Installing a TLS Certificate

Perform the following steps to install a certificate on CTERA Portal:

  1. Note the Portal's DNS Suffix
  2. Obtain a TLS Certificate
  3. Generate a Certificate Signing Request
  4. Sign the Certificate Request
  5. Validate and Prepare Certificates for Upload
  6. Install the Signed Certificate on CTERA Portal

Note the Portal's DNS Suffix

Note the CTERA Portal's DNS suffix so that you have it for later steps.

To view your portal's DNS suffix:

  1. In the global administration view, select Settings in the navigation pane.
  2. Select Global Settings under SETTINGS in the Control Panel page.
    The Global Settings window is displayed.
  3. The DNS Suffix field displays the CTERA Portal's DNS suffix.

Obtain a TLS Certificate

It is necessary to obtain a valid certificate for production services signed either by a well-known certificate authority or by your own internal certificate authority.

Note

You can connect a device to the portal using a dummy certificate. A dummy certificate is recommended for testing purposes only: the user must confirm every attempt to connect to the portal before the connection proceeds.

The TLS certificate can be either of the following:

  • A wildcard certificate
    A wildcard TLS certificate secures your website's URL and an unlimited number of its subdomains. For example, a single wildcard certificate for *.example.com can secure both company01.example.com and company02.example.com.
    A wildcard certificate is mandatory if you plan for your service to consist of more than one virtual portal.
  • A domain certificate
    A domain certificate secures a single domain or subdomain only. For example: company01.example.com
    This option is relevant if you are planning to provision a single virtual portal only.
    Note

    CTERA Portal also supports certificates with Subject Alternative Names (SAN certificates). This option enables you to secure multiple domain names with a single certificate.

Generate a Certificate Signing Request

The next step is to generate a certificate signing request (CSR) for your domain using CTERA Portal. This requires a CTERA Portal Administrator account.

Warning

CTERA Portal generates a built-in certificate that is not suitable for production. This certificate is valid for testing purposes only, as it is not signed by a well-known certificate authority.

To generate a certificate signing request for your domain:

  1. In the global administration view, select Settings in the navigation pane.
  2. Select SSL Certificate under SETTINGS in the Control Panel page.
    The SSL Certificate window is displayed.
  3. Click REQUEST CERTIFICATE.
    The Create a Certificate Request window is displayed.
  4. Specify the following mandatory field:
    Domain Name – The domain name for which you would like to request a certificate.
    The value entered must match the type of certificate you chose to use. For example, if you chose a wildcard certificate, the domain name might be *.ctera.com. If multiple virtual portals are configured, each virtual portal has its own DNS name and the TLS certificate should be a wildcard certificate.
    If you have only one portal, and do not intend to configure multiple virtual portals, then it is sufficient to purchase a regular TLS certificate and not a wildcard certificate.
    To request a certificate that specifies multiple alternative names, enter the multiple names in this field, separated by semicolons. The certificate will include the subjectAltName certificate extension.
  5. You can also specify the following optional fields:
    Organizational Unit – The name of your organizational unit.
    Organization – The name of your organization.
    City – Your city.
    State – Your state.
    Country – Your country.
  6. Click GENERATE.
    A key pair is generated and stored on the portal and the Download a certificate request screen is displayed.
  7. Click DOWNLOAD.
    The certificate request file certificate.req is downloaded to your computer.
  8. Click CLOSE.
    The SSL Certificate window Certificate Request area indicates that the certificate request is pending.
Warning

When you generated the CSR, a private.key file was registered in the CTERA Portal. If you now generate a new CSR, it overwrites the existing private.key file, and signing the old CSR will result in an error message indicating that the CSR does not match the private.key file. Therefore, do not generate a new CSR before installing the signed certificate.

Sign the Certificate Request

To sign the certificate request:

  1. Send the certificate.req file you generated to your certificate authority for signing.
    If the request is successful, the certificate authority will send back an identity certificate that is digitally signed with the certificate authority's private key.
    Note

    The certificate authority should return a base-64 encoded identity certificate.

  2. Open the identity certificate and verify that the Issued to field includes the DNS suffix you provided upon creating the certificate request.
  3. Build a certification chain from your identity certificate to your trusted root certificate.
    In order to do this, you will need to obtain all of the intermediate certificates, as well as your root certificate authority's self-signed certificate.
    If you are using a well-known certificate authority, the intermediate certificates and the root certificate authority's self-signed certificate can be downloaded from your certificate authority website. If you are using your own internal certificate authority, contact the necessary entity to provide you with the required intermediate and self-signed certificate.

Validate and Prepare Certificates for Upload

If you received DER-encoded certificates, use SSH to log in as root to the server and run the following command to convert each one to PEM encoding:

    openssl x509 -inform der -in certificate_name.cer -out certificate.cer

To validate and prepare certificates for upload:

  1. Verify that none of the certificates in the certificate chain are corrupted or using invalid encoding.
    • Open each certificate in a program such as Notepad or Word, and verify that it contains the following:
      -----BEGIN CERTIFICATE-----
      ...certificate_content...
      -----END CERTIFICATE-----
      
  2. Rename the identity certificate issued to *.ctera.me to certificate.crt
  3. Change the file extension of the other certificates in the certificate chain to .crt
    For example, certificate-name.crt
  4. Archive all of the certificates, the identity certificate, the intermediary certificates, and the root self-signed certificate, in a ZIP file called certificate.zip.
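
The checks in this section can be scripted before the ZIP file is built. The following is an added example, not CTERA tooling: it assumes a POSIX shell with the openssl command-line tool, and the function names and argument order are chosen here for illustration. It confirms that each file is PEM-encoded, that the identity certificate carries the public key of the pending certificate.req, and that the chain verifies up to the root.

```bash
# Pre-upload checks for the files that will go into certificate.zip.
# Usage: check_upload_set <csr> <identity-cert> <root-cert> [intermediate-cert ...]
# Function names and argument order are illustrative, not part of CTERA Portal.

is_pem_cert() {
    # True when the file has the BEGIN/END CERTIFICATE armor and parses as X.509.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -noout 2>/dev/null
}

cert_matches_csr() {
    # The identity certificate must carry the public key of the pending request;
    # a CSR regenerated after signing has a different key pair and fails here.
    local csr_key cert_key
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

chain_verifies() {
    # identity certificate -> intermediates (if any) -> self-signed root.
    local identity="$1" root="$2" bundle rc=0
    shift 2
    if [ "$#" -gt 0 ]; then
        bundle=$(mktemp) || return 1
        cat "$@" > "$bundle"
        openssl verify -CAfile "$root" -untrusted "$bundle" "$identity" >/dev/null 2>&1 || rc=$?
        rm -f "$bundle"
    else
        openssl verify -CAfile "$root" "$identity" >/dev/null 2>&1 || rc=$?
    fi
    return "$rc"
}

check_upload_set() {
    [ "$#" -ge 3 ] || { echo "usage: check_upload_set csr identity root [intermediate ...]" >&2; return 64; }
    local csr="$1" identity="$2" root="$3" f
    shift 3
    for f in "$identity" "$root" "$@"; do
        is_pem_cert "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
    done
    cert_matches_csr "$csr" "$identity" || { echo "certificate does not match $csr" >&2; return 2; }
    chain_verifies "$identity" "$root" "$@" || { echo "chain does not verify to $root" >&2; return 3; }
    echo "ok: rename the files to .crt and archive them as certificate.zip"
}
```

A non-zero return identifies the failed check: 1 for encoding, 2 for a certificate that does not match the request, 3 for an incomplete or broken chain.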

Install the Signed Certificate on CTERA Portal

Once you have obtained a TLS certificate you must install it on CTERA Portal. The certificate must match the pending certificate request and keypair.

To install a TLS certificate:

  1. In the global administration view, select Settings in the navigation pane.
    The Control Panel page is displayed.
  2. Select SSL Certificate under SETTINGS in the Control Panel page.
    The SSL Certificate window is displayed. The Certificate Request area indicates that the certificate request is pending.
  3. Click INSTALL SIGNED CERTIFICATE in the Certificate Request area of the SSL Certificate window.
    The Upload Certificate window is displayed.
  4. Click Upload and browse to the certificate.zip file you created. All the certificates in the certificate chain must be in the ZIP file in X.509 format, and each file must have a ".crt" extension.
    The certificate is installed on CTERA Portal.
    Note

    If you receive the following error:

      Caused by: java.lang.ClassCastException: class com.safelogic.cryptocomply.asn1.pkcs.PrivateKeyInfo cannot be cast to class org.bouncycastle.openssl.PEMKeyPair (com.safelogic.cryptocomply.asn1.pkcs.PrivateKeyInfo is in module ccj@3.0.0 of loader 'app'; org.bouncycastle.openssl.PEMKeyPair is in unnamed module of loader java.net.URLClassLoader @5ccd43c2)
        at com.ctera.security.CA.generateKeyStore(CA.java:427)

    do the following:

    1. Using SSH, log in as root to the server.
    2. In the command line, enter the following command: openssl rsa -in private.key -out <privateun.key>
      where privateun.key is the name of the private key.
    3. Use the private.key in the zip file created in Validate and Prepare Certificates for Upload.
  5. Click FINISH.
  6. Restart all the CTERA Portal servers. See Restarting a Server.
  7. Browse to your CTERA Portal and verify that the certificate updated successfully.
    You should not receive any security exception messages.
