Setting up custom SSL certificates for HTTPS connections - Platform - BlueCat Gateway - 22.11.1

Gateway Administration Guide


Gateway requires TLS/SSL certificates to communicate over HTTPS networks. If no TLS/SSL certificates exist in a workspace when Gateway starts, it will automatically generate and use a new set of unique, self-signed certificates.

Since these certificates are self-signed, they're not validated by any certificate authority. If you prefer, you can instead have Gateway use your own custom TLS/SSL certificates, such as certificates signed by an appropriate authority. Custom certificates must use strong Advanced Encryption Standard protocols, such as Elliptic Curve Diffie-Hellman (ECDH) with 128 bits of keyspace. You can use custom certificates with both custom and built-in workspaces.

Warning: As of v22.4.1, Gateway restricts TLS/SSL security certificates to those using strong protocols and encryption ciphers. Certificates that use static key ciphers, cipher block chaining (CBC), or other weak protocols that are vulnerable to known decryption attacks will be rejected.

After upgrading to BlueCat Gateway v22.4.1 or later, you must replace any TLS/SSL certificates that use weak encryption protocols. We recommend that all certificates employed on your system use strong Advanced Encryption Standard protocols, not just those used by Gateway.

Tip: Versions of BlueCat Gateway prior to v21.5.1 required you to edit the configuration file (.conf) for the HTTPS Apache host to set TLS/SSL certificates. This direct change in host configuration is no longer needed. If this is your current setup, see Updating certificates and custom Apache configurations on legacy systems for details on updating your system.

To upload certificates using the Gateway UI:

  1. Log in to BlueCat Gateway.

  2. From the navigator on the left, expand Configurations, click General Configuration, then click Certificates.

  3. Under Gateway, in the SSL Certificate field, click Browse and add the custom SSL certificate file (*.crt file) that you want Gateway to use.

    Note: We recommend that all certificates across your entire system use strong Advanced Encryption Standard protocols, such as Elliptic Curve Diffie-Hellman (ECDH) with 128 bits of keyspace.

  4. In the SSL Certificate Key field, click Browse and add the corresponding key file (*.key) for that SSL certificate.

To install certificate files manually:

  1. Install the files in the following locations, relative to the workspace root:

    • Store the certificate's crt file as certificates/server/gateway.crt, in PEM (Privacy-Enhanced Mail) format. This may include intermediate CA certificates. Create the certificates/server directory if it doesn't already exist.

      For example, if your workspace root is /root/gwdata/customizations, store the certificate's crt file as /root/gwdata/customizations/certificates/server/gateway.crt.

    • Store the certificate's private key file as certificates/server/gateway.key.

  2. After copying certificate files to the workspace, restart the container.
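The following helper is an added example, not part of the BlueCat documentation or the Gateway product: it checks a certificate/key pair before placing it in the manual-install layout above. The function names, the owner-only permission on the key, and the placeholder PEM files written by demo_install are assumptions; only the workspace-relative paths come from this page.

```python
import os, re, shutil, ssl, stat, tempfile

# File layout the Gateway docs prescribe, relative to the workspace root.
CERT_REL_PATH = os.path.join("certificates", "server", "gateway.crt")
KEY_REL_PATH = os.path.join("certificates", "server", "gateway.key")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_block_labels(text):
    """Labels of the PEM blocks in text, in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_pem_layout(crt_text, key_text):
    """gateway.crt: one or more CERTIFICATE blocks (leaf first, then intermediates), never a key;
    gateway.key: exactly one PRIVATE KEY block. Returns the number of certificates in the chain."""
    crt_labels = pem_block_labels(crt_text)
    if not crt_labels or any(label != "CERTIFICATE" for label in crt_labels):
        raise ValueError("gateway.crt must hold only PEM CERTIFICATE blocks, got %r" % crt_labels)
    key_labels = pem_block_labels(key_text)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError("gateway.key must hold exactly one PEM PRIVATE KEY block, got %r" % key_labels)
    return len(crt_labels)

def install_gateway_certificates(workspace_root, crt_path, key_path, verify_pair=True):
    """Validate the pair, copy it to <workspace_root>/certificates/server/, lock down the key.
    Restarting the container afterwards is still a manual step."""
    with open(crt_path) as f, open(key_path) as g:
        chain_len = check_pem_layout(f.read(), g.read())
    if verify_pair:  # OpenSSL raises ssl.SSLError if the key does not match the leaf certificate
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(certfile=crt_path, keyfile=key_path)
    dest_crt = os.path.join(workspace_root, CERT_REL_PATH)
    dest_key = os.path.join(workspace_root, KEY_REL_PATH)
    os.makedirs(os.path.dirname(dest_crt), exist_ok=True)
    shutil.copyfile(crt_path, dest_crt)
    shutil.copyfile(key_path, dest_key)
    os.chmod(dest_key, stat.S_IRUSR | stat.S_IWUSR)  # private key: owner read/write only
    return {"crt": dest_crt, "key": dest_key, "chain_length": chain_len,
            "key_mode": stat.S_IMODE(os.stat(dest_key).st_mode)}

def demo_install():
    """Install constructed placeholder PEM files (not real keys, so verify_pair=False) into a scratch workspace."""
    root = tempfile.mkdtemp(prefix="gwdata-")
    crt, key = os.path.join(root, "in.crt"), os.path.join(root, "in.key")
    with open(crt, "w") as f:  # constructed: leaf plus one intermediate, bodies are not real DER
        f.write("-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n")
    with open(key, "w") as f:
        f.write("-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n")
    return install_gateway_certificates(root, crt, key, verify_pair=False)
```

With real files, call install_gateway_certificates("/root/gwdata/customizations", "/path/to/server.crt", "/path/to/server.key") and leave verify_pair enabled so a mismatched key is caught before the container is restarted.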