Configuring HTTPS with an existing custom certificate - BlueCat Address Manager - 9.1.0

Address Manager Administration Guide

Upload a pre-configured or existing Certificate Authority (CA) certificate, CA Certificate Bundle, and optional private key.

Note: This method is recommended for customers who have configured HTTPS on previous versions of Address Manager.

To configure HTTPS with a custom uploaded certificate:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under User Management, click Secure Access.
  3. Under General, complete the following:
    • Select Server—by default, this is the IP address of a standalone Address Manager server. If running Address Manager in replication, use the drop-down menu to select the IP address of Primary or Standby Address Manager servers.
    • HTTP—from the drop-down menu, select either Enable, Disable, or Redirect to HTTPS.
      Note: Redirect to HTTPS
      Selecting Redirect to HTTPS will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTPS enabled to use Redirect to HTTPS.
      • If the Address Manager domain name is configured to resolve to an IPv6 address, enabling Redirect to HTTPS will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
    • HTTPS—from the drop-down menu, select Enable.
      Important: Disabling HTTPS

      You cannot disable HTTPS if HTTP is configured to redirect to HTTPS.

  4. Under Server Certificate Settings, select Custom.
  5. Select Load Custom Certificate.
  6. Under Upload Certificate, complete the following:
    • Use Previously Configured Private Key—(optional) select to use the previously configured private key stored in the Address Manager database.
      Note:
      • This check box is not clickable when loading a private CA key into Address Manager for the first time. After loading the CA certificate and bundle file and updating Address Manager, this check box will be selected by default (Address Manager stores one copy of the key in its database).
      • Deselect this check box only if you want to upload a new private CA key. Address Manager will warn you that uploading a new private key will overwrite the key already stored in the Address Manager database.
    • Private Key—(optional) click Choose File to select a private key file (<common_name>.key) on your local machine or workstation.
      Attention:
      • The private key must comply with PKCS #8 standards.
      • The private key must be in PEM format and must only contain one key. It cannot contain multiple keys or certificates. You can validate the key using openssl and the following command (if there is no password, omit the -passin pass:<password> parameter):
        openssl rsa -noout -modulus -in <private key file> -passin pass:<password>

        If the beginning of the output contains Modulus=, the key is valid.

    • Use Password—(optional) select the check box to provide security for the private key. Once selected, the Password field opens.
      • Password—enter an alphanumeric password to secure your private key.
    • Domain Signed Certificate—click Choose File to select a CA certificate (<common_name>.crt) on your local machine or workstation.
      Attention: The certificate must be in PEM format and must only contain one certificate. It cannot contain multiple certificates or keys. You can validate the certificate using openssl and the following command:
      openssl x509 -noout -modulus -in <certificate file>

      If the beginning of the output contains Modulus=, the certificate is valid.

    • Intermediate Bundle Certificate—click Choose File to select a CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation.
      Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:
      openssl x509 -noout -modulus -in <bundle file>

      If the beginning of the output contains Modulus=, the bundle is valid.

  7. Click Update. The Confirm Web Access Configuration opens.
  8. Under Confirm Configuration, verify your changes.
    Listed changes will include the IP address of the Address Manager server, HTTP or HTTPS status (enable/disable), and certificate type.
  9. Click Yes. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.
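
The openssl commands in step 6 confirm only that a file parses: they accept PKCS #1 keys and stop at the first matching PEM block. The script below is an added example, not BlueCat code, that checks the constraints stated in the Attention notes and then confirms that the key matches the certificate and that the certificate verifies against the bundle. The function names and the KEYPASS variable belong to this example, and RSA keys are assumed.

```shell
#!/bin/sh
# Added example (not BlueCat code): pre-upload checks for the step 6 files.
# Assumes RSA keys, as the page's -modulus commands do.

# Count PEM blocks whose BEGIN label matches an extended regex.
pem_count() {   # usage: pem_count <file> <label-regex>
    grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true
}

# Key file: one PEM block only, and it must carry a PKCS #8 label
# ("PRIVATE KEY" or "ENCRYPTED PRIVATE KEY"); "RSA PRIVATE KEY" is PKCS #1.
check_key() {
    [ "$(pem_count "$1" '.*')" -eq 1 ] &&
    [ "$(pem_count "$1" '(ENCRYPTED )?PRIVATE KEY')" -eq 1 ]
}

# Domain certificate: exactly one block, and it is a certificate.
check_cert() {
    [ "$(pem_count "$1" '.*')" -eq 1 ] &&
    [ "$(pem_count "$1" 'CERTIFICATE')" -eq 1 ]
}

# Bundle: at least one certificate and nothing but certificates.
check_bundle() {
    certs=$(pem_count "$1" 'CERTIFICATE')
    [ "$certs" -ge 1 ] && [ "$(pem_count "$1" '.*')" -eq "$certs" ]
}

# The key belongs to the certificate when both report the same modulus.
# An encrypted key's pass phrase is read from the exported KEYPASS
# variable, which keeps it out of the process list.
key_matches_cert() {   # usage: key_matches_cert <key> <cert>
    k=$(openssl rsa -noout -modulus -in "$1" ${KEYPASS:+-passin env:KEYPASS}) || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# openssl x509 parses only the first certificate in a file, so test the
# whole bundle by verifying the domain certificate against it.
chain_verifies() {   # usage: chain_verifies <bundle> <cert>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all checks when called as: script <key> <cert> <bundle>
if [ "$#" -eq 3 ]; then
    check_key "$1" && check_cert "$2" && check_bundle "$3" &&
        key_matches_cert "$1" "$2" && chain_verifies "$3" "$2" &&
        echo "ready to upload" || { echo "check failed" >&2; exit 1; }
fi
```

The label checks need only grep; the last two functions require openssl on the workstation that holds the files.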

Result:

  1. Log in to Address Manager once the configuration is complete.
    Note: After modifying HTTP or HTTPS, your browser might warn you about an unknown or invalid certificate. This warning will cease once you accept the certificate and log in to Address Manager.
  2. From the certificate warning, proceed to the site. Depending on your browser, this might entail clicking a button or creating an exception.