Installing Certificates

Background

All appliances automatically generate self-signed certificates, which work perfectly for testing, evaluating and possibly for limited deployments. For production systems, you'd want to generate a “proper”, CA-signed certificate for your appliance.

When creating CA-signed certificates, there are a few steps:

  1. Generate the Private Key
  2. Generate a Certificate Signing Request
  3. Install the Certificate and possibly the Certificate Chain on the server

If you only want to install a certificate for demo/test purposes, it's recommended to use a RapidSSL Free 30 day certificate.

Generate the Private Key

The private key will only need to be generated once and will only be re-generated if it ever becomes compromised. When the system boots for the first time, it will automatically generate a private key.

Generate a Certificate Signing Request

This is handled in the appliances from System → Certificates → Generate CSR, where you fill out Country, State, City, Organisation, Organisation Unit and Common Name. From a technical point of view, the only critical value is the Common Name. It needs to match the DNS hostname of the server you're using for the appliance. So if you want your users to browse to https://mailserver.example.com, the Common Name (CN) needs to be mailserver.example.com.

When you hit generate, you will get a paragraph like:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request data)
-----END CERTIFICATE REQUEST-----

This is what you send to your Certificate Authority.

Installing the Certificate in the appliance

When installing Certificates in any of the appliances, you will be presented with this section under System → Certificates → Upload.

In the Certificate & Certificate Chain section, you paste the certificate paragraph that you've got back from the Certificate Authority.

In the Private Key section, if you have followed the guidelines here, you must not change anything: it already holds the private key that matches the certificate. If you generated the key and the Certificate Signing Request somewhere else, you need to paste the key that you used when you generated the Certificate Signing Request.

If your certificate requires intermediate certificates from subordinate Certificate Authorities, please add all intermediate certificates after your certificate in the Certificate section.
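If the key and CSR were generated outside the appliance, it is worth confirming before the upload that the CSR carries the intended Common Name and that the certificate from the CA belongs to the key you are about to paste. The script below is an added example, not part of the original page or the appliance. It assumes the openssl command-line tool is installed; the file names, the helper functions and the self-signed certificate standing in for the CA's reply are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for a key / CSR / certificate set.
# Every file below is a constructed sample written to a temp directory.
set -eu
WORK=$(mktemp -d)
HOST=mailserver.example.com   # hostname users will browse to

# SHA-256 over the public key carried by a private key, CSR or certificate.
pub_fp() {   # $1 = key | req | x509, $2 = PEM file
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout) ;;
    req)  pem=$(openssl req  -in "$2" -noout -pubkey) ;;
    x509) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
    *)    return 2 ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256
}

# Succeeds only when both files parse and carry the same public key.
same_key() {
  a=$(pub_fp "$1" "$2") && b=$(pub_fp "$3" "$4") && [ "$a" = "$b" ]
}

# Common Name taken from the CSR subject.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Constructed samples: a key and CSR, a self-signed certificate standing in
# for the CA's reply, and an unrelated key "generated somewhere else".
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -keyout "$WORK/appliance.key" -out "$WORK/appliance.csr" 2>/dev/null
openssl x509 -req -in "$WORK/appliance.csr" -signkey "$WORK/appliance.key" \
  -days 30 -out "$WORK/issued.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/elsewhere.key" 2>/dev/null

[ "$(csr_cn "$WORK/appliance.csr")" = "$HOST" ] && echo "CSR CN is $HOST"
same_key key "$WORK/appliance.key" x509 "$WORK/issued.crt" &&
  echo "certificate matches the key used for the CSR"
same_key key "$WORK/elsewhere.key" x509 "$WORK/issued.crt" ||
  echo "mismatch: this key does not belong to the certificate"
```

With real files, point `same_key` and `csr_cn` at your own key, CSR and the certificate returned by the Certificate Authority instead of the generated samples.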

mailserver/certificates.txt · Last modified: 2011-04-13 10:32 (external edit)