Configuring HTTPS with an existing custom certificate - BlueCat Integrity - 9.4.0

Address Manager Administration Guide


Upload a server certificate, private key, and CA certificate bundle to configure HTTPS on Address Manager.

Note: This method is recommended for customers who have configured HTTPS on previous versions of Address Manager and want to migrate the certificate used on the prior system to the new one.

To configure HTTPS with a custom uploaded certificate:

  1. Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
  2. Under User Management, click Secure Access.
  3. Under General, complete the following:
    • Select Server—by default, this is the IP address of a standalone Address Manager server. If running Address Manager in replication, use the drop-down menu to select the IP address of Primary or Standby Address Manager servers.
    • HTTP—from the drop-down menu, select either Enable, Disable, or Redirect to HTTPS.
      Note: Redirect to HTTPS
      Selecting Redirect to HTTPS will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTPS enabled to use Redirect to HTTPS.
      • If the Address Manager domain name is configured to resolve to an IPv6 address, enabling Redirect to HTTPS will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
    • HTTPS—from the drop-down menu, select Enable.
      Important: Disabling HTTPS

      You can't disable HTTPS if HTTP is configured to redirect to HTTPS.

  4. Under Server Certificate Settings, select Custom.
  5. Select Load Custom Certificate.
  6. Under Upload Certificate, complete the following:
    • Use Previously Configured Private Key—(optional) select to use the previously configured private key stored in the Address Manager database.
      Note:
      • This check box isn't clickable when loading a private key into Address Manager for the first time. After loading the server certificate and CA bundle file and updating Address Manager, this check box will be selected by default (Address Manager stores one copy of the key in its database).
      • Deselect this check box only if you want to upload a new private key. Address Manager will warn you that uploading a new private key will overwrite the key already stored in the Address Manager database.
    • Private Key—(optional) click Choose File to select the private key file (<common_name>.key) associated with the server certificate on your local machine or workstation.
      Attention:
      • The private key must comply with PKCS #8 standards.
      • The private key must be in PEM format and must only contain one key. It can't contain multiple keys or certificates. You can validate the key using openssl and the following command (if there's no password, omit the --passin pass:<password> parameter):
        openssl rsa -noout -modulus -in <private key file> --passin pass:<password>

        If the beginning of the output contains Modulus=, the key is valid.

    • Use Password—(optional) select the check box to provide security for the private key. Once selected, the Password field opens.
      • Password—enter an alphanumeric password to secure your private key.
    • Domain Signed Certificate—click Choose File to select the signed server certificate (<common_name>.crt) on your local machine or workstation.
      Attention: The certificate must be in PEM format and must only contain one certificate. It can't contain multiple certificates or keys. You can validate the certificate using openssl and the following command:
      openssl x509 -noout -modulus -in <certificate file>

      If the beginning of the output contains Modulus=, the certificate is valid.

    • Intermediate Bundle Certificate—click Choose File to select the associated CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation. The CA certificate bundle must include the root and any intermediary CA certificates required to authenticate the CA signature of the server certificate.
      Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:
      openssl x509 -noout -modulus -in <bundle file>

      If the beginning of the output contains Modulus=, the bundle is valid.

  7. Click Update. The Confirm Web Access Configuration opens.
  8. Under Confirm Configuration, verify your changes.
    Listed changes will include the IP address of the Address Manager server, HTTP or HTTPS status (enable/disable), and certificate type.
  9. Click Yes. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.

Result:

  1. Log in to Address Manager once the configuration is complete.
    Note: After modifying HTTP or HTTPS, your browser might warn you about an unknown or invalid certificate. This warning will cease once you accept the certificate and log in to Address Manager.
  2. From the certificate warning, proceed to the site. Depending on your browser, this might entail clicking a button or creating an exception.
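
A pre-upload check for the three files in step 6, as an added example that is not part of BlueCat's documentation. The openssl commands above read only the first PEM object in a file and accept keys in either traditional or PKCS #8 encoding, so this script checks the block counts and the PKCS #8 label with grep, then compares the two moduli and verifies the chain. The function names are hypothetical, env:KEYPASS is a sample passphrase source, and like the page's command it assumes an RSA key.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Address Manager.

# Print how many PEM blocks in file $1 have a BEGIN label matching regex $2.
count_pem() {
    n=$(grep -cE -- "^-----BEGIN ($2)-----" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Private key: exactly one PEM block, labelled as PKCS #8. A traditional
# "RSA PRIVATE KEY" block is rejected (openssl pkcs8 -topk8 converts one).
check_key() {
    [ "$(count_pem "$1" '.*')" = 1 ] || { echo "key: need exactly one PEM block"; return 1; }
    [ "$(count_pem "$1" '(ENCRYPTED )?PRIVATE KEY')" = 1 ] || { echo "key: not PKCS #8"; return 1; }
}

# Server certificate: exactly one PEM block, of type CERTIFICATE.
check_cert() {
    [ "$(count_pem "$1" '.*')" = 1 ] || { echo "cert: need exactly one PEM block"; return 1; }
    [ "$(count_pem "$1" 'CERTIFICATE')" = 1 ] || { echo "cert: not a certificate"; return 1; }
}

# CA bundle: at least one block, and every block is a CERTIFICATE.
check_bundle() {
    total=$(count_pem "$1" '.*'); certs=$(count_pem "$1" 'CERTIFICATE')
    [ "$certs" -ge 1 ] && [ "$total" = "$certs" ] || { echo "bundle: certificates only"; return 1; }
}

# The key belongs to the certificate when the page's two -modulus commands
# print the same value (RSA keys). $3 is an optional passphrase source such
# as env:KEYPASS, which keeps the password off the command line.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" ${3:+-passin "$3"}) || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$k" = "$c" ]
}

# Usage: preflight <key> <certificate> <bundle> [passphrase source]
preflight() {
    check_key "$1" && check_cert "$2" && check_bundle "$3" || return 1
    key_matches_cert "$1" "$2" "$4" || { echo "key does not match certificate"; return 1; }
    # The bundle alone must take the certificate to a root; -no-CApath
    # keeps the default trust directory out of the lookup.
    openssl verify -no-CApath -CAfile "$3" "$2" >/dev/null || { echo "chain does not verify"; return 1; }
    echo "ok"
}

if [ "$#" -ge 3 ]; then preflight "$@"; fi
```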