Sign Certificate by a Third-Party Authority
When self-signed certificates are not sufficient, you sign your certificate using a Third-Party Certificate Authority such as Verisign, Geotrust, or some other Internal Certificate Authority. The workflow to do this:
gateway83
When self-signed certificates are not sufficient, you sign your certificate using a Third-Party Certificate Authority such as Verisign, Geotrust, or some other Internal Certificate Authority. The workflow to do this:
Third-party-certificate-signing
Workflow steps:
- Submit the CSR to the Certificate Authority (CA).
- CA approves the CSR and sends back a public key and certificate chain.
Generate a Certificate Signing Request (CSR)
- Run Manage Private Keys.
- Select the certificate for which you are generating the CSR and then clickProperties.
- In the Private Key Properties, clickGenerate CSR.
- Enter theCSR Subject (DN). This must match the cluster hostname of the Gateways.
- ClickOKto save the CSR file to a specific location on your computer.
Submit the CSR file to the Certificate Authority.
Update the Gateway with the New Certificate
When the Certificate Authority approves your CSR, they will return a public key and a certificate chain for its signing authorities, including intermediaries and Root CAs. Sometimes, both the public key and the certificate chain are included in a single file.
- If you receive a single file, you can import this into the Gateway directly. Proceed to "Update the Gateway" below.
- If they are individual files, you must combine them into a single file manually. The certificates must be in this order in the file:client/server certificateintermediate Certificate Authority 1intermediate Certificate Authority 2root Certificate Authority
Combine Files (if necessary)
To combine individual files into a single file:
- Download the public key and certificate chain files from the Certificate Authority (CA) in PEM format.If the CA did not provide the files in PEM format, you can convert them as follows:a) Run Manage Certificates and import the certificates.b) Export the certificates in the PEM format.
- Open each file in a text editor and select the following sections in the order shown:
- Public key returned from the CA for the CSR submitted:-----BEGIN CERTIFICATE-----MIIDFzCCAf+gAwIBAgIIeyRBqnKDR5gwDQYJKoZIhvcNAQEMBQAwFzEVMBMGA1UEAxMMZXhhbXBsZWludGNhMB4XDTEyMDYyNTE4NDA0NloXDTE0MDYyNTE4NDA0NlowHjEcMBoGA1UEAxMTY2x1c3Rlci5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIouTRZX1P+fAysB...<snip>...JIQ3Cm/UcHlqzgP6R7FbTy9euI1zYiHk0uuV8i/ZDK4Gv7VAMf5MffIOV0dMNLwaFuFwVLepEvzUBD8wauCpcu1mYIE3PfO/1TnvoQrN/If46j2CizX5ojea6rxjYoqEdQWFVNvzHCLwOwc2wrN/LUi+nYxNkmyyeZfRIjwmHri4p3UxWJLcAWvIeWa1gBdLoghBJhmZ5AShppTq+AOXXDzv56R88EZ2-----END CERTIFICATE-----
