The Certificate is associated with the Private key created or imported in Configuring a Virtual Server on page 160. The certificate configuration involves one of the following steps:
Import an existing, signed and valid certificate from a Certificate Authority.
Create a Certificate Request which is then exported from the Maestro AFE and sent to a Certificate Authority for validation. The signed certificate received from the Certificate Authority is then imported into the Maestro AFE.
Create a “self-signed” certificate. This certificate is not validated by a Certificate Authority and should typically be used only for testing purposes. Clients accessing accelerated servers using a “self-signed” certificate will receive a security message from their browser.
When an SSL client receives a certificate from a server, it checks the Certificate Authority (CA) that authorized the certificate and if that CA is trusted, then the certificate itself can be trusted. Servers may also send the client a Certificate Chain which is essentially a series of certificates. A Chained Certificate allows SSL hierarchies to be conveyed from a server to a client. In a Chained Certificate, the first certificate is always that of the sender itself (i.e. the server). The second certificate is of the CA that authorized the sender’s certificate. The third certificate is of the CA that authorized the second certificate, and so on. As long as the client can validate the last certificate in the chain, the entire chain is trusted.
The Maestro AFE supports both individual certificates and chained certificates without any special configuration.
Importing or Creating a Certificate
To import a certificate from the CLI
Command Syntax
ssl certificate name key-name {export | import} name
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 import Cert.pem
To import a certificate from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
Figure 67: Importing a Certificate
The Add New Certificate window will be displayed.
3. Even though a certificate will be imported, all fields should still be filled out. If any of the field values are different than those in the actual certificate, they will be overwritten by the correct values from the imported certificate. Make sure the key name specified is the correct key which will correspond with the certificate to be imported.
4. Do not check the “Self Signed” box. Click Apply.
The Maestro AFE will automatically log in and download the file based on the FTP information configured for the ftp-record command.
To create a certificate request from the CLI
The following command generates a new interactive certificate request which is exported to the ftp server and directory specified in ftp-record. Once the command is issued, the user will be prompted to answer a series of questions regarding the Certificate to be requested.
Before a certificate request can be created, a key must be created as discussed in Importing or Creating a Private Key on page 160.
Command Syntax
ssl certificate name key-name [export-name]
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 export Request.pem
Output:
Enter Subject Country (2 characters): US
Enter Subject State: CA
Enter Subject Locality: "San Jose"
Enter Subject Org: "Sample, Co."
Enter Subject Common: www.sample.com
Enter Subject Email address: [email protected]
Use quotation marks for values which contain spaces.
To create a certificate request from the GUI
Before a certificate request can be created, a key must be created as discussed in Importing or Creating a Private Key on page 160.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Certificate icon and click the New button.
3. The Add New Certificate window will be displayed.
Figure 69: Creating a Certificate Request – Add New Certificate 1
4. Specify a name for the certificate and the associated key name for the key created in the previous step. Complete the subject information.
5. Do not check the “Self Signed” box. Click Apply.
7. Check the Export box, and provide the file name of the Certificate Request and click Apply. The Maestro AFE will automatically log in and upload the file based on the FTP information configured for the ftp-record command.
The Certificate Request should then be retrieved from the FTP server and submitted to a Certificate Authority for validation.
Once a signed and valid certificate has been received from the Certificate Authority, it should be placed on the FTP server and uploaded to the Maestro AFE.
8. To upload the certificate, click on the Certificate Name created in the previous step under Services → SSL → Certificates.
9. Check the Import box, and provide the file name of the certificate to be uploaded. Click Apply.
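Both the import procedure and the certificate request procedure above depend on the certificate corresponding to the named key, and both move files through an FTP server, which does not protect them in transit. The following added example (not part of the Maestro AFE manual) checks a request or a signed certificate against the private key on a workstation before submission or import; it assumes the openssl command-line tool and an unencrypted PEM private key, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-submission and pre-import checks with openssl.

# pubkey_of FILE: print the PEM public key held by a private key,
# a certificate, or a certificate request.
pubkey_of() {
    if grep -q 'CERTIFICATE REQUEST-----' "$1"; then
        openssl req -in "$1" -noout -pubkey
    elif grep -q 'BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi
}

# matches_key KEY FILE: exit 0 only if FILE (certificate or request)
# carries the public half of KEY; exit 2 if either file cannot be parsed.
matches_key() {
    key_pub=$(pubkey_of "$1" 2>/dev/null) || return 2
    file_pub=$(pubkey_of "$2" 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$file_pub" ]
}

# request_common_name CSR: print the Common Name the request asks for, so it
# can be compared with the host name clients will actually use.
request_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}
```

For the files named in the examples above, `matches_key` would be run against Request.pem before it is sent to the Certificate Authority and again against the signed certificate before it is placed on the FTP server.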
To create a self-signed certificate from the CLI
A self-signed certificate is not validated by a Certificate Authority and should typically be used only for testing purposes. Clients accessing accelerated servers using a self-signed certificate will receive a security message from their browser.
Command Syntax
ssl certificate name key-name self-signed export export-file-name
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 self-signed export cert-1.pem
To create a self-signed certificate from the GUI
Before a self-signed certificate can be created, a key must be created as discussed in Importing or Creating a Private Key on page 160.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Certificate icon and click the New button.
3. The Add New Certificate window will be displayed.
Figure 71: Creating a Certificate Request – Add New Certificate 2
4. Specify a name for the certificate and the associated key name for the key created in the previous step. Complete the subject information.
5. Check the Self Signed box and specify the number of days the certificate should be valid. Click Submit.