Setting the Address Manager and Gateway server certificate - Adaptive Applications - BlueCat Gateway - 23.1.1

Cloud Discovery & Visibility Administration Guide


To use Cloud Discovery & Visibility on systems with HTTPS, you'll need to set up an SSL/TLS certificate so that BlueCat Address Manager (BAM) and Gateway can communicate with each other. You'll do so by manually uploading custom certificates.

Certificates are composed of a private key (a .key file) and a public key (a .crt file). Basic steps are summarized below. For more details, see the Address Manager Administration Guide and the Gateway Administration Guide.

Using custom certificates

Gateway also supports custom certificates for communications with Address Manager. You can use a certificate you already have from a certificate authority, or a certificate that you created yourself. When creating your own certificate, you'll generate a new randomized private .key file, create a .csr file from it (a Certificate Signing Request), then use the CSR to create the public certificate file (.crt).

Note: You'll need an SSL toolkit to set up your own custom certificate. The following instructions assume you're using OpenSSL, a multi-featured open source SSL toolkit.

To create the .key and .csr files, you can either use BlueCat Address Manager, or create them manually with your SSL toolkit.

To create the .key and .csr files in Address Manager:

  1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

  2. Under Server Certificate Settings, select Custom, then select Generate Certificate Signing Request.

    1. Fill in the Common Name, Organization, Department, City, State/Province, Country code, Email address (optional), and Comment (optional) as desired.
    2. Click to select the Generate Private Key checkbox.
    3. In Key Size, select the desired size of the encryption key. We strongly recommend you choose a key size of at least 2048 bits.
    4. When you're done, click Generate.
  3. With the certificate generated, click Download CSR and Download Private Key to download the newly-generated .csr and .key files, respectively.

To create the .key and .csr files manually:

  1. Generate the private key (the .key file). To do so, run the following OpenSSL command:
    openssl genrsa -des3 -out <private_key_name>.key <key_size>
    Where <private_key_name> is a file name for your private key, and <key_size> is the key size in bits. We recommend a size of at least 2048.

    You'll be asked for a pass phrase. You can leave the pass phrase blank if you prefer.

    When you're done, you'll have a .key file.

  2. Generate the .csr file with the following OpenSSL command:
    openssl req -new -key <private_key_name>.key -out <csr_name>.csr
    Where <private_key_name> is the name of your private key file, and <csr_name> is the desired name for your CSR file. (Since the files have different file name extensions, these names can be the same.)
  3. Fill in the fields as requested, one by one. The Email Address, Challenge password, and Company name are optional.

  4. When you're done, OpenSSL will generate the .csr file.

To set up the public key file (.crt) and add the certificates to Address Manager:

Note: You must already have a private key (.key) and matching certificate signing request (.csr) files to generate the public key.
  1. Generate the .crt file with the following OpenSSL command:
    openssl x509 -req -days 365 -in <csr_name>.csr -signkey <private_key_name>.key -out <certificate_name>.crt
    Where <csr_name> is the name of your CSR file, <private_key_name> is the name of your private key file, and <certificate_name> is the desired name for your certificate file. (Since the files have different file name extensions, these names can be the same.)

    OpenSSL will generate the .crt file.

  2. Add the new certificate files to Address Manager:

    1. Within Address Manager, in the Administration tab, under User Management, click Secure Access.

    2. If you haven't already done so, enable HTTPS (under General, in HTTPS, select Enable).

    3. Under Server Certificate Settings, select Custom.
    4. Select Load Custom Certificate.
    5. In the Upload Certificate section, upload the certificate files:
      • Under Private Key, click Choose File and browse to your private key file (.key).
      • Under Domain Signed Certificate, click Choose File and browse to your public certificate file (.crt).
  3. Upload the extracted certificates to BlueCat Gateway as follows:

    1. In Gateway, in the navigator area to the left, expand Administration and Configurations, then click General Configuration.
    2. In the BAM section, click to select the Validate SSL Certificate checkbox.
    3. In SSL Certificate, click Choose file and browse to the .crt file that you extracted.
    4. When you're done, click Save.
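
The manual OpenSSL procedure above as a non-interactive script, followed by a pre-upload check that the .crt matches the .key, that the key meets a minimum size, and that the certificate has not expired. This is an added example, not BlueCat's own tooling; the function names, the file name bam_gateway and the subject fields are constructed, and -des3 is left out so that nothing prompts for a pass phrase.

```shell
#!/bin/sh
# Added example: function names, file names and subject fields are constructed.

# make_cert DIR NAME BITS: private key -> CSR -> self-signed certificate.
make_cert() {
    dir=$1; name=$2; bits=$3
    # The page's genrsa command adds -des3; it is left out here so that
    # nothing prompts for a pass phrase.
    openssl genrsa -out "$dir/$name.key" "$bits" 2>/dev/null || return 1
    chmod 600 "$dir/$name.key"      # private key readable by the owner only
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=US/O=Example Org/CN=bam.example.test" || return 1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
}

# SHA-256 over the public key derived from a private key / held in a certificate.
key_digest() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256; }
crt_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256; }

# check_pair KEY CRT MIN_BITS
# Returns 0 if the pair is fit to upload, 1 on key/certificate mismatch,
# 2 if the key is smaller than MIN_BITS, 3 if the certificate has expired.
check_pair() {
    key=$1; crt=$2; min=$3
    [ "$(key_digest "$key")" = "$(crt_digest "$crt")" ] ||
        { echo "certificate does not match private key" >&2; return 1; }
    bits=$(openssl x509 -in "$crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min" ] ||
        { echo "key is ${bits:-0} bits, need at least $min" >&2; return 2; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 3; }
}

# Demo in a scratch directory.
tmp=$(mktemp -d)
make_cert "$tmp" bam_gateway 2048 &&
    check_pair "$tmp/bam_gateway.key" "$tmp/bam_gateway.crt" 2048 &&
    echo "key and certificate are consistent"
rm -rf "$tmp"
```

Running check_pair before uploading catches the case where a .crt generated from one key is paired with a different .key file.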