Configuring HTTPS with a self-signed certificate - BlueCat Address Manager - 8.3.2

Address Manager Administration Guide


Configure HTTPS support using a self-signed SSL certificate generated by Address Manager.

Note: For usability and convenience, BlueCat recommends this method for configuring HTTPS.

To configure HTTPS support with a self-signed certificate:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under User Management, click Secure Access.
  3. Under General, complete the following:
    • Select Server—by default, this is the IP address of a standalone Address Manager server. If running Address Manager in replication, use the drop-down menu to select the IP address of Primary or Standby Address Manager servers.
    • HTTP—from the drop-down menu, select either Enable, Disable, or Redirect to HTTPS.
      Note: Redirect to HTTPS
      Selecting Redirect to HTTPS will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTPS enabled to use Redirect to HTTPS.
      • If the Address Manager domain name is configured to resolve to an IPv6 address, enabling Redirect to HTTPS will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
    • HTTPS—from the drop-down menu, select Enable.
      Important: Disabling HTTPS

      You cannot disable HTTPS if HTTP is configured to redirect to HTTPS. For more information on disabling HTTP or HTTPS, refer to Disabling HTTP or HTTPS.

  4. Under Server Certificate Settings, select Self-Signed.
    Note: The self-signed certificate will be saved to the Address Manager database. If you need to upload or configure a custom SSL certificate, refer to Configuring HTTPS with custom certificates.
  5. Under Self-Signed Certificate, complete the following:
    • Days valid—the number of days the certificate will be valid (by default, 365).
    • Common Name—enter the DNS hostname of the Address Manager server.
    • Organization—enter the name of your organization.
    • Department—enter the name of your department or division.
    • City—enter the name of your city or municipality.
    • State/province (full name)—enter the full name of your state or province. Abbreviations will not be accepted.
    • Country Code (two letter code)—enter your country’s two-letter country code according to the ISO 3166-1 alpha-2 standard. For example, US=United States, CA=Canada, GB=Great Britain, DE=Germany. The country code must use capital letters.
    • Email Address—(optional) enter an email address.
    • Comment—(optional) enter necessary comments on the certificate or its parameters.
    • Key Size—from the drop-down menu, select either 1024, 2048 (default), 4096, or 8192 bits. The larger the key size in bits, the stronger the encryption.
      Note: Key bit sizes

      As a best practice, BlueCat recommends using the default key size of 2048 bits. 1024-bit keys are no longer accepted for digital signatures by the National Institute of Standards and Technology (NIST) and should not be used for new self-signed or custom certificates. The 1024-bit option remains only to support legacy certificates for customers upgrading from earlier versions of Address Manager.

    • Message Digest Algorithm—from the drop-down menu, select either sha256 (default), sha384, or sha512. This is the hash algorithm used for the certificate's digital signature, which validates the authenticity of the certificate.
  6. Click Update. The Confirm Web Access Configuration opens.
  7. Under Confirm Configuration, verify your changes.
    Listed changes will include the IP address of the Address Manager server, HTTP or HTTPS status (enable/disable), and certificate type.
  8. Click Yes. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.

Result:

  1. Log in to Address Manager once the configuration is complete.
    Note: After modifying HTTP or HTTPS, your browser might warn you about an unknown or invalid certificate. This warning will cease once you accept the certificate and log in to Address Manager.
  2. From the certificate warning, proceed to the site. Depending on your browser, this might entail clicking a button or creating an exception.
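
Before accepting the browser exception, the certificate can be checked against the values chosen in step 5. The script below is an added example, not BlueCat code: it audits key size, digest, Common Name and remaining validity with the openssl CLI and prints the SHA-256 fingerprint to compare with the one the browser displays. The function names, the 30-day threshold, the RSA-only assumption and the hostname `bam.example.test` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not BlueCat code). Requires the openssl CLI; assumes RSA keys.

# audit_cert FILE EXPECTED_CN -> prints findings, returns 0 only if all pass.
audit_cert() {
    cert=$1; want_cn=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # Key Size: 1024-bit keys are legacy-only, so require at least 2048.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL key size: ${bits:-?} bits"; rc=1; }

    # Message Digest Algorithm: only the values the form offers.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        sha256With*|sha384With*|sha512With*) ;;
        *) echo "FAIL digest: $sig"; rc=1 ;;
    esac

    # Common Name: must equal the DNS hostname used to reach the server.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    [ "$cn" = "$want_cn" ] || { echo "FAIL common name: $cn"; rc=1; }

    # Days valid: flag a certificate that expires within 30 days.
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "FAIL validity: expires within 30 days"; rc=1; }

    # Fingerprint to compare with the one the browser shows before accepting.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
    return $rc
}

# make_sample OUT DAYS CN -> constructed throwaway certificate with the
# form's defaults (2048-bit key, sha256); all subject values are placeholders.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/C=CA/ST=Ontario/L=Toronto/O=Example/OU=IT/CN=$3" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/bam.pem" 365 bam.example.test
audit_cert "$tmp/bam.pem" bam.example.test && echo "PASS"
```

To audit the live server instead of the constructed sample, save its certificate to a file first (for example with `openssl s_client -connect <host>:443 </dev/null | openssl x509 -out bam.pem`) and pass that file to `audit_cert`.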