Installing a TLS Certificate

You can install a new signed certificate or import an existing signed certificate from another portal, described in Importing a TLS Certificate from Another Portal.

Perform the following steps to install a new signed certificate on CTERA Portal:

1. Note the Portal's DNS Suffix
2. Obtain a TLS Certificate
3. Generate a Certificate Signing Request
4. Sign the Certificate Request
5. Validate and Prepare Certificates for Upload
6. Install the Signed Certificate on CTERA Portal

Note the Portal's DNS Suffix

You need the CTERA Portal's DNS suffix for use in later steps.

To view your portal's DNS suffix:

1. In the global administration view, select Settings in the navigation pane.
   The Control Panel page is displayed.
   
2. Select Global Settings, under SETTINGS in the Control Panel page.
   The Global Settings window is displayed.
   
3. Note the CTERA Portal's DNS Suffix in the DNS Suffix field.

Obtain a TLS Certificate

It is necessary to obtain a valid certificate signed either by a well-known certificate authority, such as GoDaddy, or by your own internal certificate authority.

The SSL certificate can be either of the following:

• A wildcard certificate
  A wildcard SSL certificate secures your website URL and an unlimited number of its subdomains. For example, a single wildcard certificate for *.ctera.com can secure both company01.ctera.com and company02.ctera.com, which may be for virtual portals company01 and company02.
  A wildcard certificate is mandatory if you plan for your service to consist of more than one virtual portal.
• A domain certificate
  A domain certificate secures a single domain or subdomain only. For example: company01.ctera.com
  This option is relevant if you are planning to provision a single virtual portal only.

Generate a Certificate Signing Request

You need to generate a certificate signing request, CSR, for your domain. You can generate the CSR from within the CTERA Portal or externally. If you generate the CSR externally, convert the private key file to RSA(PKCS1) format.

To generate a certificate signing request for your domain via CTERA Portal:

1. In the global administration view, select Settings in the navigation pane.
   The Control Panel page is displayed.
2. Select SSL Certificate under SETTINGS in the Control Panel page.
   The SSL Certificate window is displayed.
   
   Note

   On installing the portal you have a trial license and self-signed certificate.

3. Click REQUEST CERTIFICATE.
   The Create a certificate request window is displayed.
   
4. In the Domain Name field, enter the domain name for which you want to request a certificate.
   The value entered must match the type of certificate you chose to use. For example, if you chose a wildcard certificate, the domain name might be *.example.com
   If you chose a domain certificate, the domain name might be company01.example.com, where company01 is the name of your virtual portal.
   If multiple virtual portals are configured, each virtual portal has its own DNS name. In this case, the TLS certificate should be a wildcard certificate with an asterisk before the DNS suffix, for example, *.example.com
   If you have only one portal, and do not intended to configure multiple virtual portals, then use a regular TLS certificate and not a wildcard certificate.
   To request a certificate that specifies multiple alternative names, type the multiple names in this field, separated by semicolons (;). The certificate will include the subjectAltName certificate extension.
5. Optionally, specify the following:
   Organizational Unit – The name of your organizational unit.
   Organization – The name of your organization.
   Email – Your email address.
   City – Your city.
   State – Your state.
   Country – Your country.
6. Click GENERATE.
   A keypair is generated and stored on the portal.
   The Download a certificate request window is displayed.
   
7. Click DOWNLOAD.
8. Click CLOSE.
   The certificate request file certificate.req is downloaded to your computer.
   The Certificate Request area of the SSL Certificate window indicates that the certificate request is pending.
   

Sign the Certificate Request

To sign the certificate request:

1. Send the certificate.req file you generated to your certificate authority for signing.
   If the request is successful, the certificate authority will send back an identity certificate that is digitally signed with the certificate authority's private key.
   Note

   The certificate authority must return a base-64 encoded identity certificate.

2. Open the identity certificate and verify that the Issued to field includes the DNS you provided upon creating the certificate request.
   
3. Build a certification chain from your identity certificate to your trusted root certificate.
   You need to obtain all of the intermediate certificates, as well as your root certificate authority's self-signed certificate.
   If you are using a well-known certificate authority, the intermediate certificates and the root certificate authority's self-signed certificate can be downloaded from your certificate authority website. If you are using your own internal certificate authority, contact the necessary entity to provide you with the required intermediate and self-signed certificate.
   In the above example, the certificate was issued by Go Daddy Secure Certification Authority to .ctera.me . To build the certification chain, obtain a certificate issued to Go Daddy Secure Certification Authority.
   
   To continue the certification chain, you must obtain a certificate issued to the same authority that the previous certificate was issued by. You continue the chain until the certification chain is complete, with the last certificate, which is a self-signed certificate, issued to and by the same entity.

Validate and Prepare Certificates for Upload

If you received certificates with a DER suffix, using SSH, log in as root to the server and in the command line, run the following command to convert it to a PEM suffix: openssl x509 -inform der -in certificate_name.cer -out certificate.cer

To validate and prepare certificates for upload:

1. Verify that none of the certificates in the certificate chain are corrupted or using invalid encoding.
   • Open each certificate in a program such as Notepad or Word, and verify that it contains the following:

     -----BEGIN CERTIFICATE-----
     ...certificate_content...
     -----END CERTIFICATE-----
     

2. Change the identity certificate issued to *.ctera.me to certificate.crt
3. Change the file extension of the other certificates in the certificate chain to crt
   For example, certificate-name.crt
4. Archive all of the certificates, the identity certificate, the intermediary certificates, and the root self-signed certificate, in a ZIP file called certificate.zip.

Install the Signed Certificate on CTERA Portal

Once you have obtained an SSL certificate you must install it on CTERA Portal. The certificate must match the pending certificate request and keypair.

To install aTLS certificate:

1. In the global administration view, select Settings in the navigation pane.
   The Control Panel page is displayed.
2. Select SSL Certificate under SETTINGS in the Control Panel page.
   The SSL Certificate window is displayed.
   
   The Certificate Request area of the SSL Certificatewindow indicates that the certificate request is pending.
   Note

   To cancel a pending request, for example, to make changes to the current certificate request, click Cancel Pending Request and click YES in the confirmation window that is displayed.
   The pending certificate request is canceled.

3. Click INSTALL SIGNED CERTIFICATE in the Certificate Request area of the SSL Certificate window.
   The Upload Certificate window is displayed.
   
4. Click Upload and browse to the certificate.zip file you created. All the certificates in the certificate chain must be in the ZIP file in X.509 format, and each file must have a ".crt" extension.
   Note

   If you receive the following error: Caused by: java.lang.ClassCastException: class com.safelogic.cryptocomply.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMKeyPair (com.safelogic.cryptocomply.asn1.pkcs.PrivateKeyInfo is in module ccj@3.0.0 of loader 'app'; org.bouncycastle.openssl.PEMKeyPair is in unnamed module of loader java.net.URLClassLoader @5ccd43c2) at com.ctera.security.CA.generateKeyStore(CA.java:427) do the following:

   1. Using SSH, log in as root to the server.
   2. In the command line, enter the following command `openssl rsa -in private.key -out <privateun.key>
      where privateun.key is the name of the private key.
   3. Use the private.key in the zip file created in Validate and Prepare Certificates for Upload.
   The certificate is installed on CTERA Portal.
5. Click Open and then FINISH.
6. Restart all the CTERA Portal servers via the Main > Servers page. See Restarting and Shutting Down a Server. You can start the servers in any order.
7. Open the CTERA Portal.
   If the certificate update was successful, there won’t be any security exceptions.