Secure Mobile Access 12.4 Administration Guide

Obtaining a Certificate from a Commercial CA

Obtaining a certificate from a commercial CA provides verification of your identity for people who connect to your network through the appliance. You must perform several steps to obtain and configure a certificate from a commercial CA, as shown in the image below.

Obtaining CA certificate

Step 1: Generate a Certificate Signing Request

Using AMC, you can generate a certificate signing request (CSR). This process creates an RSA key pair that is used to secure server information, and a CSR containing your public key and identity information. The information you provide is used by the commercial CA to generate your certificate, and may be visible to users who connect to the appliance.

To generate a CSR

  1. In the AMC, navigate to System Configuration > SSL Settings.

  2. In the SSL Certificates section, click Edit.

    The SSL Certificates page displays.

  3. Click the Certificate signing requests tab.

  4. In the Certificate Signing Requests area, click the + (New) icon.

    The Create Certificate Signing Request page displays.

  5. The Certificate information you fill out is stored in the CSR and used by the commercial CA when generating your certificate; it may be visible to users who connect to the appliance.

    Some commercial CAs may have problems reading CSRs that contain characters produced by pressing the SHIFT key, such as & or !. For example, when specifying your company name or other information, you may want to spell out & (if used) as and.

    1. In the Fully qualified domain name field, type the server name as you want it to appear in the certificate. Also known as a common name (or CN), this is usually composed of a host and a domain name; for example, you might type vpn.example.com.

      Users with a Web-based client will use this name to access the appliance (in other words, to access WorkPlace), so it’s best to use a name that is easily remembered. You’ll also reference this name when configuring the Connect or OnDemand components to provide access to TCP/IP resources. You must add this name to your external DNS to make the appliance accessible to users.

      Certificate Signing Requests can be created with multiple FQDNs or IP addresses. On the SSL Settings > SSL Certificate > Create Certificate Signing Request page, enter multiple FQDNs and/or IP addresses separated by commas. Any number of SANs can be added to a certificate, but the text input field is limited to 1,000 characters. Wildcards are permitted. The entered FQDNs and IP addresses are encoded in the Subject Alternative Name certificate extension, and the certificate FQDN is encoded as an additional SAN entry in the CSR.

    2. In the Alternative name field, type any additional FQDNs or IP addresses that should appear in the certificate using the Subject Alternative Name certificate extension. Enter multiple entries each on a separate line.

    3. In the Organizational unit field, type your division or department (for example, MIS Dept).

    4. In the Organization field, type your company or organization name as you want it to appear in your SSL certificate.

    5. In the Locality field, type your city or town. Do not use an abbreviation.

    6. In the State field, type the name of your state or province. Do not use an abbreviation.

    7. In the Country field, type the two-letter abbreviation for your country. For a list of valid country codes, see the International Organization for Standardization (ISO) Web site at http://www.iso.org and search for ISO 3166-1.

    8. In the Key length drop-down menu, select the key length you want to use for the key: 2048 (the default), 3072, or 4096. Larger keys increase security.

  6. Select the key type from the Key type drop-down menu.

    The default is RSA.

  7. In the Signature drop-down menu, select the algorithm used for the certificate.

  8. Review the information to verify that you’ve typed it correctly.

  9. Click Save to generate the CSR.

    The Certificate Signing Request page redisplays with the CSR information you entered.

  10. Copy the contents of the CSR text from AMC to the clipboard or into a text file.

  11. Click OK.

Step 2: Submit the CSR to a Commercial CA

The process of submitting a CSR varies, depending on which commercial CA you choose.

To submit a CSR to a commercial CA

  1. Copy the contents of your certificate signing request from the Create Certificate Signing Request page in AMC.

  2. Submit it to the CA using the method they request (usually you either copy and paste the CSR text into a form on the CA’s Web site, or attach it to an email message).

    Depending on what is specified by the CA, you may need to paste all the text, or only the text between the BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST banners (including the banners themselves). If you’re not sure, contact the CA.

  3. Wait for the commercial CA to verify your identity. You may be asked to produce one or more documents attesting to your corporate identity (such as a business license or article of incorporation).

    Submit your CSR only once; you may otherwise be billed twice by the CA. This would also change the internal private key, making the response from the CA unusable.

Step 3: Review CSR Response and Add CA’s Root Certificate

After you’ve submitted your CSR, you must wait for the CA to verify your identity. After they complete this process, the CA will send you the certificate reply. It is usually in one of two formats:

  • A file attached to an email message. In this case, you can save the file to your local file system (the one from which you’ll access AMC) and then import it into AMC.

  • Text embedded within an email message. In this case, you copy the text and paste it into a text box provided in AMC. Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE banners.

If the CA does not provide a full certificate chain in the CSR response (a common practice), AMC will try to complete the certificate chain when you import the CSR response. If it is unable to complete the chain, AMC displays an error message. If this occurs, you must upload the CA’s root certificate or any intermediary public certificates to the appliance. If you are acting as your own CA, you will probably need to perform this step.

To complete a certificate chain

  1. Obtain the trusted root certificate or intermediary public certificate from the CA. Most external commercial CAs provide the certificates on their Web site; if the CA is run by your company, check with the server administrator.

  2. In the AMC, navigate to System Configuration > SSL Settings.

  3. In the SSL Certificates area, click Edit.

  4. In the Certificate signing requests list, click the Process CSR response link for the appropriate certificate.

    The Import CSR Certificate page displays.

  5. Upload the certificate:

    The CA certificate must be in the “Apache Server” format.

    • If the certificate is in binary format:

      1. Select Certificate file.

      2. Click Browse and then upload the certificate reply from your local file system (the computer from which you’ve logged in to AMC).

    • If the certificate is in base-64 encoded (PEM) text format:

      1. Select Certificate text.

      2. Paste the certificate into the field.

        Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE banners.

  6. Click Save.

  7. To verify that the certificate was properly uploaded:

    1. Navigate to System Configuration > SSL Settings > CA Certificates.

    2. Click Edit next to <NNN> certificates.

    3. The new certificate should appear in the list on the CA Certificates page.

Step 4: Import the CSR Response Into AMC

To create a certificate, import the CSR response into AMC.

To import a certificate reply

  1. In the AMC, navigate to System Configuration > SSL Settings.

  2. In the SSL certificates area, click Edit.

  3. In the Certificate signing requests list, click the Process CSR response link for the appropriate certificate.

  4. Upload the certificate:

    • If the certificate is in binary format:

      1. Select Certificate file.

      2. Click Browse and then upload the certificate reply from your local file system (the computer from which you’ve logged in to AMC).

    • If the certificate is in base-64 encoded (PEM) text format:

      1. Select Certificate text.

      2. Paste the certificate into the field.

        Be sure to include the BEGIN CERTIFICATE and END CERTIFICATE banners.

  5. In the Used by drop-down menu, select AMC or WorkPlace/access methods (or select None if you want to build a list of certificates from which to choose later). If you defined additional WorkPlace sites (in addition to the default WorkPlace site), their names are included in this list.

  6. Click Save.

  7. To verify that the certificate was properly uploaded, click the plus sign (+) next to it on the SSL Certificates page.
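The following checks are an added example and are not part of the guide or of the SMA/AMC product. Run on the administrator's workstation with the openssl CLI before importing the reply in Step 4, they confirm that the CSR from Step 1 carries the expected FQDN, a SAN list containing it and a key of at least 2048 bits, that the CA's reply belongs to the CSR's key (the mismatch Step 2 warns about when a CSR is regenerated after submission), and that the reply chains to the root and intermediates from Step 3. File names are placeholders.

```shell
#!/bin/sh
# Added example: pre-import sanity checks with the openssl CLI (not SMA/AMC code).
# openssl accepts both the "BEGIN CERTIFICATE REQUEST" and the
# "BEGIN NEW CERTIFICATE REQUEST" banners mentioned in Step 2.

# 1. CSR check: expected common name, SAN list that includes it, RSA key >= 2048 bits.
#    Assumes the default RSA key type from Step 1; an EC key would need a lower threshold.
csr_check() {            # csr_check <csr.pem> <expected-fqdn>
    txt=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$txt" | grep -q "CN *= *$2" || return 1
    printf '%s\n' "$txt" | grep -q "DNS:$2" || return 1
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ]
}

# 2. Key match: the reply's public key must equal the CSR's public key. A CSR that was
#    generated a second time carries a new key, so the CA's reply would no longer match.
reply_matches_csr() {    # reply_matches_csr <reply.pem> <csr.pem>
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 3. Chain check: the reply must verify against the CA root, through any intermediates.
#    This is the chain AMC tries to complete on import; a failure here means you need
#    the root or intermediate certificates from the CA (Step 3).
chain_ok() {             # chain_ok <reply.pem> <root.pem> [intermediates.pem]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Usage: sh precheck.sh <csr.pem> <expected-fqdn> <reply.pem> <root.pem> [intermediates.pem]
if [ "$#" -ge 4 ]; then
    csr_check "$1" "$2"         && echo "CSR ok"    || echo "CSR check FAILED"
    reply_matches_csr "$3" "$1" && echo "key match" || echo "reply does not match CSR key"
    chain_ok "$3" "$4" "$5"     && echo "chain ok"  || echo "chain incomplete"
fi
```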

Step 5: Apply Your Changes

To start using a new certificate, you need to apply your configuration changes. For more information, see Applying Configuration Changes.

After applying the change, the appliance examines the new certificate and begins using it for all new connections. If the appliance fails to correctly process the certificate, you see a failure message and the event log records information about the failure. Typically, this occurs if there is no certificate, the certificate has expired (or is not yet valid), or the cached password in the encrypted password file is incorrect.

If your users authenticate using digital certificates, you must configure a trusted root file on the server as well as on the clients. See Configuring Client Certificate Revocation.
