Setting up an SSL Certificate
About SSL Certificates
Either a private (self-signed) or a public (commercial) SSL certificate can be used. The level of encryption is the same in both cases; it is determined by the key and the cipher suite, not by who signed the certificate. A commercial certificate has the advantage that a certificate authority has verified the identity of the owner and thereby vouches for the authenticity of your certificate, and users accessing Cryptshare via a web browser can check this if they wish. With a self-signed certificate, users are instead confronted with a browser security warning which they have to accept to establish the trust relationship. This usually confuses users and trains them to click through such warnings, so the use of a commercial certificate is strongly recommended. The system ships with a self-signed certificate that is intended only to secure the connection during first-time configuration. Please order and install a commercial certificate before using the system in a production environment. Follow these links if you already have a wildcard certificate or want to extend your existing certificate.
Required Tools
Keystore Explorer
To prepare the keystore for the Cryptshare Server we recommend the free tool 'Keystore Explorer' (a Java application). You prepare the keystore on your Windows PC and then copy it to the Cryptshare Server. Keystore Explorer can be downloaded at the following URL: http://keystore-explorer.org/downloads.html The tool covers all management operations for a Java keystore and its SSL certificate, on Windows systems as well as on Linux systems.
WinSCP (Linux, Virtual Appliance, Hardware Appliance)
If you are using a Linux system, a Hardware Appliance or a Virtual Appliance, we recommend the tool 'WinSCP' for copying the keystore from your PC to the Cryptshare Server: https://winscp.net/eng/download.php#download2
PuTTY
The use of PuTTY allows you to connect to the Cryptshare Server using SSH and to work on the Linux console. PuTTY is only required for Linux-based systems (Hardware Appliance, Virtual Appliance or self-installed Linux systems). http://www.putty.org/
Creating a new Certificate via a Certificate Signing Request (CSR)
For a public certificate, a 'Certificate Signing Request' (CSR) has to be created first and sent to the certificate authority, which creates the certificate for you. Generating the key pair as described below already produces a self-signed certificate in the keystore, so a self-signed setup needs no CSR. To create the request please proceed as follows:
- Start Keystore Explorer on your PC
- Create a new Keystore
- Select 'JKS' for the Keystore Type
- Generate a Key Pair
- Select 'RSA' as the key algorithm.
- The key length depends on the requirements of your certificate provider. In general a key length of 2048 bit is required; public certificate authorities no longer accept shorter RSA keys.
- Enter the required information as shown as an example in the screenshots.
- Additional optional parameters can be left out.
- The entries made should match the WHOIS record of the domain owner, i.e. the organisation requesting the certificate.
- Enter the alias com.befinesolutions.cryptshare.server for the key pair. When using a different alias the certificate won't be recognised by Cryptshare and the Cryptshare server startup will fail.
- Type in the password 'CA0AZhuFM4NogQh'. This is the default password used for new Cryptshare installations. Since it is printed in this documentation, treat it as public and change it before production use; detailed instructions on how to change the password can be found in the section Web Server Configuration - SSL Configuration.
- Save the new Keystore to your hard disk. Use 'CA0AZhuFM4NogQh' (the same default) as keystore password.
- Right-click on the certificate in the main window
- Select the option 'Generate CSR' to create a Certificate Signing Request for your Cryptshare Server.
Public SSL Certificate
A public certificate can be obtained from a commercial certificate authority with the CSR just created. Please provide the CSR to the respective certificate authority; the exact procedure varies depending on the authority.
Private Key of the SSL Certificate
When the key pair was generated, the private key was created and saved to the keystore; the CSR contains only the public key and the requested subject. Only the CSR is sent to the certificate authority. The private key never leaves the keystore, so keep the keystore file and its password protected: anyone holding them can impersonate your Cryptshare Server.
When receiving the certificate from the certificate authority, you have to save it in the Cryptshare Server Keystore first. Please perform the following steps:
- Open the Keystore Explorer
- Open the Cryptshare Server Keystore
- Right-click on the Cryptshare Server certificate
- Select the option 'Import CA Reply'
- Enter the password 'CA0AZhuFM4NogQh' in the following dialog. Detailed instructions on how to change the password can be found in the section Web Server Configuration - SSL Configuration.
- Select the certificate you received from the public certificate provider.
- Establish trust for the certificate by completing the certificate chain up to the root certificate. Make sure all intermediate certificates as well as the root certificate are put into the chain in the right order: the chain has to be built from the bottom (the server certificate) via the intermediate(s) to the top (the root certificate of the CA). If an intermediate is missing, browsers and other clients that do not already hold it cannot validate the chain and report the certificate as untrusted.
- Right-click on the Cryptshare Server certificate
- Select the option 'Edit Certificate Chain' --> 'Append Certificate'
- Confirm the following dialogs from the tool. These can vary depending on the certificate you're about to import.
- Save the Keystore
- Continue with Installing the Keystore on the Cryptshare Server.
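As an added example (not Cryptshare's own code and not a Keystore Explorer feature), the following Java program performs the checks a practitioner would want to make on the saved keystore before copying it to the server: the alias com.befinesolutions.cryptshare.server holds a private key that matches the certificate from the CA reply, the RSA key is at least 2048 bits, the certificate is currently valid and covers the server's host name, the chain runs from the server certificate through the intermediate(s) to a self-signed root as described in the steps above, and the keystore is not still protected by the documented default password. It assumes Java 11 or later (so that the source file can be run directly), that the key entry uses the same password as the keystore (as in the steps above); the file name cryptshare.jks and the host name cryptshare.example.com are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

// Added example, not Cryptshare's own code: sanity-checks the keystore prepared with Keystore Explorer
// before it is copied to lib/security. Assumes Java 11+ and that the key entry uses the keystore password.
// Run:  java KeystoreCheck.java cryptshare.jks <password> cryptshare.example.com   (placeholder names)
public class KeystoreCheck {
    // Alias required by Cryptshare; with any other alias the server start-up fails.
    static final String ALIAS = "com.befinesolutions.cryptshare.server";
    // Default password of new installations; it is printed in the documentation, so treat it as public.
    static final String DEFAULT_PASSWORD = "CA0AZhuFM4NogQh";
    static final int MIN_RSA_BITS = 2048;

    public static List<String> check(KeyStore ks, char[] password, String expectedHost) throws Exception {
        List<String> problems = new ArrayList<>();
        if (DEFAULT_PASSWORD.equals(new String(password)))
            problems.add("keystore still uses the documented default password; change it before going live");
        if (!ks.isKeyEntry(ALIAS)) {
            problems.add("no key entry under alias '" + ALIAS + "' (check the alias used in 'Generate Key Pair')");
            return problems;
        }
        PrivateKey key;
        try { key = (PrivateKey) ks.getKey(ALIAS, password); }
        catch (Exception e) { problems.add("private key cannot be read with the keystore password: " + e); return problems; }
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        X509Certificate leaf = (X509Certificate) chain[0];

        // The private key generated with the key pair must belong to the certificate from the CA reply.
        if (key instanceof RSAKey && leaf.getPublicKey() instanceof RSAKey) {
            if (!((RSAKey) key).getModulus().equals(((RSAKey) leaf.getPublicKey()).getModulus()))
                problems.add("private key does not match the certificate stored under the alias");
            if (((RSAKey) key).getModulus().bitLength() < MIN_RSA_BITS)
                problems.add("RSA key is shorter than " + MIN_RSA_BITS + " bits");
        } else problems.add("key pair is not RSA");
        try { leaf.checkValidity(); } // throws if expired or not yet valid
        catch (Exception e) { problems.add("server certificate is not currently valid: " + e); }
        // A single self-signed certificate is the state the system ships in for first-time configuration.
        if (chain.length == 1 && isSelfSigned(leaf))
            problems.add("certificate is self-signed; browsers will warn (acceptable only during first-time configuration)");

        // Chain order: every certificate must be issued and signed by the next one up, ending at a root.
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            X509Certificate issuer = (X509Certificate) chain[i + 1];
            if (!c.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                problems.add("position " + (i + 1) + " is not the issuer of position " + i + " (wrong order or missing intermediate)");
                continue;
            }
            try { c.verify(issuer.getPublicKey()); }
            catch (Exception e) { problems.add("signature on position " + i + " does not verify against position " + (i + 1)); }
        }
        X509Certificate top = (X509Certificate) chain[chain.length - 1];
        if (!isSelfSigned(top))
            problems.add("chain does not end at a root certificate; issuer '" + top.getIssuerX500Principal() + "' is missing");
        if (expectedHost != null && !matchesHost(leaf, expectedHost))
            problems.add("certificate does not cover host name " + expectedHost);
        return problems;
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    // Only dNSName entries (type 2) of the subjectAltName count; a wildcard covers exactly one label.
    static boolean matchesHost(X509Certificate c, String host) throws Exception {
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        if (sans == null) return false;
        host = host.toLowerCase();
        int dot = host.indexOf('.');
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue;
            String name = ((String) san.get(1)).toLowerCase();
            if (name.equals(host)) return true;
            if (name.startsWith("*.") && dot > 0 && host.substring(dot).equals(name.substring(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) { System.err.println("usage: java KeystoreCheck.java <keystore.jks> <password> [hostname]"); System.exit(2); }
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }
        List<String> problems = check(ks, pw, args.length > 2 ? args[2] : null);
        for (String p : problems) System.out.println("PROBLEM: " + p);
        System.out.println(problems.isEmpty() ? "keystore looks ready for lib/security" : problems.size() + " problem(s) found");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

The same information can be read by eye from keytool -list -v -keystore cryptshare.jks, which prints the chain entry by entry; the program only makes the order and signature checks explicit and returns a non-zero exit code so it can gate a deployment script. A chain that is complete but in the wrong order shows up as a "not the issuer of" finding, a missing intermediate as the top certificate not being self-signed.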
Hardware Appliance, Virtual Appliance and self-installed Linux systems
- Start WinSCP
- Open a new connection by clicking 'New'.
- Use the settings as shown in the screenshot
- Use the host name of your Cryptshare Server as Hostname
- The password for the root user has been shipped to you with the delivery of the Appliance
- Click 'Login' to establish a connection to your appliance
- By default the home directory of the root user will be shown.
- Browse to /opt/cryptshare-3/lib/security (on a Virtual or Hardware Appliance) or <Cryptshare-Installation Directory>/lib/security (on a self-installed system)
- Copy the keystore to your Cryptshare Server, e.g. by drag & drop, overwriting the existing file. Keep a copy of the previous keystore until the new certificate has been verified in a browser, so that you can roll back if the server fails to start.
- Restart Cryptshare by either clicking on 'Save changes' in System-Settings of the Administration Interface or by the CLI command below.
rccryptshare restart
Windows-based systems (manual installation)
- Save the previously created keystore to the subfolder 'lib/security' of your Cryptshare installation, overwriting the existing file (keep a copy of the previous keystore until the new certificate has been verified in a browser).
- Restart Cryptshare by either clicking on 'Save changes' in System-Settings of the Administration Interface or by restarting the service 'CryptshareService'.