© 2013, CTERA Networks. All rights reserved.
Installing a Security Certificate on the CTERA Portal
CTERA Portal Datacenter Edition
Aug 2013 Versions 3.2, 4.0
1 Introduction
Certificates are used as part of the Transport Layer Security (TLS) protocol. They enable users' Web browsers, CTERA appliances, and CTERA Agents to verify that the CTERA Portal server with which they are communicating is authentic and not spoofed. If the CTERA Portal does not have a valid certificate installed, CTERA appliances and CTERA Agents will not be able to connect to it.
This document describes the necessary steps for installing a certificate on the CTERA Portal:
1 View the CTERA Portal's DNS Suffix
2 Obtain an SSL Certificate
3 Generate a Certificate Signing Request for Your Domain
4 Sign the Certificate Request
5 Validate and Prepare Certificates for Upload
6 Install the Signed Certificate on CTERA Portal
2 View the CTERA Portal's DNS Suffix
1 Log in to the CTERA Portal.
2 In the status bar, in the Portal drop-down list, select Administration.
The Global Administration View appears displaying the Main > Dashboard page.
3 In the navigation pane, click Settings > Global Settings.
The Settings > Global Settings page appears.
The DNS Suffix field displays the CTERA Portal's DNS suffix.
Tip
This document assumes that your CTERA Portal uses the following DNS suffix: ctera.com
3 Obtain an SSL Certificate
It is necessary to obtain a valid certificate signed either by a well-known certificate authority, or by your own internal certificate authority.
Tip
If you intend to generate a signed certificate using your own internal certificate authority, please contact CTERA Support at http://www.ctera.com/support beforehand.
The SSL certificate can be either of the following:
A wildcard certificate
A wildcard SSL certificate secures your website's URL and an unlimited number of its subdomains. For example, a single wildcard certificate for *.ctera.com can secure both company01.ctera.com and company02.ctera.com.
A wildcard certificate is mandatory if you plan for your service to consist of more than one virtual portal.
A domain certificate
A domain certificate secures a single domain or subdomain only. For example: company01.ctera.com.
This option is relevant if you are planning to provision a single virtual portal only.
Tip
To obtain a self-signed certificate for testing and evaluation purposes only, contact CTERA Support at http://www.ctera.com/support and specify your CTERA Portal's DNS suffix (which you viewed in View the CTERA Portal's DNS Suffix). CTERA will generate a self-signed certificate for your DNS suffix and provide you with a ZIP file that you can upload to your CTERA Portal environment.
Tip
The CTERA Portal also supports certificates with Subject Alternative Names (SAN certificates). This option enables you to secure multiple domain names with a single certificate.
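How the choice between a wildcard, a domain and a SAN certificate plays out for concrete host names, as an added Python example that is not part of the original CTERA document. It applies the standard hostname-matching rule that a wildcard stands for exactly one left-most label; the function names and the host list are constructed for illustration.

```python
def covers(cert_name, host):
    """True if one certificate name (exact, or wildcard in the left-most label) matches host."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):  # "*" stands for exactly one label, never zero or several
        return False
    return c[1:] == h[1:] and c[0] in ("*", h[0])

def uncovered(cert_names, hosts):
    """Hosts that none of the certificate's names (subject plus any SANs) match."""
    return [h for h in hosts if not any(covers(n, h) for n in cert_names)]

def csr_domain_name(dns_suffix, portals):
    """Domain Name value for the request: wildcard for several virtual portals, else one host."""
    if len(portals) > 1:
        return "*." + dns_suffix
    return portals[0] + "." + dns_suffix

# Constructed host names under the DNS suffix this document assumes (ctera.com).
HOSTS = ["company01.ctera.com", "company02.ctera.com", "ctera.com", "eu.company01.ctera.com"]

if __name__ == "__main__":
    for names in (["*.ctera.com"], ["company01.ctera.com"], ["*.ctera.com", "ctera.com"]):
        print(names, "does not cover", uncovered(names, HOSTS))
```

With these sample hosts, `*.ctera.com` leaves the bare suffix and the two-level name unmatched; a SAN certificate that lists the extra names closes that gap.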
4 Generate a Certificate Signing Request for Your Domain
Once you have obtained your DNS suffix, you need to generate a certificate signing request (CSR) for your domain using CTERA Portal. This requires a CTERA Portal Administrator account.
1 Log in to the CTERA Portal using your Administrator account.
2 In the status bar, in the Portal drop-down list, select Administration.
The Global Administration View appears displaying the Main > Dashboard page.
3 In the navigation pane, click Settings > SSL Certificate.
The Settings > SSL Certificate page appears.
4 Click Request Certificate.
The Create a Certificate Request Wizard opens.
In the Domain Name field, type the domain name for which you would like to request a certificate.
The value entered must match the type of certificate you chose to use. For example, if you chose a wildcard certificate, the domain name might be *.acme.com.
In contrast, if you chose a domain certificate, the domain name might be company01.acme.com, where company01 is the name of your virtual portal.
5 Complete the rest of the fields.
These fields are optional.
6 Click Generate.
A keypair is generated and stored on the portal.
The Download a certificate request screen appears.
7 Click Download.
The certificate request file certificate.req is downloaded to your computer.
The Settings > SSL Certificate page's Certificate Request area indicates that the certificate request is pending.
If you issued a wildcard certificate request, the area appears as follows:
If you issued a domain certificate request, the area appears as follows:
Warning
When you generated the CSR, a private.key file was registered in the CTERA Portal. If you now generate a new CSR, it will override the existing private.key file, and signing the old CSR will result in an error message indicating that the CSR does not match the private.key file. Therefore, do not generate a new CSR before installing the signed certificate.
5 Sign the Certificate Request
1 Send the certificate.req file you generated to your certificate authority for signing.
If the request is successful, the certificate authority will send back an identity certificate that is digitally signed with the certificate authority's private key.
Tip
The certificate authority should return a base-64 encoded identity certificate.
2 Open the identity certificate and verify that the Issued to field includes the DNS suffix you provided upon creating the certificate request.
3 Build a certification chain from your identity certificate to your trusted root certificate.
In order to do this, you will need to obtain all of the intermediate certificates, as well as your root certificate authority's self-signed certificate.
If you are using a well-known certificate authority, the intermediate certificates and the root certificate authority's self-signed certificate can be downloaded from your certificate authority's website. If you are using your own internal certificate authority, contact the necessary entity to provide you with the required intermediate and self-signed certificates.
In the above example, the certificate was issued by "Go Daddy Secure Certification Authority" to "*.ctera.com". In order to build the certification chain, it is necessary to obtain a certificate issued to "Go Daddy Secure Certification Authority".
This certificate was issued by "Go Daddy Class 2 Certification Authority" to "Go Daddy Secure Certification Authority". In order to continue the certification chain, it is necessary to obtain a certificate issued to "Go Daddy Class 2 Certification Authority".
Since this last certificate is a self-signed certificate (that is, it was issued to and by the same entity), the certification chain is complete.
6 Validate and Prepare Certificates for Upload
1 Verify that none of the certificates in the certificate chain are corrupted or using invalid encoding.
To do so, open each certificate in a program such as Notepad or Word, and verify that it contains the following:
-----BEGIN CERTIFICATE-----
CERTIFICATE CONTENT
-----END CERTIFICATE-----
2 Rename the identity certificate issued to "*.ctera.com" to certificate.crt.
3 Change the file extension of the other certificates in the certificate chain to "crt".
For example, certificate-name.crt.
4 Archive all of the certificates (the identity certificate, the intermediary certificates, and
the root self-signed certificate) in a ZIP file called certificate.zip.
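The encoding check in step 1 and the chain-building rule from section 5 (follow each certificate's issuer until a certificate is issued to and by the same entity), as an added Python example that is not part of the original CTERA document. Function names, file names and the sample certificates are constructed for illustration; links are matched by issuer and subject name only, as in the manual procedure, and no signatures are verified.

```python
import base64, re
PEM = re.compile(r"\A\s*-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----\s*\Z", re.S)

def pem_to_der(text):
    """DER bytes of a file holding exactly one PEM certificate; ValueError otherwise."""
    m = PEM.match(text)
    if not m:
        raise ValueError("missing or malformed BEGIN/END CERTIFICATE lines")
    return base64.b64decode("".join(m.group(1).split()), validate=True)  # bad base64: ValueError

def tlv(buf, pos):  # read the DER element at pos -> (tag, content start, content end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER of the issuer and subject names in an X.509 certificate."""
    pos, fields = tlv(der, tlv(der, 0)[1])[1], []  # step into Certificate, then TBSCertificate
    while len(fields) < 5:  # serial, signature algorithm, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_chain(pems, identity):
    """pems: {file name: PEM text}. File names from the identity certificate up to the root."""
    names = {f: issuer_subject(pem_to_der(t)) for f, t in pems.items()}
    chain = [identity]
    while names[chain[-1]][0] != names[chain[-1]][1]:  # root: issued to and by the same entity
        issuer = names[chain[-1]][0]
        parent = next((f for f, n in names.items() if n[1] == issuer and f not in chain), None)
        if parent is None:
            raise ValueError("chain incomplete: nothing issued to the issuer of " + chain[-1])
        chain.append(parent)
    return chain

def sample_pem(issuer, subject):  # constructed stand-in: certificate layout, no real key or signature
    el = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
    name = lambda cn: el(0x30, el(0x31, el(0x30, b"\x06\x03\x55\x04\x03", el(0x0C, cn.encode()))))
    tbs = el(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00", name(issuer), b"\x30\x00", name(subject))
    body = base64.encodebytes(el(0x30, tbs, b"\x30\x00\x03\x01\x00")).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE = {"wildcard.cer": sample_pem("Example Issuing CA", "*.ctera.com"),  # constructed names
          "issuing.cer": sample_pem("Example Root CA", "Example Issuing CA"),
          "root.cer": sample_pem("Example Root CA", "Example Root CA")}
```

`order_chain(SAMPLE, "wildcard.cer")` returns the files in the order identity, intermediate, root; a file with altered BEGIN/END lines or a missing intermediate raises `ValueError` before anything is archived.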
7 Install the Signed Certificate on CTERA Portal
1 Log in to the CTERA Portal using your Administrator account.
2 In the status bar, in the Portal drop-down list, select Administration.
The Global Administration View appears displaying the Main > Dashboard page.
3 In the navigation pane, click Settings > SSL Certificate.
4 Click Install Signed Certificate.
The Upload Certificate Wizard opens.
5 Click Upload and browse to the certificate.zip file you created.
The certificate is installed on the CTERA Portal.
6 Click Finish.
7 Update the certificate on the Web server by opening an SSH session to all of the servers in your CTERA Portal deployment and running the following command:
ctera-portal-manage.sh restart
CTERA Portal services are restarted.
8 Verify that the certificate updated successfully by browsing to your CTERA Portal.
You should receive no security exception messages.