Creating TLS Server Side Certificate for Application Interface

This section describes how you check the currently used TLS certificate and how you use WebCof to create a new server TLS certificate for the Application Interface.

To check the currently used TLS certificate, proceed as follows:

  1. Open the Application Interface in the browser.
  2. Click the Padlock icon in the address bar of your browser and click More information:

    EJBCA TLS check
  3. On the Info page, go to the Security tab and click View Certificate:

    EJBCA TLS check certificate
  4. Various information about the certificate is displayed. For Common Name (CN), you will find the value node1-tls-app:

    EJBCA CN value for TLS

To create a new TLS server certificate for the Application Interface, proceed as follows:

  1. Open the tab Access > Server TLS certificates in WebConf.

  2. In the section Application Interface, click Generate new key pair.

    WebConf Access tab
  3. Click Create CSR to create a CSR.

    WebConf Create CSR
  4. Click Download CSR to download the CSR.

    WebConf Download CSR
  5. In the EJBCA Admin Web, go to RA Functions > Search End Entities.

  6. In the Search end entity with username field, enter tls_app and click Search.

    EJBCA Search End Entities
  7. In the Edit End Entity page, specify the following:

    • Status: Set to New
    • Password: Set to foo123
    • CN, Common name: Set to node1-tls-app-new
    • Token (section Main certificate data): Set to User Generated

    EJBCA Edit End Entity
  8. Navigate to the Public Web and click Create Certificate from CSR in the section Enroll.

    EJBCA Create Certificate from CSR
  9. In the Enroll page, specify the following and click OK:

    • Username: Set to tls_app
    • Enrollment code: Set to foo123
    • Request file: Click Browse and select the file appliance-app.csr.pem
    • Result type: Set to PEM - full certificate chain.

    EJBCA Enroll
  10. Save the PEM file with name node1tlsappnew.pem.

    EJBCA Save certificate chain
  11. Navigate to Access > Server side SSL/TLS configuration in Web Conf and click the Browse button for Next chain to upload the file node1tlsappnew.pem.
  12. Click the action Activate new cert to activate the certificate chain to the server. The procedure will take a while until the new TLS certificate will be active.

    WebConf: Activate certificate chain
  13. Confirm that the server is using the new certificate by refreshing the application pages and then trust the new connection when promped. The new certificate is displayed as shown in figure EJBCA TLS check.
  14. Verify the certificate used for the TLS connection and confirm that it is the new certificate with the new CN node1-tls-app-new.

    EJBCA TLS cert CN

This new TLS certificate will now be used each time you login to the application interface.