Loading the signed server certificate into Address Manager - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Upload the signed server certificate provided by the Certificate Authority and associated files.

To upload the signed server certificate and associated files:

  1. Select the Settings tab in the sidebar.
  2. Under System security, select Web access.
  3. Set the following parameters:
    Note: When replication is configured between Address Manager servers, web access settings for primary and standby servers are represented on separate tabs.
    • HTTP enabled—select the checkbox to enable HTTP. Deselect the checkbox to disable HTTP.
    • HTTPS enabled—select the checkbox to enable HTTPS.
    • HTTP to HTTPS redirection enabled—select the checkbox to enable HTTP to HTTPS redirection. The HTTP enabled checkbox must be selected to select this option.
      Important: You can't disable HTTPS if HTTP is configured to redirect to HTTPS.
      Note: HTTP to HTTPS redirection
      Selecting HTTP to HTTPS redirection enabled will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTP and HTTPS enabled to use HTTP to HTTPS redirection.
      • If the Address Manager domain name is configured to resolve to an IPv6 address, HTTP to HTTPS redirection enabled will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
    • X509 authenticator—select an X.509 authenticator previously added to Address Manager. For more information, refer to X.509 authentication.
  4. Under Server certificate settings, complete the following:
    • Certificate method—select Load custom certificate.
    • Use previously configured private key—select to use the previously configured private key stored in the Address Manager database.
      Note: Deselect this check box only if you want to upload a new private key. Address Manager will warn you that uploading a new private key will overwrite the key already stored in the Address Manager database.
    • If Use previously configured private key is not selected, the following fields appear:
      • Upload private key—use the upload box to select or drag and drop the private key file (<common_name>.key) associated with the server certificate on your local machine or workstation.
        Attention:
        • The private key must comply with PKCS #8 standards.
        • The private key must be an RSA private key. The following cipher suites are supported for Address Manager HTTPS configurations (TLS 1.2):
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • The private key must be in PEM format and must only contain one key. It can't contain multiple keys or certificates. You can validate the key using openssl and the following command (if the key has no password, omit the -passin pass:<password> parameter):
          openssl rsa -noout -modulus -in <private key file> -passin pass:<password>

          If the beginning of the output contains Modulus=, the key is valid.

      • Password—enter an alphanumeric password to secure your private key.
    • Upload domain signed certificate—use the upload box to select or drag and drop the signed server certificate (<common_name>.crt) on your local machine or workstation.
      Attention: The certificate must be in PEM format and must only contain one certificate. It can't contain multiple certificates or keys. You can validate the certificate using openssl and the following command:
      openssl x509 -noout -modulus -in <certificate file>

      If the beginning of the output contains Modulus=, the certificate is valid.

    • Upload intermediate bundle certificate—use the upload box to select or drag and drop the associated CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation. The CA certificate bundle must include the root and any intermediary CA certificates required to authenticate the CA signature of the server certificate.
      Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:
      openssl x509 -noout -modulus -in <bundle file>

      If the beginning of the output contains Modulus=, the bundle is valid.

  5. Enter a Change control comment, if required.
  6. Select Update web access settings.
  7. In the Warning window, select Update and restart BAM. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.

Result:

  1. Log in to Address Manager once the configuration is complete.
    Note: After modifying HTTP or HTTPS, your browser might warn you about an unknown or invalid certificate. This warning will cease once you accept the certificate and log in to Address Manager.
  2. From the certificate warning, proceed to the site. Depending on your browser, this might entail clicking a button or creating an exception.
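The openssl -modulus commands in step 4 only parse the first PEM block of each file, so they cannot detect a key file that also carries certificates, a certificate file with a key appended, or a PKCS #1 ("BEGIN RSA PRIVATE KEY") key where PKCS #8 is required. The following script is an added example, not BlueCat's code, that counts every PEM block before you upload and, when openssl is available, also confirms that the key, certificate and bundle belong together; the file names, the `check_pem.sh` script name and the hypothetical password argument are assumptions for illustration.

```shell
#!/bin/sh
# Pre-upload checks for the PEM files in step 4 above (key, certificate, CA
# bundle). Added example, not BlueCat code. The openssl "-modulus" commands
# on the page parse only the FIRST PEM block of a file, so a file wrongly
# holding several keys or certificates still prints "Modulus="; count them all.

# Print how many PEM blocks in file $1 carry a BEGIN label matching regex $2.
count_blocks() {
  n=$(grep -c -- "^-----BEGIN $2-----" "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# Private key: exactly one key in PKCS #8 framing and no certificates.
# "BEGIN RSA PRIVATE KEY" is traditional PKCS #1 framing, not PKCS #8.
check_private_key() {
  keys=$(count_blocks "$1" ".*PRIVATE KEY")
  pkcs1=$(count_blocks "$1" "RSA PRIVATE KEY")
  certs=$(count_blocks "$1" "CERTIFICATE")
  [ "$pkcs1" -eq 0 ] || { echo "$1: PKCS #1 key, convert with 'openssl pkcs8 -topk8'" >&2; return 1; }
  [ "$keys" -eq 1 ] || { echo "$1: expected exactly 1 private key, found $keys" >&2; return 1; }
  [ "$certs" -eq 0 ] || { echo "$1: key file also holds $certs certificate(s)" >&2; return 1; }
}

# Certificate files carry no key material; the domain certificate holds
# exactly one certificate, the CA bundle one or more (root plus intermediates).
check_cert_file() {   # args: file min_certs max_certs
  certs=$(count_blocks "$1" "CERTIFICATE")
  keys=$(count_blocks "$1" ".*PRIVATE KEY")
  [ "$keys" -eq 0 ] || { echo "$1: certificate file contains a private key" >&2; return 1; }
  [ "$certs" -ge "$2" ] && [ "$certs" -le "$3" ] ||
    { echo "$1: found $certs certificate(s), expected $2 to $3" >&2; return 1; }
}
check_certificate() { check_cert_file "$1" 1 1; }
check_bundle()      { check_cert_file "$1" 1 100; }

# With openssl present, confirm key and certificate share one RSA modulus and
# that the bundle chains to the certificate. Args: key cert bundle [password]
check_pairing() {
  command -v openssl >/dev/null || { echo "openssl not found, pairing check skipped" >&2; return 0; }
  pw=${4:+-passin pass:$4}   # left unquoted below so it expands to two words
  k=$(openssl rsa -noout -modulus -in "$1" $pw 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ "$k" = "$c" ] || { echo "key and certificate moduli differ" >&2; return 1; }
  openssl verify -CAfile "$3" "$2" >/dev/null
}
# Usage: sh check_pem.sh <common_name>.key <common_name>.crt <common_name>.ca-bundle [password]
if [ $# -ge 3 ]; then
  check_private_key "$1" && check_certificate "$2" && check_bundle "$3" &&
    check_pairing "$1" "$2" "$3" "${4:-}" && echo "all checks passed"
fi
```

Run the structural checks first; a "Modulus=" line from openssl alone does not prove the file is clean enough for Address Manager to accept.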