Certificates

From Edge Threat Management Wiki - Arista

About Digital Certificates

The Untangle Server uses digital certificates when serving web content via SSL. The server certificate is mainly used to provide secure access to the Administrative Console, as well as the Email Quarantine features. The server also needs to generate imitation certificates on the fly when using the SSL Inspector application. There are two different ways to configure the certificate used by your server, depending on your specific requirements:

  1. Create and use a server certificate signed by the internal certificate authority.
  2. Create a Certificate Signing Request (CSR) which you can have signed by a third-party certificate authority.

If you plan on using the HTTPS Inspector application, option #1 is likely a good choice. Since you'll need to install the root certificate on all client computers and devices to use HTTPS Inspector effectively, it makes sense to also sign the certificate used by the Untangle server with this same CA.

If you aren't going to use the HTTPS Inspector, or have some other reason to prefer a third-party certificate, then option #2 may be a better choice. This will allow you to obtain and use a server certificate signed by a third-party authority. The benefit here, assuming you use one of the standard and well-known providers, is that their root certificate will already be included in the list of trusted CAs on client computers and devices, so you won't have to distribute and install a new root certificate.

Certificate Authority

During the initial server installation, a default Certificate Authority (CA) was created automatically. This CA is used to create and sign imitation certificates that are generated on the fly by the HTTPS Inspector application. It was also used to sign the default server certificate used by the server itself. You can use the default CA as is, or you can generate a new CA if you want to customize the information contained in the root certificate.

Generate Certificate Authority

When you click this button to generate a new CA, you will be presented with a popup form where you can enter the details to be included in the Subject DN of the new root certificate. All fields are optional except for the Common Name (CN) field. Since this operation is creating a root certificate and not a server certificate, the CN field can contain almost anything you like. Once the form is complete and you click the Generate button, the new CA will be created and the Certificate Authority information fields will be updated to display the contents of the new certificate.

Download Root Certificate

Click this button to download the root_authority.crt certificate file of the Certificate Authority on the Untangle server. If you are using HTTPS Inspector, or if you have configured your Untangle server to use a server certificate signed by the internal Certificate Authority, you will need to download and install this certificate on all client computers and devices to eliminate certificate warning messages when browsing or accessing secure content.

Download Root Certificate Installer

This button downloads a Windows installer that will automatically deploy the root certificate to Windows devices. This will allow for more efficient deployment of the root certificate above. Once installed, this will eliminate certificate warning messages when browsing or accessing secure content, or when using the HTTPS captive portal.

Server Certificate

The Server Certificate is used to secure all HTTPS connections with the Untangle server. This mainly applies to the Administrative Console and the Email Quarantine pages.

During the initial server installation, a default certificate is created and signed using the default Certificate Authority that was also created during installation. You can use the default server certificate as is, or you can generate a new server certificate if you want to customize the information contained in the server certificate.

Generate Server Certificate

When you click this button to generate a new server certificate, you will be presented with a popup form where you can enter the details to be included in the Subject DN of the server certificate. All fields are optional except for the Common Name (CN) field, which should contain the hostname that will be used to access the server.

Example: hostname.domain.com

Once the form is complete and you click the Generate button, the new server certificate will be created and the Untangle server will start using it immediately. The Server Certificate information fields will also be updated to display the contents of the new certificate.

Third Party Certificate

Instead of using a certificate signed by the local CA, you may prefer to have the Untangle server use a certificate signed by a well-known CA such as VeriSign or Thawte. The advantage of using this type of certificate is that client computers and devices will need no additional configuration, since most browsers are already configured to trust certificates issued by these authorities.

Create Signature Signing Request

When you click this button to generate a signature signing request, you will be presented with a popup form where you can enter the details to be included in the Subject DN of the CSR. Once the form is complete and you click Generate, a server_certificate.csr file will be downloaded to your computer. The certificate authority you choose will require this file, and possibly additional information, to verify that you are the "owner" of the website for which you are requesting the certificate. When they receive all the required information, and any associated fee, they will issue you a new certificate file which you can upload to the Untangle server.

Import Signed Server Certificate

When you receive your signed certificate, click this button to upload the certificate to the Untangle server. In the resulting dialog, click the Browse button, then locate and select the certificate file. Then click the Upload Certificate button to upload and activate the certificate on the Untangle server.

If your provider also included an intermediate certificate, you may need to use a text editor to manually combine all of the certificates and keys into a single file that can be uploaded. Your server certificate will be at the top, followed by your private key, followed by any intermediate certificates that are required.

-----BEGIN CERTIFICATE-----
server certificate data
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
server private key data
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
intermediate certificate data
-----END CERTIFICATE-----
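
The block order shown above can be checked, or the file assembled, without hand-editing. The following Python is an added example, not part of the wiki or the Untangle product; the function names are hypothetical and the sample inputs under the main guard are constructed placeholders rather than real certificates or keys.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """Return [(label, decoded_bytes)] for each PEM block, in file order."""
    # validate=True rejects stray characters pasted into a block by the editor
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_BLOCK.findall(text)]

def to_pem(label, data):
    """Re-encode one block with 64-character lines and clean delimiters."""
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def check_bundle(text):
    """List ordering problems in a combined file (empty list: order is right)."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if labels[:1] != ["CERTIFICATE"]:
        problems.append("first block must be the server certificate")
    # Assumption: any '... PRIVATE KEY' label counts as the key block; the
    # page itself only shows the plain 'PRIVATE KEY' form.
    if len(labels) < 2 or not labels[1].endswith("PRIVATE KEY"):
        problems.append("second block must be the private key")
    if any(label != "CERTIFICATE" for label in labels[2:]):
        problems.append("only intermediate certificates may follow the key")
    return problems

def build_bundle(server_cert, private_key, intermediates=""):
    """Join the three inputs in upload order, dropping text outside blocks."""
    parts = (pem_blocks(server_cert) + pem_blocks(private_key)
             + pem_blocks(intermediates))
    bundle = "".join(to_pem(label, data) for label, data in parts)
    problems = check_bundle(bundle)
    if problems:
        raise ValueError("; ".join(problems))
    return bundle

if __name__ == "__main__":
    # Constructed placeholder bytes, not real certificates or keys.
    leaf = to_pem("CERTIFICATE", b"constructed server certificate")
    key = to_pem("PRIVATE KEY", b"constructed private key")
    chain = to_pem("CERTIFICATE", b"constructed intermediate")
    print(build_bundle(leaf, key, chain))
    print(check_bundle(key + leaf + chain))  # key first: two problems reported
```

This checks block order and base64 encoding only; it does not verify that the private key belongs to the server certificate. The combined file contains the private key, so store it with the same access restrictions as the key itself.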