificate with the .pfx file extension.


B. Type the password for the .pfx file that you imported.


Then click Import; the certificate and its private key will be imported together.


2.2 ) If the Certificate and the private key are separate files please follow the steps mentioned below:

Download the private key from the web server or CA server that generated the CSR (the private key will be in .pem format and is normally password protected), then import the private key together with the signed certificate provided by the certificate authority (in .cer format) into the PCS. Please see the screenshot below:




A. In the certificate file option please browse and choose your signed certificate.

B. Browse and select the private key in the private key File option

C. Type the password for the private key in the private key column.
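The following is an added example and is not part of the KB article or of the PCS product. It uses OpenSSL on an administrator's workstation to replay the steps above with local files, so that the inputs can be checked before anything is uploaded: the key length of the CSR (section 1, STEP 2), that the CA's intermediate certificate is needed to build a path from the device certificate to the root (the "special consideration" above), the PKCS #7 (.p7b) round trip (STEP 4), that a private key really belongs to the certificate it is imported with (section 2.2, including a password-protected .pem key), and packaging certificate, key and CA chain into a password-protected .pfx (section 2.1). The two-tier CA, the device key and CSR, the names vpn.example.com, Example Root CA and Example Issuing CA, the passwords and the function names are all constructed stand-ins and assumptions; the PCS itself generates its CSR key internally, and a real CA would sign the request.

```shell
#!/bin/sh
# Added example (not from the KB article or the PCS): OpenSSL checks run on an
# administrator's workstation before uploading certificate files to the PCS.
# Everything below is constructed locally: the two-tier CA stands in for a
# company or commercial CA, and the leaf key/CSR stand in for the PCS's own.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=req\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com\n' > leaf.ext

# Constructed root CA (self-signed) and intermediate ("issuing") CA below it.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -config req.cnf -key root.key -subj '/CN=Example Root CA' -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile ca.ext -out root.pem 2>/dev/null
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -config req.cnf -key int.key -subj '/CN=Example Issuing CA' -out int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# Stand-in for the PCS "New CSR" step: a 2048-bit key and a PKCS #10 request,
# then the intermediate signs it as a commercial CA's issuing CA would.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -config req.cnf -key leaf.key -subj '/CN=vpn.example.com/O=Example Corp' -out leaf.csr
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 397 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
# Chain file in the conventional order: device cert, then its issuers up to the root.
cat leaf.pem int.pem root.pem > chain.pem
cat int.pem root.pem > cas.pem

# Key length of a CSR (STEP 2 note: most CAs reject 1024-bit requests).
csr_key_bits() {   # $1 = CSR file
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Key length of an issued certificate.
cert_key_bits() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# 0 if cert $1 chains to trusted root $2; $3 is the optional intermediate bundle.
# Without the intermediate, a client that trusts only the root cannot build a path.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Round-trip a PEM chain through the binary PKCS #7 (.p7b) form some CAs
# return, and print how many certificates come back out.
p7b_cert_count() {   # $1 = PEM chain
    openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER -out chain.p7b
    openssl pkcs7 -in chain.p7b -inform DER -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# 0 if private key $2 (optionally encrypted with password $3) belongs to cert $1:
# the public key extracted from each must be identical.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -passin "pass:${3:-none}" -pubout)" ]
}

# Section 2.1 input: cert + key + CA chain in one password-protected .pfx.
make_pfx() {   # $1 = cert, $2 = key, $3 = CA bundle, $4 = password, $5 = output
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -passout "pass:$4" -out "$5"
}

# Number of certificates inside a .pfx (device cert plus the bundled CAs).
pfx_cert_count() {   # $1 = pfx, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Section 2.2 input: a password-protected PEM private key next to the .cer file.
openssl pkey -in leaf.key -aes256 -passout pass:KeyPass123 -out leaf-enc.key
make_pfx leaf.pem leaf.key cas.pem PfxPass123 device.pfx

echo "CSR key bits:                $(csr_key_bits leaf.csr)"
echo "certificate key bits:        $(cert_key_bits leaf.pem)"
chain_verifies leaf.pem root.pem int.pem && echo "root + intermediate + leaf:  OK"
chain_verifies leaf.pem root.pem || echo "root + leaf only:            FAILS (intermediate missing)"
echo "certs after .p7b round trip: $(p7b_cert_count chain.pem)"
key_matches_cert leaf.pem leaf-enc.key KeyPass123 && echo "encrypted key matches cert:  OK"
key_matches_cert leaf.pem int.key || echo "wrong key rejected:          OK"
echo "certs inside device.pfx:     $(pfx_cert_count device.pfx PfxPass123)"
```

The two negative checks are the ones that matter in practice: a device certificate that verifies only when the intermediate is supplied is exactly the case where the chain (or the intermediate CA certificate) must be imported alongside it, and a key that does not match the certificate is the most common cause of a failed "Import Certificate & Key". OpenSSL 3 encrypts a .pfx with AES and PBKDF2 by default; if an older appliance with limited PKCS #12 support rejects such a file, re-export it with `openssl pkcs12 -export -legacy ...` (or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES`) to get the older algorithms.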



IMPORTING PREVIOUS DEVICE CERTIFICATE FROM THE SYSTEM CONFIGURATION BACKUP.

1. Importing it from Maintenance - Import / Export - Configuration ( System Configuration )
2. Importing it from System - Configuration - Certificate - Device Certificate - Import Certificate and key.


1. Importing it from Maintenance - Import / Export - Configuration ( System Configuration )




2. Importing it from System - Configuration - Certificate - Device Certificate - Import Certificate and key.





You should now have your production certificate installed.

[Screenshot: loaded_certificate.jpg]

NOTE: Make sure that you bind the imported certificate to the relevant port (internal or external) according to your configuration; otherwise browsers will still show certificate errors when users type in the URL of the site.


Created By: Data Deployment