Transport Layer Security (TLS) Configuration
The following describes how to manage Transport Layer Security (TLS) certificates.
It may be necessary to renew the TLS certificate to comply with your company's security regulations, or, for example, to remove the security warning in the address bar of the browser.
Managing TLS certificates includes the following steps:
Create and Download a New Certificate Signing Request (CSR)
Your first step for renewing a TLS certificate is to create a new Certificate Signing Request (CSR).
Log in to the Next Generation Hardware Appliance.
Open the Security page.
In the TLS Certificates section, click Create New CSR to open the corresponding form.
Create New CSR | 
---|---
Key Algorithm | Select the cryptographic key algorithm to be used for the CSR from the drop-down menu.
Domains | Add the domain. You can enter any IPv4 or IPv6 address. The field also supports any domain name as well as wildcard domains and punycode.

Optional Fields | 
---|---
Common Name (CN) | Enter the Common Name (CN) to be included in the CSR.
State/Province (ST) | Enter the State/Province (ST) to be included in the CSR.
Locality (L) | Enter the Locality (L) to be included in the CSR.
Organization (O) | Enter the Organization (O) to be included in the CSR.
Click Create CSR to confirm your entries and create the CSR.
In the TLS Certificates list, a new entry for the certificate is displayed.
The Status column shows awaiting issuance.
In the Actions column, click Download CSR to download and save the new CSR.
Have the new Certificate Signing Request signed to continue with creating a new certificate.
Create and Download the TLS Certificate
You can create the new certificate with the Certificate Authority (CA) of your organization's choice. The following describes the basic steps for making a certificate request and issuing a certificate using the EJBCA RA user interface.
Note that the options available depend on your role, and when there is only one choice available and thus no selection to be made, the option is not displayed on the page. To view these predefined options, click Show details in the bottom-right of each section. For more information, refer to the EJBCA Documentation on Creating Certificates on the RA.
To create and download the TLS certificate in EJBCA, do the following:
Click Overview in the Hardware Appliance.
In the Application Overview, select Admin Web to go to EJBCA.
In EJBCA, select the RA Web menu option.
In the EJBCA RA UI, click Make New Request.
In the Select Request Template Certificate subtype field, select Server.
Select the Key-pair generation option Provided by user to use the CSR to issue a new certificate using your trusted CA.
Click Browse under Upload CSR and select the PEM file downloaded in step Create and Download a New CSR.
Scroll down to Provide User Credentials and specify a Username.
Click Download PEM full chain to issue the certificate and click Save to store the file.
Certificate Rules
The Next Generation Hardware Appliance will check the new certificate against the following rules:
All domains in the certificate must match the ones in the generated CSR.
The public key of the certificate must match the public key of the CSR.
The certificate chain must be correct.
The certificate must have the digitalSignature flag set in its KeyUsage extension.
The Extended Key Usage of the certificate must include server authentication.
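As an added example, not part of the appliance or EJBCA documentation, the following POSIX shell script uses the openssl CLI to do locally what the two preceding sections describe: it builds a CSR carrying the fields of the Create New CSR form (CN, ST, L and O, with the Domains entered as DNS, wildcard and IP address Subject Alternative Names), has a constructed test CA issue a certificate from it, and then checks the result against the five certificate rules above before it would be uploaded. Everything in it is assumed: the appliance generates the CSR itself and this page does not list the Key Algorithm options, so the RSA 2048 key, the example.test names, the 192.0.2.10 address and the test CA are constructed fixtures standing in for the CSR you download and the certificate your CA returns.

```shell
#!/bin/sh
# Added example, not the appliance's or EJBCA's own code: build a CSR with the
# fields of the Create New CSR form, issue a certificate from it with a
# constructed test CA, and check the result against the appliance's rules.
# Requires the openssl CLI (1.1.1 or newer assumed). All names, the 192.0.2.10
# address, the RSA 2048 key and the test CA are constructed fixtures.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the fixtures: test CA, server CSR, one compliant certificate and one
# issued with only clientAuth so that the Extended Key Usage rule fails.
make_fixtures() (
  cd "$WORK"
  cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -keyout ca.key -out ca.crt >/dev/null 2>&1

  # CSR: CN/ST/L/O as in the Optional Fields; Domains become SAN entries
  # (plain DNS name, wildcard and IP address, as the Domains field allows).
  cat > srv.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = appliance.example.test
ST = Example State
L = Example City
O = Example Org
[san]
subjectAltName = DNS:appliance.example.test,DNS:*.appliance.example.test,IP:192.0.2.10
EOF
  openssl req -new -config srv.cnf -newkey rsa:2048 -nodes \
    -keyout srv.key -out srv.csr >/dev/null 2>&1

  # Issue two certificates from the same CSR: the CA copies the SANs and sets
  # Key Usage and Extended Key Usage; only the first one has serverAuth.
  for eku in serverAuth clientAuth; do
    printf '%s\n' \
      "subjectAltName=DNS:appliance.example.test,DNS:*.appliance.example.test,IP:192.0.2.10" \
      "keyUsage=critical,digitalSignature,keyEncipherment" \
      "extendedKeyUsage=$eku" > "ext-$eku.cnf"
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 \
      -extfile "ext-$eku.cnf" -out "srv-$eku.crt" >/dev/null 2>&1
  done
)

# SAN entries of a CSR ($1=req) or certificate ($1=x509), one per line, sorted.
san_list() {
  openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed 's/^[[:space:]]*//' | sort
}

# Value line of a named X509v3 extension of a certificate.
ext_value() {
  openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2:" | tail -n 1
}

# Apply the five rules, print a verdict per rule, return 0 only if all pass.
# Usage: check_cert CSR CERT CHAIN_PEM
check_cert() {
  csr=$1; crt=$2; chain=$3; failed=0
  report() { if [ "$2" -eq 0 ]; then echo "PASS: $1"; else echo "FAIL: $1"; failed=1; fi; }

  rc=0; [ "$(san_list req "$csr")" = "$(san_list x509 "$crt")" ] || rc=1
  report "all domains match the CSR" $rc
  rc=0; [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl x509 -in "$crt" -noout -pubkey)" ] || rc=1
  report "public key matches the CSR" $rc
  rc=0; openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1 || rc=1
  report "certificate chain is correct" $rc
  rc=0; ext_value "$crt" "Key Usage" | grep -q 'Digital Signature' || rc=1
  report "KeyUsage includes digitalSignature" $rc
  rc=0; ext_value "$crt" "Extended Key Usage" | grep -q 'TLS Web Server Authentication' || rc=1
  report "Extended Key Usage includes server authentication" $rc
  return $failed
}

make_fixtures
echo "== certificate issued with serverAuth"
check_cert "$WORK/srv.csr" "$WORK/srv-serverAuth.crt" "$WORK/ca.crt" || true
echo "== certificate issued with clientAuth only (expected to be rejected)"
check_cert "$WORK/srv.csr" "$WORK/srv-clientAuth.crt" "$WORK/ca.crt" || true
```

Run the script with no arguments. The second run shows the kind of rejection the appliance produces when the CA applied a different profile than expected: every rule passes except the Extended Key Usage one. To check a real certificate, point check_cert at the CSR downloaded from the appliance, the certificate returned by your CA, and the PEM full chain file in place of the constructed fixtures.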
Upload and Activate the TLS Certificate
The following describes how to activate the new certificate in the user interface of the Hardware Appliance:
Log in to the Next Generation Hardware Appliance.
Open the Security page.
In the TLS Certificates section, click Upload Certificate for the certificate that is awaiting issuance.
Select and upload the newly created TLS certificate.
The option Activate Certificate appears. Click it to activate the new certificate.
The former certificate becomes inactive.