Upload the signed server certificate provided by the Certificate Authority and associated files.
To upload the signed server certificate and associated files:
- Select the Administration tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Administration page.
- Under User Management, click Secure Access.
Under General, complete the following:
- Select Server—by default, this is the IP address of a standalone Address Manager server. If running Address Manager in replication, use the drop-down menu to select the IP address of Primary or Standby Address Manager servers.
- HTTP—from the drop-down menu, select either
or Redirect to HTTPS.
Note: Redirect to HTTPS
Selecting Redirect to HTTPS will redirect users to HTTPS if they attempt to access Address Manager using HTTP. You must have HTTPS enabled to use Redirect to HTTPS.
- If the Address Manager domain name is configured to resolve to an IPv6 address, enabling Redirect to HTTPS will redirect the domain name in the URL to an IPv6 address, resulting in an unknown certificate warning in your browser. For more information, refer to knowledge base article 5978 on BlueCat Customer Care.
- HTTPS—from the drop-down menu, select Enable.
Important: Disabling HTTPS
You can't disable HTTPS if HTTP is configured to redirect to HTTPS.
- Under Server Certificate Settings, select Custom.
- Select Load Custom Certificate.
Under Upload Certificate, complete the following:
- Use Previously Configured Private Key—(optional) select to use the previously configured private key stored in the Address Manager database.
- This check box isn't clickable when loading a private key into Address Manager for the first time. After loading the server certificate and CA bundle file and updating Address Manager, this check box will be selected by default (Address Manager stores one copy of the key in its database).
- Deselect this check box only if you want to upload a new private key. Address Manager will warn you that uploading a new private key will overwrite the key already stored in the Address Manager database.
- Private Key—(optional) click Choose File to select the private key file (<common_name>.key) associated with the server certificate on your local machine or workstation.
Attention: The private key must comply with PKCS #8 standards.
- Use Password—(optional) select the check box to provide security for the private key. Once selected, the Password field opens.
- Password—enter an alphanumeric password to secure your private key.
- Domain Signed Certificate—click Choose File to select the signed server certificate (<common_name>.crt) on your local machine or workstation.
- Intermediate Bundle Certificate—click Choose File to select the associated CA certificate bundle (<common_name>.ca-bundle) on your local machine or workstation. The CA certificate bundle must include the root and any intermediary CA certificates required to authenticate the CA signature of the server certificate.
Attention: The bundle must be in PEM format, and must only contain one root certificate and the chain of intermediate certificates that match the domain certificate. You can validate the bundle using openssl and the following command:
openssl x509 -noout -modulus -in <bundle file>
If the beginning of the output contains Modulus=, the key is valid.
- Click Update. The Confirm Web Access Configuration opens.
Under Confirm Configuration, verify your
Listed changes will include the IP address of the Address Manager server, HTTP or HTTPS status (enable/disable), and certificate type.
- Click Yes. The Address Manager server will be temporarily unavailable as the changes are committed and the server restarts.
- Log in to Address Manager once the configuration is complete.
Note: After modifying HTTP or HTTPS, your browser might warn you about an unknown or invalid certificate. This warning will cease once you accept the certificate and log in to Address Manager.
- From the certificate warning, proceed to the site. Depending on your browser, this might entail clicking a button or creating an exception.
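A pre-upload check of the three files this procedure asks for, as an added example that is not part of the BlueCat documentation. `openssl x509` reads only the first certificate in a file, so this script also checks the PKCS #8 key format, that the key matches the certificate, that the bundle holds exactly one root, and that the certificate chains to the bundle. The function names, the script name and the `KEY_PASSWORD` variable are assumptions, and OpenSSL 1.1.0 or later is assumed on the workstation.

```shell
#!/bin/sh
# Added example: pre-upload checks for <common_name>.key, .crt and .ca-bundle.
# Assumes OpenSSL 1.1.0 or later on the workstation.

# PKCS #8 PEM keys use one of these two labels; PKCS #1 ("RSA PRIVATE KEY")
# and SEC1 ("EC PRIVATE KEY") files do not.
is_pkcs8() {
    grep -Eq '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# The public key derived from the private key must equal the one in the
# certificate. KEY_PASSWORD (assumed name) is only read for encrypted keys.
key_matches_cert() {
    KEY_PASSWORD=${KEY_PASSWORD:-}; export KEY_PASSWORD
    k=$(openssl pkey -in "$1" -passin env:KEY_PASSWORD -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Count certificates in the bundle whose subject equals their issuer
# (self-issued, used here as the test for "root").
count_roots() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (substr($0, 8) == s) n++ }
             END { print n + 0 }'
}

# Run every check; print "ok" or the first failure.
check_upload() {
    is_pkcs8 "$1" || { echo "key is not PKCS #8 PEM"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    [ "$(count_roots "$3")" -eq 1 ] || { echo "bundle must contain exactly one root"; return 1; }
    # -no-CApath keeps the system trust directory out of the result, so the
    # bundle alone has to complete the chain.
    openssl verify -no-CApath -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "certificate does not chain to the bundle"; return 1; }
    echo "ok"
}

# Usage: sh check_upload.sh <common_name>.key <common_name>.crt <common_name>.ca-bundle
if [ "$#" -eq 3 ]; then check_upload "$@"; fi
```

Run it on the workstation before clicking Update; a result other than `ok` names the first file that needs attention.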