- Each Intermediary CA and the Root CA:-----BEGIN CERTIFICATE-----MIIDDTCCAfWgAwIBAgIIG+NhXrXD+7QwDQYJKoZIhvcNAQEMBQAwFDESMBAGA1UEAxMJZXhhbXBsZWNhMB4XDTEyMDYyNTE4MzkxOFoXDTE0MDYyNTE4MzkxOFowFzEVMBMGA1UEAxMMZXhhbXBsZWludGNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlCHJff2FseL9NPdDX5l7SecLlGwt...<snip>...FYRnEJ+aEtmtGBugepcvpf66LB853r8Y2w1Q99tSfkPoMPDWcuRQyWM+H4OIm5jBj4NNIkQFsIXzFM92LzyP+GBRwBB06wk8xwJUggEoZlgMAcvV0t5aHND3LKd7F5khUR0HToPXSnrgsOwSvqL/nb8olWaC4NoyRXFjT3AcbXC9zK5W/tj36auhaqzH2EBp/nzqEu6BbFls32801Dw=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIDETCCAfmgAwIBAgIJAL2efffStKM5MA0GCSqGSIb3DQEBDAUAMBQxEjAQBgNVBAMTCWV4YW1wbGVjYTAeFw0xMjA2MjUxODM4MzJaFw0xNzA2MjQxODM4MzJaMBQxEjAQBgNVBAMTCWV4YW1wbGVjYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJlwjzAfTKD5BqtZiNZjbLNSfU3tg2zL...<snip>...Sv3PVXaMNJ+XcHflj4JconiPk5VY0Pjs9dDBPPGsut5XTdooIGrp1I0/E8kkPGFvZ44yl06KgyE0FD7t316k9+eKWrdKwFC7BBoF4AusNBhfvdDlW0/uYEJ0WZc5rsxc1rJLIVAvCqWfc1mfPD48WcuGhV7WgXBBPAYMiSgCPL+R09DQ0P7lzUrqkmIO237lSoih04Azm1Eo0qIPnWBKH+jA-----END CERTIFICATE-----
- Combine all keys/certificates into a new file and save it with the .PEM extension.-----BEGIN CERTIFICATE-----MIIDFzCCAf+gAwIBAgIIeyRBqnKDR5gwDQYJKoZIhvcNAQEMBQAwFzEVMBMGA1UEAxMMZXhhbXBsZWludGNhMB4XDTEyMDYyNTE4NDA0NloXDTE0MDYyNTE4NDA0NlowHjEcMBoGA1UEAxMTY2x1c3Rl...<snip>...BD8wauCpcu1mYIE3PfO/1TnvoQrN/If46j2CizX5ojea6rxjYoqEdQWFVNvzHCLwOwc2wrN/LUi+nYxNkmyyeZfRIjwmHri4p3UxWJLcAWvIeWa1gBdLoghBJhmZ5AShppTq+AOXXDzv56R88EZ2-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIDDTCCAfWgAwIBAgIIG+NhXrXD+7QwDQYJKoZIhvcNAQEMBQAwFDESMBAGA1UEAxMJZXhhbXBsZWNhMB4XDTEyMDYyNTE4MzkxOFoXDTE0MDYyNTE4MzkxOFowFzEVMBMGA1UEAxMMZXhhbXBsZWlu...<snip>...FM92LzyP+GBRwBB06wk8xwJUggEoZlgMAcvV0t5aHND3LKd7F5khUR0HToPXSnrgsOwSvqL/nb8olWaC4NoyRXFjT3AcbXC9zK5W/tj36auhaqzH2EBp/nzqEu6BbFls32801Dw=-----END CERTIFICATE----------BEGIN CERTIFICATE-----MIIDETCCAfmgAwIBAgIJAL2efffStKM5MA0GCSqGSIb3DQEBDAUAMBQxEjAQBgNVBAMTCWV4YW1wbGVjYTAeFw0xMjA2MjUxODM4MzJaFw0xNzA2MjQxODM4MzJaMBQxEjAQBgNVBAMTCWV4YW1wbGVj...<snip>...FD7t316k9+eKWrdKwFC7BBoF4AusNBhfvdDlW0/uYEJ0WZc5rsxc1rJLIVAvCqWfc1mfPD48WcuGhV7WgXBBPAYMiSgCPL+R09DQ0P7lzUrqkmIO237lSoih04Azm1Eo0qIPnWBKH+jA-----END CERTIFICATE-----
- Verify that the new .PEM file is good:# openssl verify<new certificate file>.pemYou should see:<new certificate file>.pem: OK
- Validate the new certificate chain:# perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer"); print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm'<new certificate file>.pemThis displays output similar to the following:---subject= /CN=cluster.example.comissuer= /CN=exampleintca---subject= /CN=exampleintcaissuer= /CN=exampleca---subject= /CN=examplecaissuer= /CN=exampleca
Update the Gateway
Once you have combined all the files into a new certificate (or you received a single file from the CA), upload the combined certificate into the Gateway.
To update the Gateway:
- Run Manage Private Keys.
- Select the certificate from which you generated the CSR and then clickProperties.
- ClickReplace Certificate Chain.
- In the Assign Certificate to Private Key wizard, chooseImport from a Fileand then select the new certificate.
- After completing the wizard, restart the Gateway for the new certificate to take effect.