Setting up an SSL Certificate

About SSL Certificates

A private (self-signed) or public (commercial) SSL Certificate can be used. There is no difference regarding the level of encryption. In comparison to self-signed certificates, commercial certificates offer the advantage that the certificate authority verifies the identity of the owner and therefore confirms the authenticity of your certificate. Users accessing Cryptshare via a web browser can check the authenticity of the certificate if they wish to. When using a self-signed certificate users will be confronted with a security message which has to be accepted to confirm the trust relationship. As this usually confuses the users, the use of a commercial certificate is strongly recommended. The system is shipped with a self-signed certificate which is intended to be used only to secure the connection during first-time configuration. Please order and install a commercial certificate before using the system in a productive environment. Follow these links, if you already have a Wildcard certificate or want to extend your existing certificate.

Required Tools

Keystore Explorer

For preparation of the Keystore for the Cryptshare Server we recommend the free Windows-Tool 'Keystore Explorer'. This tool can be used to prepare the Keystore on your Windows PC. The Keystore can then be copied back to the Cryptshare Server. Keystore Explorer can be downloaded at the following URL: http://keystore-explorer.org/downloads.html The tool can be used for all management operations for a Java SSL certificate. This applies to certificates on Windows systems as well as on Linux systems

WinSCP (Linux, Virtual, - Hardware Appliance)

If you are using a Linux system, Hardware or Virtual Appliance we recommend the tool 'WinSCP' for copying the Keystore from your PC to the Cryptshare Server. https://winscp.net/eng/download.php#download2

PuTTY

The use of PuTTY allows you to connect to the Cryptshare Server using SSH and to work on the Linux console. PuTTY is only required for Linux-based systems (Hardware Appliance, Virtual Appliance or self-installed Linux systems). http://www.putty.org/

Creating a new Certificate via a Certificate Signing Request (CSR)

For creation of a public or a self-signed certificate a 'Certificate Signing Request' (CSR) has to be created first. In case of a public certificate the CSR must be sent to the certificate authority so they can create the certificate for you. For creation of the request please proceed as follows:

• Start Keystore Explorer on your PC
• Create a new Keystore

Select 'JKS' for the Keystore Type

• Generate a Key Pair
• Select the 'RSA' security algorithm.
• The key length depends on the specifications of your certificate provider. In general a key length of 2048 bit is required.

• Enter the required information as shown as an example in the screenshots.
• Additional optional parameters can be left out.
• The entries made should comply with the whois entry of the certificate creator.

Type in the password 'CA0AZhuFM4NogQh' This is a default password used for new Cryptshare installations Detailed instructions on how to change the password can be found in the section Web Server Configuration - SSLConfiguration

Save the new Keystore to your hard disk Use 'CA0AZhuFM4NogQh' as keystore password

• Right-Click on the certificate in the main window
• Select the option 'Generate CSR' to create a Certificate Signing Request for your Cryptshare Server.

Public SSL Certificate

A public certificate can be obtained with the CSR just created from a commercial certificate authority. Please provide the CSR to the respective certificate authority. This procedure varies depending on the authority.

Private Key of the SSL Certificate

By creation of the CSR the private certificate has already been created and saved to the keystore.

Installing the public key in the Cryptshare Server Keystore

When receiving the certificate from the certificate authority, you have to save it in the Cryptshare Server Keystore first. Please perform the following steps:

• Open the Keystore Explorer
• Open the Cryptshare Server Keystore

• Right-Click on the Cryptshare Server certificate
• Select the option 'Import CA Reply'

Enter the password 'CA0AZhuFM4NogQh' in the following dialog

Select the certificate you received from the public certificate provider.

Establish trust for the certificate by completing the certificate chain up to the root certificate.

• Right-Click on the Cryptshare Server certificate
• Select the option 'Edit Certificate Chain' --> 'Append Certificate'
• Confirm the following dialogs from the tool. These can vary depending on the certificate you're about to import.
• Save the Keystore
• Continue with Installing the Keystore on the Cryptshare Server.

Installing the Keystore on the Cryptshare Server

Hardware Appliance and Virtual Appliance and self installed Linux Systems

• Start WinSCP
• Open a new connection by clicking „New“.

• Use the settings as shown in the screenshot
  • Use the URL of your Cryptshare Server as Hostname
  • The password for the root user has been shipped to you with delivery of the Appliance
  • Click 'Login' to establish a connection to your appliance

• By default the home directory of the root user will be shown.
• browse to /opt/cryptshare-3/lib/security (on virtual or hardware appliance) or <Cryptshare-Installation Directory>/lib/security (on self installed system)
• Copy the keystore to your Cryptshare Server by e.g. drag & drop (overwrite existing).
• Restart Cryptshare by either clicking on 'Save changes' in System-Settings of the Administration Interface or by the cli command below.

rccryptshare restart

Datei:18945665.png

Windows-based systems (manual installation)

• Save the previously created Keystore to the subfolder 'lib/security' of your Cryptshare Installation.
• Restart Cryptshare by either clicking on "Save changes" in System-Settings of the Administration Interface or by restarting the following service 'CryptshareService'.