Installing a TLS Certificate
  • 15 Aug 2022

Perform the following steps to install a certificate on CTERA Portal:

  1. Note the Portal's DNS Suffix
  2. Obtain a TLS Certificate
  3. Generate a Certificate Signing Request
  4. Sign the Certificate Request
  5. Validate and Prepare Certificates for Upload
  6. Install the Signed Certificate on CTERA Portal

Note the Portal's DNS Suffix

Note the CTERA Portal's DNS suffix so that you have it for later steps.

To view your portal's DNS suffix:

  1. In the global administration view, select Settings in the navigation pane.
  2. Select Global Settings under SETTINGS in the Control Panel page.
    The Global Settings window is displayed.
  3. The DNS Suffix field displays the CTERA Portal's DNS suffix.

Obtain a TLS Certificate

It is necessary to obtain a valid certificate for production services signed either by a well-known certificate authority or by your own internal certificate authority.

Note

You can connect with a device to the portal using a dummy certificate. Using a dummy certificate is recommended for testing purposes only and user confirmation is required upon every attempt to connect to the portal in order to proceed with the connection.

The TLS certificate can be either of the following:

  • A wildcard certificate
    A wildcard TLS certificate secures your website's URL and an unlimited number of its subdomains. For example, a single wildcard certificate for *.example.com can secure both company01.example.com and company02.example.com
    A wildcard certificate is mandatory if you plan for your service to consist of more than one virtual portal.
  • A domain certificate
    A domain certificate secures a single domain or subdomain only. For example: company01.example.com
    This option is relevant if you are planning to provision a single virtual portal only.
    Note

    CTERA Portal also supports certificates with Subject Alternative Names (SAN certificates). This option enables you to secure multiple domain names with a single certificate.

Generate a Certificate Signing Request

The next step is to generate a certificate signing request (CSR) for your domain using CTERA Portal. This requires a CTERA Portal Administrator account.

Warning

CTERA Portal generates a built-in certificate that is not suitable for production. This certificate is valid for testing purposes only, as it is not signed by a well-known certificate authority.

To generate a certificate signing request for your domain:

  1. In the global administration view, select Settings in the navigation pane.
  2. Select SSL Certificate under SETTINGS in the Control Panel page.
    The SSL Certificate window is displayed.
  3. Click REQUEST CERTIFICATE.
    The Create a Certificate Request window is displayed.
  4. Specify the following mandatory field:
    Domain Name – The domain name for which you would like to request a certificate.
    The value entered must match the type of certificate you chose to use. For example, if you chose a wildcard certificate, the domain name might be *.ctera.com. If multiple virtual portals are configured, each virtual portal has its own DNS name and the TLS certificate should be a wildcard certificate.
    If you have only one portal, and do not intend to configure multiple virtual portals, then it is sufficient to purchase a regular TLS certificate and not a wildcard certificate.
    To request a certificate that specifies multiple alternative names, enter the multiple names in this field, separated by semicolons. The certificate will include the subjectAltName certificate extension.
  5. You can also specify the following optional fields:
    Organizational Unit – The name of your organizational unit.
    Organization – The name of your organization.
    City – Your city.
    State – Your state.
    Country – Your country.
  6. Click GENERATE.
    A key pair is generated and stored on the portal and the Download a certificate request screen is displayed.
  7. Click DOWNLOAD.
    The certificate request file certificate.req is downloaded to your computer.
  8. Click CLOSE.
    The SSL Certificate window Certificate Request area indicates that the certificate request is pending.
Warning

When you generated the CSR, a private.key file was registered in the CTERA Portal. If you now generate a new CSR, it will override the existing private.key file, and signing the old CSR will result in an error message indicating that the CSR does not match the private.key file. Therefore, do not generate a new CSR before installing the signed certificate.

Sign the Certificate Request

To sign the certificate request:

  1. Send the certificate.req file you generated to your certificate authority for signing.
    If the request is successful, the certificate authority will send back an identity certificate that is digitally signed with the certificate authority's private key.
    Note

    The certificate authority should return a base-64 encoded identity certificate.

  2. Open the identity certificate and verify that the Issued to field includes the DNS suffix you provided upon creating the certificate request.
  3. Build a certification chain from your identity certificate to your trusted root certificate.
    In order to do this, you will need to obtain all of the intermediate certificates, as well as your root certificate authority's self-signed certificate.
    If you are using a well-known certificate authority, the intermediate certificates and the root certificate authority's self-signed certificate can be downloaded from your certificate authority website. If you are using your own internal certificate authority, contact the necessary entity to provide you with the required intermediate and self-signed certificate.

Validate and Prepare Certificates for Upload

To validate and prepare certificates for upload:

  1. Verify that none of the certificates in the certificate chain are corrupted or using invalid encoding.
    To do so, open each certificate in a program such as Notepad or Word, and verify that it contains the following:
    -----BEGIN CERTIFICATE-----
    <CERTIFICATE CONTENT>
    -----END CERTIFICATE-----
  2. Rename the identity certificate issued to "*.ctera.com" to certificate.crt
  3. Change the file extension of the other certificates in the certificate chain to "crt".
    For example, certificate-name.crt
  4. Archive all of the certificates – the identity certificate, the intermediary certificates, and the root self-signed certificate – in a ZIP file called certificate.zip
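
A scripted version of the validation and packaging steps above, as an added example that is not CTERA's code: it checks the PEM framing, the base-64 body and the outer DER length of each file, refuses private key material, and writes certificate.zip with the file names the steps call for. The function names, the one-certificate-per-file and ASCII-only rules, and the sample blob are assumptions of this example; it does not verify signatures or chain trust.

```python
import base64
import re
import zipfile
from pathlib import Path

# Exact PEM framing: five dashes on each side, no spaces inside the markers.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END CERTIFICATE-----")

def check_pem_certificate(text):
    """Return the DER bytes of the single certificate in text; raise ValueError if malformed."""
    if "PRIVATE KEY-----" in text:
        raise ValueError("file contains private key material")
    blocks = PEM_CERT.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected 1 certificate block, found {len(blocks)}")
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    # The body must be one DER SEQUENCE whose declared length covers every
    # decoded byte; a mismatch means the file was truncated or altered.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE")
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match decoded size")
    return der

def build_certificate_zip(identity, chain, out="certificate.zip"):
    """Validate each file, then write the ZIP using the names from the steps above."""
    members = [("certificate.crt", Path(identity))]
    members += [(Path(p).stem + ".crt", Path(p)) for p in chain]
    names = [name for name, _ in members]
    if len(set(names)) != len(names):
        raise ValueError("two certificates would get the same .crt name")
    # Read as ASCII: a UTF-16 or BOM-prefixed save from an editor fails here.
    checked = [(n, p.read_text(encoding="ascii")) for n, p in members]
    for _, text in checked:
        check_pem_certificate(text)
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in checked:
            zf.writestr(name, text)
    return names

# Constructed sample (DER-shaped filler, not a real certificate) for a dry run.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n{}-----END CERTIFICATE-----\n".format(
    base64.encodebytes(b"\x30\x82\x01\x00" + bytes(256)).decode())
```

Call build_certificate_zip with the identity certificate first and the intermediate and root certificates as the chain list; any ValueError names the file problem to fix before uploading.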

Install the Signed Certificate on CTERA Portal

If you have a valid signed certificate, install it and replace the built-in certificate.

  1. In the global administration view, select Settings in the navigation pane.
  2. Select SSL Certificate under SETTINGS in the Control Panel page.
    The SSL Certificate window is displayed. The Certificate Request area indicates that the certificate request is pending.
  3. Click INSTALL SIGNED CERTIFICATE.
    The Upload Certificate window is displayed.
  4. Click Upload and browse to the file you created.
    All the certificates in the certificate chain must be present in the ZIP file in Base-64 encoded X.509 format, and each file must have a .crt extension.
  5. Click FINISH.
    The certificate is installed on CTERA Portal.
  6. Restart all the CTERA Portal servers. See Restarting a Server.
  7. Browse to your CTERA Portal and verify that the certificate updated successfully.
    You should not receive any security exception messages.
