An SSL certificate is issued for a key pair: a public key and a private key. The public key is used to encrypt information and the private key is used to decrypt it. To secure sensitive data such as user passwords that travel across your network, you must enable SSL (Secure Sockets Layer) encryption on your VIP Enterprise Gateway server(s) by installing an SSL certificate using one of the following methods. This allows secure (HTTPS) traffic to and from the VIP Enterprise Gateway.
Method 1 (generate and install an SSL certificate):
If a CSR needs to be generated, follow the steps below. (Note: With this method the private key is stored on the VIP Enterprise Gateway and cannot be exported. Repeat these steps for each Enterprise Gateway instance.)
- In the Enterprise Gateway console, go to Settings > SSL Certificate.
- Click Add SSL Certificate.
- Select Create SSL Certificate.
- Complete the form by providing the following attributes and parameters:
| Attribute | Parameter |
| --- | --- |
| Alias | Enter an alias (or friendly name) for this private key. (Example: VIPSSLKey-1) |
| Organization (O) | Enter the legal name of your business organization. |
| Organizational Unit (OU) | Enter the department or division name within the organization. |
| Common Name (CN) | Enter the Fully Qualified Domain Name (FQDN) of the Enterprise Gateway machine hosting the configuration console. |
| Subject Alternative Name (SAN) | Starting in VIP EG 9.11, this field allows entry of SAN values. It supports domain names and IP addresses. |
| State (ST) | Enter the full state name. Do not abbreviate. |
| Country (C) | Enter the two-letter country code in ISO 3166-1 format. (Example: US) |
| Location (L) | Enter the city or town name. |
- Click Next. Copy the CSR (including the BEGIN and END lines) to a file and save it in a safe place. Example:
-----BEGIN CERTIFICATE REQUEST-----
text...
-----END CERTIFICATE REQUEST-----
- Click Done.
- Submit the CSR to the Certificate Authority (CA) of your choice. Note: EV (Extended Validation) certificates are recommended.
- Important: When minting the SSL certificate from the certificate authority, add the server FQDN as a SAN key value (example: DNS:egwOregon.example.com).
- When the signed certificate is delivered from the CA, navigate back to Settings > SSL Certificates in the VIP Enterprise Gateway console.
- Click Install in the list of actions for the new certificate.
- Copy the certificate information you received from the CA from the beginning tag to the end tag, including any dashes. Example:
-----BEGIN CERTIFICATE-----
text...
-----END CERTIFICATE-----
- Click Submit.
- The SSL Certificates page now displays that SSL key, indicating that the SSL certificate installed successfully.
- To enable the SSL certificate for use with the VIP Enterprise Gateway, select Settings > Console Settings. To enable it for the VIP Self Service Portal/MyVIP or Manager IdPs, select Identity Providers and navigate to Self Service Portal IdP or Manager IdP.
- In the configuration settings page, select https as the protocol.
- Select the SSL certificate that you want to enable from the list of SSL certificates, then click Submit.
- Restart the VIP Enterprise Gateway service.
Method 2 (import an existing SSL certificate):
If the CSR was generated by another means (i.e., outside the VIP Enterprise Gateway) and the certificate is available in PKCS#12 format, follow these steps.
- From the Enterprise Gateway console, navigate to Settings > SSL Certificate.
- Click Add SSL Certificate.
- Select Import SSL Certificate.
- Click Choose File and select the certificate. The certificate must be in PKCS#12 (.p12/.pfx) format.
- Enter the password for the certificate and provide an alias (friendly name using only alphanumeric characters, hyphens, or underscores).
- Click Submit.
- Restart the VIP Enterprise Gateway service.
Installing a Root or Intermediate Certificate:
The VIP Enterprise Gateway is installed with the root and intermediate certificates of most public Certificate Authorities. If the certificates for the CA being used are not present in the list, they can be installed. If the SSL certificate is issued by a private CA, that CA's root certificate must be installed.
- From the Enterprise Gateway console, go to Settings > Trusted CA Certificate.
- Click Add Certificate.
- Click Choose File and select the certificate.
- Provide an alias for the CA certificate.
- Click Submit.
- Once all necessary root and intermediate certificates have been added, click Save Changes.
The VIP Enterprise Gateway service must be restarted after adding a new root or intermediate CA certificate, and before adding the SSL certificate.
On Windows:
- Open Services.msc
- Locate the Symantec VIP Enterprise Gateway service.
- Right-click on its name and select Restart.
On Linux:
- Open a new SSH connection to the server as root.
- From the command-line, run: <VIP_EG_INSTALL_DIR>/server/bin/vipegconsole.rc stop
- To start the service back up run: <VIP_EG_INSTALL_DIR>/server/bin/vipegconsole.rc start
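The following script is an added example and is not part of the VIP Enterprise Gateway documentation or the product itself. It walks the externally generated path that Method 2 imports and the private-CA case from the root/intermediate section: it stands in a throwaway private root CA, builds a key and CSR with the attributes from the Method 1 form (FQDN as CN and as a DNS SAN), signs the CSR so the issued certificate carries the FQDN in its SAN, runs the checks worth doing before any import (SAN contains the FQDN, certificate matches the private key, chain verifies against the root that must be added under Trusted CA Certificate, hostname matches), and bundles key, certificate and issuing chain into the PKCS#12 file. The FQDN and alias are the page's own examples; the CA name, subject attributes, file paths, password and validity periods are constructed for the demonstration, and the self-made CA replaces the real CA's signing step.

```shell
#!/bin/sh
# Added example, not part of the VIP Enterprise Gateway documentation.
# Prepares and checks an externally generated certificate for Method 2
# (PKCS#12 import) and stands in a private CA for the root-certificate
# section. Every name, path and password here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="egwOregon.example.com"      # server FQDN from the page's SAN example
ALIAS="VIPSSLKey-1"               # alias from the page's example
P12PASS="example-import-password" # constructed PKCS#12 password

# Stand-in private root CA. With a real private CA only its root (and any
# intermediates) are needed under Settings > Trusted CA Certificate.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C  = US
O  = Example Corp
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Private key and CSR. The attributes mirror the console form; the FQDN is
# the CN and is repeated as a DNS SAN, which is what clients actually match.
make_csr() {
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C  = US
ST = Oregon
L  = Portland
O  = Example Corp
OU = IT Security
CN = $FQDN
[v3_req]
subjectAltName = DNS:$FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/egw.key" -out "$WORK/egw.csr" 2>/dev/null
}

# CA side: sign the CSR and put the FQDN in the SAN of the issued certificate
# (the page's "Important" note; a CA does not always copy the CSR's SAN).
sign_csr() {
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' \
    "$FQDN" > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/egw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.cnf" -out "$WORK/egw.crt" 2>/dev/null
}

# Checks to run on what the CA returned, before importing anything.
san_has_fqdn() {          # the SAN lists the gateway's FQDN
  openssl x509 -in "$WORK/egw.crt" -noout -text | grep -q "DNS:$FQDN"
}
cert_matches_key() {      # the certificate was issued for the key we hold
  c=$(openssl x509 -in "$WORK/egw.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$WORK/egw.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}
chain_verifies() {        # root is trusted and the name matches, as a client sees it
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$FQDN" "$WORK/egw.crt" >/dev/null
}

# Bundle key + certificate (+ issuing chain) into the .p12 that Method 2 imports.
make_p12() {
  openssl pkcs12 -export -in "$WORK/egw.crt" -inkey "$WORK/egw.key" \
    -certfile "$WORK/ca.crt" -name "$ALIAS" -passout "pass:$P12PASS" \
    -out "$WORK/egw.p12"
}
p12_has_server_cert() {   # the bundle opens with the password and carries the server cert
  openssl pkcs12 -in "$WORK/egw.p12" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q "CN *= *$FQDN"
}

prepare_and_check() {
  make_ca && make_csr && sign_csr \
    && san_has_fqdn && cert_matches_key && chain_verifies \
    && make_p12 && p12_has_server_cert
}

# Usage: sh prepare_egw_cert.sh   (prints the bundle path on success)
prepare_and_check && echo "ready to import: $WORK/egw.p12"
```

In production, skip make_ca and sign_csr: submit egw.csr to the CA, save the returned certificate as egw.crt and the CA's root and intermediates in place of ca.crt, then run the three checks and make_p12. The same alias rules as the console apply to the -name value (alphanumerics, hyphens, underscores), and the password set with -passout is the one entered at import time.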
Installing on Multiple VIP Enterprise Gateway Servers:
Certificates cannot be exported from the Enterprise Gateway console key store. The steps must be repeated for each server.