Setting up an SSL Certificate

From the Cryptshare Documentation

About SSL Certificates

Either a private (self-signed) or a public (usually commercial) SSL certificate can be used. Both give the same strength of encryption: the key size and the cipher suites are determined by the key pair and the server configuration, not by who signed the certificate. The advantage of a public certificate is that its issuer, the certification authority (CA), verifies that you control the domain and attests to this in the certificate. Because browsers already trust the public CAs, a certificate for your domain issued by one of them is accepted without complaint as long as it is valid and the host name matches.

With a private certificate, on the other hand, browsers display a warning and ask the user to inspect and explicitly accept the certificate. Since this deters users and teaches them to click through certificate warnings, obtaining and using a public certificate is strongly recommended.

The system is delivered with a private certificate. It is only intended to secure the connection during the initial configuration of the system. Obtain and install a public certificate before putting the system into production.

Separate pages cover the cases where you already own a wildcard certificate or want to renew an existing certificate.

Required Tools

KeyStore Explorer

To prepare the certificate store ("keystore") of your Cryptshare Server, we recommend the free tool "KeyStore Explorer" (a Java application that runs on Windows as well as on Linux and macOS). With it you prepare the keystore file on your workstation and copy it to the Cryptshare Server afterwards. You can download KeyStore Explorer at http://keystore-explorer.org/downloads.html.

The tool can be used for all management tasks concerning the SSL certificates of Cryptshare Server, regardless of whether the server runs on Windows or Linux.

WinSCP (only Linux-based Systems)

If you are using a Hardware Appliance, a Virtual Appliance or another Linux-based Cryptshare Server, we recommend the Windows tool "WinSCP" for copying the keystore file from your workstation to the Cryptshare Server: https://winscp.net/eng/download.php#download2.

PuTTY

With "PuTTY" you can open an SSH connection from a Windows PC to the Cryptshare Server and work on the Linux command line (shell). PuTTY is only required for Linux-based systems (including Virtual Appliance and Hardware Appliance): http://www.putty.org/.

Generating a new Key Pair

Whether you want a public or a private certificate, a key pair has to be generated first.

To do so, proceed as follows:

  1. Start KeyStore Explorer on your workstation.
  2. Create a new keystore:
    18945994.png
  3. Select "JKS" as the keystore type.
    Keystore-explorer-new-keystore-type.png
  4. Generate a new key pair:
    Keystore-explorer-create-keypair.png
  5. Select "RSA" as the key algorithm. The required key length depends on the requirements of your certificate provider; publicly trusted CAs require at least 2048 bits, which is the usual choice.
    Keystore-explorer-keypair-options.png
  6. In the following dialog, check these settings:
    Keystore-explorer-keypair-certificate-options.png
    1. "Version": "Version 3"
    2. "Signature Algorithm": "SHA-256 with RSA" (or better)
    3. "Validity Period": The period during which the generated (self-signed) certificate is to be recognised as valid, for example 2 years from the time of creation. For a public certificate this value does not matter: the CA sets the validity of the certificate it issues from your CSR, and publicly trusted certificates are currently limited to 398 days by the browser vendors.
    4. After that, click on the icon behind the "Name" field.
  7. In the "Name" dialog, enter the details of your Cryptshare Server and company.
    Keystore-explorer-name-details.png
    • The Common Name (CN) must match the host name of the server as specified in the public URL (e.g. "webapp.cryptshare.com" if the URL is "https://webapp.cryptshare.com"). An incorrect entry results in a certificate error. Current browsers additionally require the host name in the "Subject Alternative Name" (SAN) extension and ignore the CN for host name matching (Chrome has done so since version 58). Add a SAN entry of type DNS name with the same host name via "Add Extensions" in the certificate options dialog; for a public certificate, also make sure the provider includes it in the issued certificate.
    • The other details should match the results of a "whois" query for the domain.
  8. Confirm the two dialogs with "Ok".
  9. After that, you will be asked to enter an alias:
    Keystore-explorer-new-keystore-alias.png
    As alias, you must enter exactly "com.cryptshare.server". If any other name is chosen, Cryptshare cannot identify its certificate and the Cryptshare Server will fail to start.
  10. Enter the password "CA0AZhuFM4NogQh". This is the default password that must be used while the system is in its delivery state. Because it is published in this documentation, change it once the certificate is in place; for a description of how to do so, please refer to Changing SSL passwords.
    Keystore-explorer-keypair-password.png
  11. Save the keystore to your hard disk:
    Keystore-explorer-save.png
    • As file name, choose "keystore".
    • A password is also required to protect the keystore. Use the same password here as for the certificate ("CA0AZhuFM4NogQh").


To use a Public SSL Certificate:

  1. In the main screen of KeyStore Explorer, right-click on the entry you have just created.
  2. Choose "Generate CSR" to create a Certificate Signing Request (CSR) for your Cryptshare Server.
    Keystore-explorer-generate-csr.png
  3. In the following dialog, select the destination path for the CSR file and, if necessary, adjust the options according to the specifications of your certificate provider.
    Keystore-explorer-save-csr.png
  4. A certificate provider can now issue a public certificate. Submit the CSR file you have just created; the exact procedure varies between providers.
  5. As soon as your certificate provider has issued the certificate, proceed with Installing a Public Certificate in the Keystore of the Cryptshare Server.
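The two procedures above (generating the key pair and generating the CSR) can also be carried out non-interactively with the JDK's "keytool", which is useful for scripted or repeatable setups. The following script is an added example and is not part of the Cryptshare documentation or product. It assumes that a JDK (keytool) and optionally openssl are on the PATH; the host name, organisation details and output directory are assumptions to be replaced with your own values. The alias, the keystore type "JKS", the file name "keystore" and the delivery-state password are the values prescribed above; the SAN extension is included so that browsers, which match the host name against the SAN rather than the CN, accept the certificate.

```shell
#!/bin/sh
# Added example, not Cryptshare's own code: build the keystore described in the
# documentation with keytool instead of the KeyStore Explorer GUI, then write the CSR.
# Assumed values: host name, organisation, output directory (see usage at the bottom).
set -eu

ALIAS="com.cryptshare.server"                      # mandatory alias; any other name and the server will not start
STOREPASS="${CS_KEYSTORE_PASS:-CA0AZhuFM4NogQh}"   # delivery default from the documentation; change it afterwards

# build_keystore DIR HOST ORG LOCALITY STATE COUNTRY
# Creates DIR/keystore (JKS) holding an RSA-2048 key pair with a SHA-256/RSA
# self-signed certificate valid for 730 days and a DNS SAN for HOST.
build_keystore() {
    dir=$1 host=$2 org=$3 loc=$4 st=$5 c=$6
    keytool -genkeypair \
        -keystore "$dir/keystore" -storetype JKS \
        -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 730 \
        -dname "CN=$host,O=$org,L=$loc,ST=$st,C=$c" \
        -ext "SAN=dns:$host" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" 2>/dev/null
}

# make_csr DIR HOST
# Writes DIR/cryptshare.csr for the key pair above; the SAN is repeated in the
# request so the CA sees the host name in both CN and SAN.
make_csr() {
    dir=$1 host=$2
    keytool -certreq \
        -keystore "$dir/keystore" -storetype JKS -storepass "$STOREPASS" \
        -alias "$ALIAS" -ext "SAN=dns:$host" \
        -file "$dir/cryptshare.csr" 2>/dev/null
}

# keystore_alias_ok DIR
# Returns 0 only if the keystore contains a private-key entry under the
# mandatory alias. Run this before copying the file to the server.
keystore_alias_ok() {
    keytool -list -keystore "$1/keystore" -storetype JKS -storepass "$STOREPASS" \
        -alias "$ALIAS" 2>/dev/null | grep -q 'PrivateKeyEntry'
}

# csr_has_san DIR HOST
# Confirms that the SAN survived into the request (needs openssl).
csr_has_san() {
    openssl req -in "$1/cryptshare.csr" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

if [ "${1:-}" = "run" ]; then   # example invocation with assumed values
    mkdir -p out
    build_keystore out webapp.example.com "Example GmbH" Freiburg BW DE
    make_csr out webapp.example.com
    keystore_alias_ok out && echo "keystore ready: out/keystore, CSR: out/cryptshare.csr"
fi
```

Run it as "sh make-keystore.sh run"; the resulting "out/keystore" is what the sections below copy to the server, and "out/cryptshare.csr" is what you hand to the certificate provider. keytool prints a warning that JKS is a proprietary format; that is expected here, since the server requires JKS.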


To use a Private SSL Certificate:

During the generation of the key pair, a self-signed certificate has already been created, so there is no certificate from a provider to import. Proceed directly with Installing the Keystore on the Cryptshare Server.

Installing a Public Certificate in the Keystore of the Cryptshare Server

Once you have received the public certificate from the certificate provider, add it to the keystore of the Cryptshare Server as follows:

  1. Open the KeyStore Explorer.
  2. Open the keystore file "keystore":
    Keystore-explorer-open.png
  3. Enter "CA0AZhuFM4NogQh" as password. This is the default password in the delivery state; for a description of how to change it, please refer to Changing SSL passwords.
  4. Right-click on the "com.cryptshare.server" entry.
  5. Choose "Import CA Reply":
    Keystore-explorer-import-ca-reply.png
    • Provide the certificate data "From File" or "From Clipboard", depending on how the certificate was delivered. Enter the password "CA0AZhuFM4NogQh" again.
  6. If necessary, complete the certificate chain up to and including the root certificate with the following steps.
    If the certificate chain is incomplete, some browsers still show a security warning that requires manual intervention. Therefore make sure that all intermediate certificates and the root certificate are added to the chain in the correct order: 1. the issued server certificate, 2. the intermediate certificate(s), each issued by the next one, 3. the root certificate. Browsers already hold the root certificate in their trust store, so it is usually a missing intermediate that causes the warning. You can obtain the required files from your certificate provider.
    1. Right-click on the key pair entry of the Cryptshare Server.
    2. Choose "Edit Certificate Chain" --> "Append Certificate...":
      Keystore-explorer-append-certificate.png
    3. Confirm the subsequent queries of the application. These may vary depending on the type of certificate being imported.
  7. Save the keystore.
  8. Proceed with the following section.
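Before appending the chain in KeyStore Explorer, it is worth checking the files from the provider on the workstation, where a wrong order or a missing intermediate is easier to diagnose than in a browser warning. The following script is an added example, not part of the Cryptshare documentation; it assumes openssl 1.1.1 or newer on the PATH and a PEM bundle file in the order the documentation prescribes (server certificate, intermediates, root). It checks that each certificate is issued by the one that follows it, that the chain ends at a self-signed root, and that the server certificate verifies cryptographically up to that root and carries the expected host name.

```shell
#!/bin/sh
# Added example, not Cryptshare's own code: sanity-check a PEM certificate bundle
# (server cert, intermediate(s), root, in that order) before importing it.
set -eu

# split_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert1.pem, cert2.pem, ... in file order and prints the count.
split_bundle() {
    awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0 }
        END { print n + 0 }' "$1"
}

# dn FILE subject|issuer -> the distinguished name without the "subject="/"issuer=" prefix
dn() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2=//"; }

# chain_order_ok BUNDLE
# Returns 0 if every certificate is issued by the next one in the file and the
# last one is self-signed (a root); otherwise prints the first broken link.
chain_order_ok() {
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    if [ "$n" -lt 1 ]; then echo "no certificates found in $1"; rm -rf "$tmp"; return 1; fi
    i=1
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        if [ "$(dn "$tmp/cert$i.pem" issuer)" != "$(dn "$tmp/cert$next.pem" subject)" ]; then
            echo "certificate $i is not issued by certificate $next (wrong order or missing intermediate)"
            rm -rf "$tmp"; return 1
        fi
        i=$next
    done
    if [ "$(dn "$tmp/cert$n.pem" issuer)" != "$(dn "$tmp/cert$n.pem" subject)" ]; then
        echo "chain does not end at a self-signed root certificate"
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
}

# chain_verify BUNDLE HOST
# Cryptographic check: the first certificate must verify up to the last one
# (used as the only trust anchor), with the others as untrusted helpers, and
# HOST must match the certificate's SAN.
chain_verify() {
    tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$tmp")
    if [ "$n" -lt 2 ]; then rm -rf "$tmp"; return 1; fi
    i=2; : > "$tmp/untrusted.pem"
    while [ "$i" -le "$n" ]; do cat "$tmp/cert$i.pem" >> "$tmp/untrusted.pem"; i=$((i + 1)); done
    if openssl verify -CAfile "$tmp/cert$n.pem" -untrusted "$tmp/untrusted.pem" \
            -verify_hostname "$2" "$tmp/cert1.pem" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = "run" ]; then   # example invocation; bundle file name and host are assumptions
    chain_order_ok chain.pem && chain_verify chain.pem webapp.example.com && echo "chain.pem is complete and in order"
fi
```

If chain_order_ok reports a broken link, obtain the missing intermediate from the provider and re-order the files before appending them in KeyStore Explorer; if chain_verify fails although the order is right, the server certificate was not issued for the host name you are checking.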

Installing the Keystore on the Cryptshare Server

Linux-based Systems (including Hardware Appliance and Virtual Appliance)

  1. Start "WinSCP"
  2. In the login dialog, enter the connection details:
    Winscp-new-session.png
    • "File Protocol:" SCP
    • "Host name:" Host name or IP address of the Cryptshare Server.
    • "User name:" The user name with which the connection is to be made. On Hardware Appliance and Virtual Appliance, this is "root".
    • "Password:" The corresponding password. During the delivery of a Hardware Appliance or Virtual Appliance, this has been provided.
  3. Click on "Login" to log in to your Cryptshare Server and establish the connection.
  4. In the right-hand (remote) pane, change to the "lib/security/" subdirectory of the installation directory. On Hardware Appliances, Virtual Appliances and other installations made with the RPM package, the installation directory is "/opt/cryptshare-3", so the target is "/opt/cryptshare-3/lib/security/". Then copy the keystore file from your workstation into this directory.
    4325998.png


The keystore is now on the Cryptshare Server. The service only reads it at start-up, so it has to be restarted; you have several possibilities to do this:

Using the administration interface:

  1. Open the administration interface of your Cryptshare Server in a browser (https://<Your Cryptshare Server host name>:8080).
  2. Login with an administrator account.
  3. Open the action menu in the upper right corner and click on "Restart".


Using the Linux shell:

  1. Connect to the Linux shell of the Cryptshare Server via PuTTY.
    1. Start PuTTY.
    2. Enter the Host name or IP address of the Cryptshare Server.
    3. Click on "Open".
      18946002.png
      The Linux shell is shown.
  2. Enter "root" at "login as" to connect as the root user.
    18946001.png
  3. The system then asks for the user's password. For a Hardware Appliance or Virtual Appliance, it was provided at delivery. Note that the password is not echoed while you type it, and no placeholder characters (*) are shown.
  4. Restart the Cryptshare service:
    rccryptshare restart (OpenSUSE, including Hardware Appliance or Virtual Appliance)
    systemctl restart cryptshare (other Linux-based systems)

Windows-based Systems

  1. Save the previously created keystore to the "lib/security" subdirectory of the installation directory.
  2. Restart the service "CryptshareService".