Part IV: Supplemental Installations
Chapter 14: Configure Application Request Routing
14.6 Add Certificates
Use these steps to add certificates to your live and test environments.
14.6.1 Add Certificate for Default Website
Use these steps to add a certificate to use for Default Website in your live or test environment.
1. On your server machine, navigate to IIS Manager.
2. Expand the [ARRServerName] > Sites node. Right-click the Default Web Site node and select the Edit Bindings option.
3. In the Site Bindings dialog, select the https type.
4. Click the Edit button. On the Edit Site Binding dialog, select the IP address for the site binding.
5. In the Port field, enter a port for the connection. For example, enter 443.
6. Enter the Host name for the server.
7. If needed, select the Require Server Name Indication check box.
8. From the SSL Certificate drop-down list, select the IP address that will use the certificate.
9. Click the Select button.
10. The available certificates display in the Select Certificate dialog. Notice you can also search for certificates.
Select the certificate you want to use and click OK.
11. Click OK in the Edit Site Binding dialog. The default web site for the ARR Server now uses the valid certificate you selected.
If you are setting up your live environment, your system is now load balanced using Application Request Routing. However, if you are using self-signed certificates in your test environment, you need to complete the additional tasks described in the next section.
14.6.2 Add Self-Signed Certificates (Test Environment)
Use these steps to add self-signed certificates to your test environment.
To use self-signed certificates in your test environment, the certificates on the ARR Server need to be exported. You then import these certificates into the client machines.
1. Export the self-signed certificate from the ARR Server.
Important: You can only export public key certificates (.cer files). Do not distribute self-signed certificates with private keys (.pfx files) between clients.
a. On your server machine, launch the IIS Manager.
b. From ARR Server, select Server Certificates.
c. In the center pane of the Server Certificates dialog, right-click the self-signed certificate you wish to export and select the Export option.
d. In the Export Certificate dialog, indicate the directory path where you want to export the self-signed certificate. Click the Browse (…) button next to the Export to field.
e. In the Specify save as file name dialog, navigate to the directory path and folder you want to contain the export file.
f. Enter a file name for the self-signed certificate.
g. For the file type, select the *.* wildcard option. Click Open.
h. Enter a Password and then enter this password again in the Confirm Password field. Click OK. The self-signed certificate (.cer file) is exported to your selected directory file location.
2. Import the self-signed certificate from the ARR Server into the Local Computer store on the client machines. This creates a secure connection between the client machines and the ARR Server in your test environment.
a. On your client machine, from Control Panel, launch the Certification Manager.
b. In the tree view, expand the Trusted People > Certificates node. Right-click the Certificates node and select the All Tasks > Import option.
c. The Welcome step of the Certificate Import Wizard explains the purpose of the wizard. Click Next.
d. On the File to Import step, click the Browse (...) button to find and select the self-signed certificate (.cer file). Click Next.
e. Enter a Password for the certificate and click Next.
f. Review your selection and click Finish.
g. Repeat these steps on each client within your test environment.
3. Verify each client installation uses the correct connection to the server. To do this, update the .sysconfig file used to launch the client.
a. Using your explorer, navigate to the config folder on your client installation. For example, C:\Epicor\[EpicorVersion]\Client\config.
b. Open the .sysconfig file in a text editor like Notepad.
c. Update the following settings:
• If you use HttpsOffloadBinaryUserNameChannel, enter
<AppServerURL value="https://[YourARRURL]" />
<EndpointBinding value="HttpsOffloadBinaryUserNameChannel" />
• If you use HttpsBinaryUserNameChannel, enter
<AppServerURL value="https://[YourARRURL]" />
<EndpointBinding value="HttpsBinaryUserNameChannel" />
d. Save the .sysconfig file.
e. Now launch the Epicor client to verify it displays.
4. If you use the HttpsBinaryUserNameChannel protocol binding, you next create self-signed certificates on each server machine. Because your test environment uses an HTTPS protocol, the system needs these certificates to ensure the security of the connection.
a. On your server machine, launch IIS Manager.
b. Create a self-signed certificate for the test environment. From the tree view, select the [YourServerName] node. Then from the middle pane, select Server Certificates.
c. In the Actions pane of the Server Certificates dialog, click the Create Self-Signed Certificate option.
d. In the Specify a friendly name for the certificate field, enter a name for the test certificate. Be sure this name easily identifies the purpose for the certificate.
e. Now select a certificate store for the self-signed certificate. Available options:
• Personal
• Web Hosting
f. Click OK.
g. Repeat these steps for each server you want to load balance in your test environment.
5. Export the self-signed certificate you created on each server machine.
Important: You can only export public key certificates (.cer files). Do not distribute self-signed certificates with private keys (.pfx files) between clients.
a. In IIS Manager, from the [YourServerName] node, select Server Certificates.
b. In the center pane of the Server Certificates dialog, right-click the self-signed certificate you wish to export and select the Export option.
c. In the Export Certificate dialog, indicate the directory path where you want to export the self-signed certificate. Click the Browse (…) button next to the Export to field.
d. In the Specify save as file name dialog, navigate to the directory path and folder you want to contain the export file.
e. Enter a file name for the self-signed certificate.
f. For the file type, select the *.* wildcard option. Click Open.
g. Enter a Password and then enter this password again in the Confirm Password field. Click OK. The self-signed certificate (.cer file) is exported to your selected directory file location.
h. Repeat these steps for each server you want to load balance in your test environment.
6. Import the server certificates into the ARR Server. The ARR Server runs as a client machine to the servers, so the ARR Server needs to trust these servers through a self-signed certificate. To do this:
a. In IIS Manager, from the ARR Server, select Server Certificates.
b. In the Actions pane of the Server Certificates dialog, click Import.
c. In the Import Certificate dialog, either enter the Certificate name or click the Browse (…) button to find and select the exported certificate.
e. If you want to export this certificate again, select the Allow this certificate to be exported check box. Click OK.
f. Repeat these steps to import the server certificates for each server you wish to load balance.
Because the client machines are connected to the ARR Server, they do not need the certificates from the servers. The client machines instead trust the ARR Server's certificate, so these connections are secure.
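One way to confirm this trust relationship from a client machine, as an added example that is not part of the original guide: the function reads AppServerURL and EndpointBinding from the .sysconfig file, fetches the certificate the ARR Server presents, and checks whether that exact certificate is in Local Computer > Trusted People. The function name and the path passed to it are assumptions.

```powershell
# Added example (not from the guide). Run on a client machine after steps 2 and 3.
function Test-ArrClientTrust {
    param([Parameter(Mandatory)][string]$SysconfigPath)   # placeholder path to your .sysconfig file

    # Locate the two settings from step 3 wherever they sit in the file.
    $xml      = [xml](Get-Content -LiteralPath $SysconfigPath -Raw)
    $urlNode  = $xml.SelectSingleNode("//*[local-name()='AppServerURL']")
    $bindNode = $xml.SelectSingleNode("//*[local-name()='EndpointBinding']")
    if (-not $urlNode -or -not $bindNode) { throw 'AppServerURL or EndpointBinding not found.' }

    $uri = [uri]$urlNode.GetAttribute('value')
    if ($uri.Scheme -ne 'https') { throw "AppServerURL is not an https URL: $uri" }

    # Read the certificate the ARR Server presents. The callback accepts any
    # certificate because this connection only inspects it and sends no data.
    $tcp = [System.Net.Sockets.TcpClient]::new($uri.Host, $uri.Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($uri.Host)
        $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }

    # Match by thumbprint against the store used in step 2.
    $trusted = Get-ChildItem Cert:\LocalMachine\TrustedPeople |
        Where-Object Thumbprint -eq $presented.Thumbprint

    [pscustomobject]@{
        AppServerURL       = $uri.AbsoluteUri
        EndpointBinding    = $bindNode.GetAttribute('value')
        PresentedSubject   = $presented.Subject
        Thumbprint         = $presented.Thumbprint
        NotAfter           = $presented.NotAfter
        InTrustedPeople    = [bool]$trusted
        # A client should hold only the public certificate, never the private key.
        ClientHasPrivateKey = [bool]($trusted | Where-Object HasPrivateKey)
    }
}
```

A result with InTrustedPeople false means the client imported a different certificate than the one bound to the ARR site; ClientHasPrivateKey true means a private key was distributed to the client.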
Your test environment is now load balanced using Application Request Routing.
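The Important notes in steps 1 and 5 can be checked before any file leaves the server. This added example (not part of the original guide) inspects each exported file by content, since the export dialog's *.* file type means the extension is not a reliable indicator; the function name and folder path are assumptions.

```powershell
# Added example (not from the guide). Run on the server against the export folder.
function Test-CertFileForDistribution {
    param([Parameter(Mandatory)][string]$Path)   # full path to one exported file

    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    try   { $type = $x509::GetCertContentType($Path) }
    catch { $type = 'Unknown' }                  # not a certificate file at all

    $result = [pscustomobject]@{
        File             = $Path
        ContentType      = "$type"
        Thumbprint       = $null
        NotAfter         = $null
        SafeToDistribute = $false
    }

    # Only a plain X.509 certificate is public-key only. A Pfx (PKCS #12)
    # container can carry the private key, whatever the file is named.
    if ("$type" -eq 'Cert') {
        $cert = $x509::new($Path)
        $result.Thumbprint       = $cert.Thumbprint
        $result.NotAfter         = $cert.NotAfter
        $result.SafeToDistribute = -not $cert.HasPrivateKey
    }
    $result
}

# Placeholder: the directory chosen in the Export Certificate dialog.
$ExportFolder = 'C:\Temp\CertExport'
Get-ChildItem -LiteralPath $ExportFolder -File |
    ForEach-Object { Test-CertFileForDistribution -Path $_.FullName }
```

Any file reported with ContentType Pfx should stay on the server where it was created and not be copied to client machines.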