Adding (import), create or manage certificates for HTTPS access to CAS management console

Article ID: 174541

Products

CAS-VA CAS-S200 CAS-S400 CAS-S500

Issue/Introduction

To secure the HTTPS connection to the web management console, you can use the default certificate, create a self-signed certificate, or import a certificate that was signed by a trusted Certificate Authority.

Resolution

Create a Self-Signed Certificate

Content Analysis has its own facility for creating certificates you can use for securing the connection to the web management console. Keep in mind, however, that these certificates are not verified by a trusted third party; for that, you would need to use a Certificate Authority. 

  1. On the Settings > Web Management page, click Certificate Management. The Certificate Management dialog opens.
  2. The Current Information tab displays the current HTTPS certificate. If any information is incorrect, click Create Certificate.
  3. Enter the certificate identity information.
  4. For Subject Alternative Name enter the IPs and common names to be protected by this certificate. Multiple entries are comma-delimited: IP:9.9.9.9,DNS:www.domain.com.
  5. Enter a recipient Email address. This should be the administrator who gets notified if there are problems with the certificate.
  6. Select a Date valid value; this is the expiry date for the certificate.
  7. Set the Size value, which is the length in bits of the key generated for the certificate. Available key lengths are 2048 and 4096.
  8. Click Save Changes to generate the certificate. The appliance resets the web service to support the new certificate.
  9. After the web service is reset, click Certificate Management to see the information in the generated certificate.
  10. In the Current Information tab, the settings match the values specified when creating the certificate.
  11. Click Download Public Certificate and save the certificate file (public.crt) to your local system.

 

Import a CA-Signed Certificate

Create a Certificate Signing Request (CSR) with your organization's certificate information, and have it signed as a certificate by a Certificate Authority. When the Certificate Authority has fulfilled your CSR, you need the certificate together with its key in order to import it into Content Analysis. To import the CA-signed certificate:

  1. On the Settings > Web Management page, click Certificate Management. The Certificate Management dialog opens.
  2. Click the Import Certificate tab.
  3. Click Browse, browse for your certificate in PEM, DER, or PKCS12 format, and click OK.
  4. Enter the passphrase your Certificate Authority used to secure the certificate (if present) and click Upload.
  5. In the Current Information tab, the settings match the values of the imported certificate.
NOTE: The only supported certificate formats are PEM, DER, and PKCS12.

 

Import a Private Key for OpenSSL

Follow these steps to create a private key and certificate for OpenSSL, using Microsoft PKI. If you do not have Microsoft PKI or if you have a different method for generating the CSR, these steps will vary.

  1. Generate a private RSA key for a certificate, along with a certificate-signing request (CSR): openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
  2. Sign the CSR with Microsoft PKI, using a basic web server signing request. Download the chain in base64 format.
  3. With the newly generated P7B file generate a certificate (CRT) file: openssl pkcs7 -print_certs -in certnew.p7b -out certnew.crt
  4. Use the CRT file in conjunction with the generated key to convert the CRT to PKCS12: openssl pkcs12 -export -out cert.p12 -inkey server.key -in certnew.crt
  5. Import the certificate into Content Analysis, using the password that you generated in the previous step.
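
A check worth running between steps 4 and 5, shown here as an added example that is not part of the original article: confirm that cert.p12 opens with its passphrase, that its leaf certificate belongs to server.key, and that the certificate has not expired. The function names, the P12_PASS variable, the subject name and the self-signed certificate standing in for the CA-signed certnew.crt are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check cert.p12 against server.key before uploading it.

# PEM public key derived from a private key file.
key_pub() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Leaf certificate from a PKCS12 bundle. The passphrase is read from the
# P12_PASS environment variable (a name chosen for this example).
p12_leaf() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null
}

# Succeeds only if the bundle opens with the passphrase, its leaf certificate
# carries the public key of the given private key, and it has not expired.
p12_ready_for_import() {    # $1 = PKCS12 bundle, $2 = private key
    leaf=$(p12_leaf "$1") || return 1
    want=$(key_pub "$2") || return 1
    got=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ -n "$want" ] && [ "$want" = "$got" ] || return 1
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# CA-signed certnew.crt; the subject name and passphrase are made up.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
P12_PASS='constructed-demo-passphrase'
export P12_PASS
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=cas.example.test" \
    -keyout "$work/server.key" -out "$work/certnew.crt" 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null    # unrelated key
openssl pkcs12 -export -out "$work/cert.p12" -inkey "$work/server.key" \
    -in "$work/certnew.crt" -passout env:P12_PASS

for key in server.key other.key; do
    if p12_ready_for_import "$work/cert.p12" "$work/$key"; then
        echo "cert.p12 + $key: ready for import"
    else
        echo "cert.p12 + $key: do not import (mismatch, bad passphrase or expired)"
    fi
done
```

Reading the passphrase from the environment with env: keeps it out of the process list, unlike a pass: argument on the command line.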