Installing Certificates

Background

All appliances automatically generate a self-signed certificate, which works for testing and evaluation. For production systems, you will want to obtain a “proper” CA-signed certificate for your appliance.

When creating CA-signed certificates, there are a couple of steps:

  1. Generate the Private Key
  2. Generate a Certificate Signing Request
  3. Install the Certificate and possibly the Certificate Chain on the server

If you only want to install a certificate for demo/test purposes, it is recommended to use a RapidSSL Free 30-day certificate.

Generate the Private Key

The private key only needs to be generated once, and only needs to be re-generated if it is ever compromised. When the system boots for the first time, it automatically generates a private key.

Generate a Certificate Signing Request

This is handled in the appliances under System → Certificates → Generate CSR, where you fill out Country, State, City, Organisation, Organisation Unit and Common Name. From a technical point of view, the only critical value is the Common Name: it must match the DNS hostname you use for the appliance. So if you want your users to browse to https://filetransfer.example.com, the Common Name (CN) needs to be filetransfer.example.com.

When you hit generate, you will get a paragraph like:

-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded request body]
-----END CERTIFICATE REQUEST-----

This is what you send to your Certificate Authority.

Installing the Certificate in the appliance

When installing certificates in any of the appliances 1), you will find the upload form under System → Certificates → Upload.

In the Certificate section, paste the certificate paragraph that you got back from the Certificate Authority.

In the Private Key section, if you have followed the guidelines here, you must not change anything: this is the private key that matches the certificate. If you generated the key and the Certificate Signing Request somewhere else, you need to paste the key that you used when you generated the Certificate Signing Request.

Sometimes you need to enter a Certificate Chain. This is needed for Certificate Authorities that are subordinates of another Certificate Authority. A very common, and cheap, Certificate Authority is GoDaddy with their TurboSSL certificates. GoDaddy does not have their Root Certificate in any browser; instead, they are a subordinate of another Certificate Authority whose Root Certificate is in all browsers. So to make this work (and not get the certificate warning in your browser) you have to use the contents of gd_bundle.crt for Apache from https://certs.godaddy.com/Repository.go. This tells the browser, when it connects to the appliance, how to verify the certificate up to the proper Root Certificate.

If you need to enter a certificate chain, upload it in the Certificate section, after the certificate paragraph you got back from the Certificate Authority. To clarify: both the certificate and the certificate chain go in the Certificate section, the certificate first and the chain after it.
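Before pasting a bundle into the Certificate section, it is worth checking that it contains only certificates, that the first one carries the hostname as its Common Name, and that each following certificate is the issuer of the one before it. The script below is an added example, not part of the appliance or of this page; it compares DER-encoded Names structurally and does not verify signatures, and the hostname argument is whatever you typed as the CSR Common Name.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"            # id-at-commonName as a DER OBJECT IDENTIFIER

def pem_blocks(text):
    # [(label, DER bytes)] for every PEM block in the pasted text
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def tlv(buf, pos=0):
    # Parse one DER TLV at pos -> (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(cert_der):
    # Raw DER of the issuer and subject Names of an X.509 cert (structure only, no signature check)
    _, tbs, _ = tlv(tlv(cert_der)[1])        # Certificate -> TBSCertificate
    tag, _, pos = tlv(tbs)                   # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = tlv(tbs, pos)            # serialNumber
    _, _, pos = tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, issuer, pos = tlv(tbs, pos)
    _, _, pos = tlv(tbs, pos)                # validity
    return issuer, tlv(tbs, pos)[1]

def common_name(name_der):
    # CN string from a DER Name, or None when there is no CN attribute
    i = name_der.find(CN_OID)
    return None if i < 0 else tlv(name_der, i + len(CN_OID))[1].decode("utf-8", "replace")

def check_certificate_section(text, hostname):
    # Problems with what is about to be pasted into the Certificate section; [] means it looks right
    blocks = pem_blocks(text)
    problems = [f"{label} block pasted here; only certificates belong in this section"
                for label, _ in blocks if label != "CERTIFICATE"]
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        return problems + ["no CERTIFICATE block found"]
    names = [issuer_subject(c) for c in certs]   # (issuer, subject) per certificate
    if (cn := common_name(names[0][1])) != hostname:
        problems.append(f"first certificate CN {cn!r} does not match hostname {hostname!r}")
    for i in range(len(certs) - 1):          # server cert first, then each issuer in turn
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 2} is not the issuer of certificate {i + 1}")
    return problems
```

Run it as `check_certificate_section(open("bundle.pem").read(), "filetransfer.example.com")`; an empty list means the order and the CN look right, anything else names what to fix before uploading.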

1) the certificate chain was added in Filetransfer Appliance v1.0.2 and Mailserver 4.4
filetransfer/certificates.txt · Last modified: 2011-04-13 10:32 (external edit)