How to Install an SSL Certificate for Encryption Management Server

Article ID: 180416

Products

Encryption Management Server, Gateway Email Encryption, Encryption Management Server Powered by PGP Technology, Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

This article explains how to create a Certificate Signing Request (CSR) for an SSL certificate and then import the certificate to Encryption Management Server.

Services such as clustering and Web Email Protection use the TLS protocol and require a server TLS certificate that includes the host name corresponding to the IP address of the server on which the service is running. To issue a certificate, the Certificate Authority needs the information contained in a Certificate Signing Request (CSR).

There are four stages to this process:

  1. Create the certificate signing request (CSR) file and submit it to the CA (Certificate Authority).
  2. Ensure that Encryption Management Server trusts the certificates in the server certificate's issuing chain or certification path.
  3. Import the signed server certificate.
  4. Assign the certificate to the correct network interface of Encryption Management Server.

Environment

Symantec Encryption Management Server 3.4.2 and above.

Resolution

Create and Submit a Certificate Signing Request (CSR)

  1. Log into the admin console.
  2. Navigate to System / Network and click on the Certificates button at the bottom of the page.
  3. Click the Generate CSR button.

    NOTE: You can also choose to generate a Self-Signed Certificate if you do not intend to use an external or internal Certificate Authority.

  4. Type in the Fully Qualified Domain Name (FQDN) for the server. For example, keys.example.com.
  5. Do not enter an email address in the Contact Email field. TLS certificates do not generally include an email address.
  6. Optionally, enter your organization's name in the Organization Name field.
  7. Optionally, enter your organization's unit designation in the Organization Unit field.
  8. Optionally, enter a city or locality, as appropriate, in the City/Locality field.
  9. Optionally, enter a state or province, as appropriate, in the Province/State field.
  10. Optionally, enter a two-letter ISO 3166 country code in the Country field.
  11. To generate a Certificate Signing Request (CSR), click the Generate CSR button.
  12. The CSR window opens, showing the BEGIN CERTIFICATE REQUEST text.
  13. Select all of the text, copy and paste it into a text editor and save the file. Then click the OK button.
  14. The certificate appears on the Certificates page as Pending. If you click on the certificate name, you will see the CSR text and can copy it again if required.
  15. Submit the text file containing the CSR or its contents to your Certificate Authority (CA).
  16. The CA will send a public server certificate back to you. The CA will also send you the root certificate and any intermediate certificates.

Ensure that the Certificates in the Issuing Chain are Trusted

Before you import the server certificate, you must ensure that Encryption Management Server trusts the certificates in the server certificate's issuing chain or certification path. Every server certificate has an issuing chain of certificates. Generally, the Certificate Authority will send you these certificates or direct you to a web site from which you can download them. There is always a root certificate in the issuing chain and at least one intermediate certificate. To ensure that Encryption Management Server trusts them, do the following:

  1. From the admin console, click on Keys / Trusted Keys.
  2. Search for the name of the certificate to check if it is already present. If you find a certificate that has a similar name to the one you are looking for, check whether the expiry date matches and, to be completely sure it is the same certificate, check the fingerprint / thumbprint.
  3. If the certificate is not already present, click on the Add Trusted Key button.
  4. Click on the Choose File button, browse to the location of the root certificate and click Open. Note that the certificate must be in Base-64 encoded (PEM) format, not DER-encoded binary format.
  5. At a minimum, click to enable the option Trust key for verifying SSL/TLS certificates.
  6. If Encryption Management Server processes email, enable the option Trust key for verifying mail encryption keys.
  7. Click the Save button.
  8. Repeat the above steps to import the root certificate and all intermediate certificates.

Import the Server Certificate

  1. Open the server certificate that the Certificate Authority sent you in a text editor and copy all the text to the clipboard.
  2. From the administration console, click on System / Network and then click the Certificates button.
  3. Click the + button in the Import column of the pending certificate you are adding. The Add Certificate to Key dialog box appears.
  4. Paste the certificate text from the clipboard into the Certificate Block box.
  5. Click Save to import the new certificate.
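Two of the steps above are easy to get wrong when a CA delivers files in mixed formats: comparing a fingerprint before adding a trusted key (step 2 of the previous procedure), uploading a DER file where Base-64 is required (step 4), and pasting the CSR instead of the signed certificate (step 1 of this procedure). The following script is an added example, not code from the original article or from the product; it uses only the Python standard library to tell PEM from DER, convert DER to the Base-64 block the admin console accepts, refuse a PEM block whose label is not CERTIFICATE, and compute the fingerprint over the DER bytes for comparison. SAMPLE_DER is a constructed ASN.1 stub, not a real certificate.

```python
import base64
import hashlib
import re
import ssl
from typing import Optional

# Constructed sample: a minimal ASN.1 SEQUENCE (not a real certificate), used only to exercise the helpers.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for the raw bytes of a certificate file."""
    if PEM_BLOCK.search(data):
        return "PEM"
    # DER-encoded X.509 starts with an ASN.1 SEQUENCE tag (0x30); a PEM file never starts with '0'.
    return "DER" if data[:1] == b"\x30" else "UNKNOWN"


def pem_label(data: bytes) -> Optional[str]:
    """PEM label such as 'CERTIFICATE' or 'CERTIFICATE REQUEST'; None for DER or unknown input."""
    m = PEM_BLOCK.search(data)
    return m.group(1).decode("ascii") if m else None


def to_der(data: bytes) -> bytes:
    """Strip PEM armour if present and return the raw DER bytes."""
    fmt = detect_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        return base64.b64decode(PEM_BLOCK.search(data).group(2))
    raise ValueError("input is neither PEM nor DER")


def to_pem(data: bytes) -> str:
    """Produce the Base-64 (PEM) block the admin console expects; refuse a CSR or other non-certificate."""
    label = pem_label(data)
    if label is not None and label != "CERTIFICATE":
        raise ValueError(f"file contains a {label}, not a certificate")
    return ssl.DER_cert_to_PEM_cert(to_der(data))


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint the way most CA tools display it: hash of the DER bytes as colon-separated hex."""
    digest = hashlib.new(algorithm, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print(detect_format(SAMPLE_DER), fingerprint(SAMPLE_DER, "sha1"))
    print(to_pem(SAMPLE_DER))
```

Run it against the root and intermediate files the CA sent: the fingerprint of the DER and PEM forms is identical, so either can be compared with the value shown in the admin console, while only the PEM output is suitable for upload.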

Assign the Server Certificate to the Correct Interface

  1. Click on System / Network.
  2. Select the correct Interface from the interface drop-down list.
  3. Select the new certificate from the Assigned Certificate drop-down list.
  4. Click Save.