Networking-Forums.com

General Category => Forum Lobby => Topic started by: Dieselboy on September 22, 2016, 02:30:16 AM

Title: Certified SSL Certificate Expert
Post by: Dieselboy on September 22, 2016, 02:30:16 AM
At 16:47 I had finished the task I was working on, and next on the list was to set up a CA signed cert for use on a new piece of equipment. I made a joke to my colleague that I had 13 minutes to do it before the end of my day.
I had to generate a CSR, submit to the CA, download and import the signed cert from the CA into the appliance.

At 16:58 I was finished ;)

Here are the brief steps:
- log in to the appliance and run the cert-gen CLI (from the vague documentation). I was a bit confused about their document, so I tried to enter the command without any switches / variables expecting an error with some CLI context help. Instead I got a CSR printed to the screen
- Copy CSR to a file in the secure area in case it's needed in the future
- Log into the CA, click new cert, paste CSR into the CA CSR box and give the FQDN hostname of the appliance I need to secure and Click submit
- Click download to get the zip file with the certs: root/intermediate/signed-cert
- unzip the file
- in the appliance, follow the vague document to import the CA root/intermediate certs. It did not specify how to import the certs individually, so I opened both the ROOT and Intermediate certs with notepad++, copied the Intermediate cert and pasted it underneath the ROOT cert in notepad++ and left the ----START and ----END lines intact
- went back to the appliance and entered the CLI command to import the CA cert, and it asked me to paste it in. I then pasted the whole lot as described above - no errors
- in the appliance, entered the command to import the CA signed cert and I received a prompt to paste it in. I opened the cert in notepad++ and pasted it in
- received a message that it's all good and HTTPS would be restarting
- waited a few seconds then visited my FQDN and see a nice green Padlock icon

That. Easy.

I remember I used to always struggle with certs but if only someone had explained to me how it works I wouldn't have struggled at all - it's easy.

1. So you get a CSR done, which creates a private key, and the CSR contains the public key of this (you can create a CSR anywhere, off-box etc., but you need to get that private key installed on the destination box. So it's usually easier to get the box you need to secure to make the CSR for this reason, I've found)
2. With the CSR, go to your CA and provide it there. You might need to do other things depending on the CA. On the CA I use, they simply only ask for the CSR and the FQDN(s). I'm allowed to specify up to 5 FQDNs
3. After submitting and all is good / approved you receive your signed-cert and any root/intermediate certs (need all certs installed on the box to form the cert-chain)
4. Now on the box, in the "cert-trust-store" you need to upload / install all root and intermediate certs in the chain into this "trust" area
5. After completing point 4. you now need to upload or install the signed-cert that will be used by the browser
6. depending on the box you might now need to go to the HTTPS management and select the cert you just uploaded to be actively used
7. done!

It's as easy as 1,2,3,4,5,6 :p
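
A pre-import check for the steps in the post above, added here as an example and not part of the original post or the appliance's tooling. It assumes openssl on an admin workstation and builds a throwaway root/intermediate/appliance chain with constructed names (FQDN and file names are placeholders) so it runs offline; with real files, pass the saved CSR, the signed cert and the root+intermediate bundle to the same functions.

```sh
#!/bin/sh
# Constructed demo PKI: throwaway root -> intermediate -> appliance cert.
# FQDN and file names are placeholders; nothing here is the appliance's CLI.
FQDN=appliance.example.test
D=$(mktemp -d)

build_demo_pki() (   # stands in for the on-box CSR step and the CA's signing
  cd "$D" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n[leaf_ext]\nsubjectAltName=DNS:%s\n' "$FQDN" > c.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Constructed Root" -days 2 -config c.cnf -extensions ca_ext &&
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Constructed Intermediate" -config c.cnf &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 2 -extfile c.cnf -extensions ca_ext &&
  openssl req -newkey rsa:2048 -nodes -keyout box.key -out box.csr \
    -subj "/CN=$FQDN" -config c.cnf &&
  openssl x509 -req -in box.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out box.pem -days 2 -extfile c.cnf -extensions leaf_ext &&
  cat root.pem int.pem > ca-bundle.pem   # root first, intermediate underneath
)

# The signed cert must carry the public key from the CSR the box generated,
# otherwise it will not pair with the private key held on the box.
same_pubkey() {   # $1 = CSR, $2 = signed cert
  k=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Number of certs in a pasted bundle; fails if BEGIN/END markers do not pair up.
bundle_count() {
  b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
  e=$(grep -c -- '-----END CERTIFICATE-----' "$1")
  [ "$b" -eq "$e" ] && echo "$b"
}

# The bundle must build a complete chain for the signed cert.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The FQDN submitted to the CA must be one the cert is valid for.
host_ok() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

build_demo_pki >/dev/null 2>&1 || echo "demo PKI build failed (is openssl installed?)"
same_pubkey "$D/box.csr" "$D/box.pem" && echo "cert matches the box's CSR"
echo "certs in bundle: $(bundle_count "$D/ca-bundle.pem")"
chain_ok "$D/ca-bundle.pem" "$D/box.pem" && echo "chain verifies"
host_ok "$D/box.pem" "$FQDN" && echo "cert covers $FQDN"
```

A bundle that is missing the intermediate fails `chain_ok`, and a cert issued for a different CSR fails `same_pubkey`, so both problems show up before anything is pasted into the appliance.
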
Title: Re: Certified SSL Certificate Expert
Post by: deanwebb on September 22, 2016, 10:16:50 AM
I love self-service SSL cert generation. :)
Title: Re: Certified SSL Certificate Expert
Post by: Dieselboy on September 22, 2016, 08:57:37 PM
It's great and because it's *free* I'm putting them everywhere :)
Title: Re: Certified SSL Certificate Expert
Post by: deanwebb on September 23, 2016, 08:40:32 AM
Just remember, they only work for people with the root and intermediate cert from that CA installed.
Title: Re: Certified SSL Certificate Expert
Post by: Dieselboy on September 27, 2016, 08:41:39 PM
Yep - since it's an internet CA that's no problem.