Security: Managing TLS Certificates
The following describes how to renew a TLS certificate. Renewing the TLS certificate may be required to meet your company's security rules. For example, to remove the security warning in the address bar of the browser.
Managing TLS certificates includes the following steps.
Create and Download a New CSR
Your first step for renewing a TLS certificate is to create a new CSR (Certificate Signing Request).
- Log in to your Software Appliance and open the Security page.
- In the TLS CERTIFICATES section, click Create New CSR to open the corresponding form.
Select the Key Algorithm.
- EC prime256v1 (default)
- RSA 4096
- RSA 3072
- RSA 2048
Add Domains. You can enter any IPv4 or IPv6 address. The field also supports any domain name as well as wildcard domains.
- Optionally specify the State/Province (ST) with Country (C), the Locality (L), and the Organization (O) that you want to add to the CSR.
- Click Create CSR to confirm your entries and create the CSR. The TLS Certificates list displays a line for the certificate awaiting issuance.
- In this line, click Download CSR to download and save the new CSR:
You can now proceed with creating a new certificate.
Create and Download the TLS Certificate
You can use your Certificate Authority (CA) in EJBCA to create a new certificate and download it.
The following describes the basic steps for making a certificate request and issue a certificate using the EJBCA RA user interface.
Note that the options available depends on your role, and when there is only one choice available and thus no selection to be made, the option is not displayed on the page. To view these predefined options, click Show details in the bottom-right of each section. For more information, refer to the EJBCA Documentation on Creating Certificates on the RA.
To create and download the TLS certificate in EJBCA, do the following:
- Click Overview in the Software Appliance.
- In the Application Overview, select Admin Web to go to EJBCA.
- In EJBCA, select the RA Web menu option.
- In the EJBCA RA UI, click Make New Request.
- In the Select Request Template Certificate subtype field, select Server.
- Select the Key-pair generation option Provided by user to use the CSR to issue a new certificate using your trusted CA.
- Click Browse under Upload CSR and select the PEM file downloaded in step Create and Download a New CSR.
- Scroll down to Provide User Credentials and specify a Username.
- Click Download PEM full chain to issue the certificate and click Save to store the file.
You can create a new certificate using the Certificate Authority (CA) of your organization's choice. The following example describes the basic steps for making a certificate request and issue a certificate using the EJBCA CA. For more information, see EJBCA Documentation.
To create and download the TLS certificate in EJBCA, do the following:
- In EJBCA, select the RA Web menu option.
- In the EJBCA RA UI, click Make New Request.
- In the Select Request Template Certificate subtype field, select Server.
- Select the Key-pair generation option Provided by user to use the CSR to issue a new certificate using your trusted CA.
- Click Browse under Upload CSR and select the PEM file downloaded in step Create and Download a New CSR.
- Scroll down to Provide User Credentials and specify a Username.
- Click Download PEM full chain to issue the certificate and click Save to store the file.
For more information, refer to the EJBCA Documentation on Creating Certificates on the RA.
Next, to activate the new certificate, see Upload and Activate the TLS Certificate.Certificate Rules
The Software Appliance will check the new certificate against the following rules:
- All domains in the certificate must match the ones in the generated CSR.
- The public key of the certificate must match with the public key of the CSR.
- The certificate chain of the certificate must be correct.
- The certificate must have the digitalSignature flag set for KeyUsage.
- The Extended Key Usage of the certificate must include server authentication.
Upload and Activate the TLS Certificate
The following describes how to activate the new certificate in the user interface of the Software Appliance:
- Log in to your Software Appliance and open the Security page.
In the section TLS CERTIFICATES, click Upload Certificate for the certificate that is waiting for issuance:
- Select and upload the newly created TLS certificate.
The option Activate Certificate appears. Click to activate the new certificate. The former certificate becomes inactive: