2.3.1 Introduction
The certificates management is related to the server name and the services provided (please refer to 2.2 Network Segregation for details about the certificate assignation to a specific NIC/IP/name). In order to provide to the client a sure match of your identity you need to load and configure a secure certificate bonded to your server name (ie: name.server.tld).
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | Certificate configuration, default certificate installed |
|---|
| AnchorName | default_certificate |
|---|
|
|
You can get the certificates configuration page using the Certificate Management link in the main menu. As shown above the default page is listing the installed TLS Keypair.
| Info |
|---|
By default, on it's installed one "*.madama.at" wildcard certificate as shown in | Xref |
|---|
| AnchorName | default_certificate |
|---|
|
|
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | The tabs to access the two section related with the certificate management |
|---|
| AnchorName | tls tabs |
|---|
|
|
From this page you can decide to view and delete your keypairs or the Certification Authority entries, using the tabs shown in the above
.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | link for creating new key and CSR or add new CAs |
|---|
| AnchorName | new_tls_new_ca |
|---|
|
|
Instead if you need to create a new TLS key pair or add a new CA, then you have to use the buttons above the "TLS Keypair" list (the ones shown in
).
2.3.2 Create New Certificate
Add a new Certificate is a delicate matter, because it involves sensible informations like private Key Management and concealing. Adding a New Certificate on
means that you can create your own
Certificate Signing Request directly on
and no need for external Private Key creation/management tools. Of course you need to have your CSR signed by a known Certificate Authority before you can actually use it.
Certificate Creation is thus split in two steps:
- New Key and CSR creation (before CA sign)
- New Certificate upload (after CA sign)
New Key and CSR
So first of all you start by creating a CSR: click on the New Key and CSR link above the certificate table.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | New certificate form |
|---|
| AnchorName | new_certificate |
|---|
|
|
You are redirected on page shown in
| Xref |
|---|
| AnchorName | new_certificate |
|---|
|
. Here you can fill the form with all basics data needed to create a Certificate Signing Request.
| Info |
|---|
All the fields in above form are standard ones for creating new TLS Key pairs/Certificate Signing Requests. |
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | example values for new CSR |
|---|
| AnchorName | CSR_creation_example |
|---|
|
|
Once you're done you can just press Generate button at the bottom of the form.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | new CSR created and listed |
|---|
| AnchorName | new_CSR_created |
|---|
|
|
A warning confirming creation and a new row in TLS Keypair list shows generation process has been successful.
| Tip |
|---|
Using this Certificate creation process you don't have to deal directly with Private Keys. |
Now you can download your CSR to make a Certificate Authority sign it, creating a brand new Server Certificate.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | Edit CSR form |
|---|
| AnchorName | Edit CSR |
|---|
|
|
Just click on Certificate's name in main list and you get form shown in
. From here you can fully manage your CSR, upgrading it to a proper Certificate or modifying its description.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | CSR management links |
|---|
| AnchorName | Edit_CSR_links |
|---|
|
|
Anyway you need to Download CSR before you're done with Certificate creation, so use first link shown in detailed view
.
New Certificate upload
Once you have your CSR you just follow instructions by CA of your choice to obtain a new Certificate. As it's done, you can get back to form in
and this time
Upload certificate.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | Upload Certificate form |
|---|
| AnchorName | upload_certificate |
|---|
|
|
You can fill Certificate text box with actual Certificate as it has been release from Certificate Authority. If you got also some intermediate Certificate, then you have to paste it in Cert Chain.
| Warning |
|---|
All the fields must be in PEM (Privacy Enhanced Mail) format. |
When your done you just press the Upload button on the bottom line: will validate entire Certificate Chain and if it went thought it then you should have a new line in you TLS/Keypair.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | Details of the new Certificate |
|---|
| AnchorName | new_cert_details |
|---|
|
|
If you click on Certificate's Id then you can read Certificate's details as shown in | Xref |
|---|
| AnchorName | new_cert_details |
|---|
|
.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | Edit new Certificate |
|---|
| AnchorName | new_cert_detail |
|---|
|
|
You can notice that now you can also Download both Certificate and Certificate chain. Upload certificate can come handy in case of renewal.
| Warning |
|---|
Even if it's possible to extend Certificates validity period, it is a good practice to create a fresh new CSR each time instead. We also think it is wise to keep validity period of each Certificate just one year long. |
| Anchor |
|---|
| 2.3.3_add_certification_authority |
|---|
| 2.3.3_add_certification_authority |
|---|
|
2.3.3 Add Certification Authority
You might need to upload a new CA (Certification Authority) if you tried to install a Certificate which wasn't signed by an installed CA.
| Info |
|---|
By default contains a default list of pre-loaded Certification Authorities. |
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | the default CA list |
|---|
| AnchorName | clean_CA_list |
|---|
|
|
The new CA installation becomes mandatory because without a complete certificate chain the new TLS key pair would not be accepted by
. If you need to upload a new certificate, click on the
Add certification authority button above the certificate list table.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | New Certification Authority |
|---|
| AnchorName | new_CA |
|---|
|
|
You get the form shown in
which is pretty straightforward. You just have to cut 'n' paste the CA's content in the
Certificate box and click on the
Create button at the bottom.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | CA list updated |
|---|
| AnchorName | CA_list_updated |
|---|
|
|
As shown in
| Xref |
|---|
| AnchorName | CA_list_updated |
|---|
|
the Certification Authority list shows a new entry. You can check the entry by subject (which is the entity that release the certificate) and the expiry Date (that shows how long the certificate is considered valid).
2.3.4 Delete TLS key pair
In a day-by-day secure VoIP service administration it's not unusual to delete a TLS key pair. The procedure starts right at the Certificate Management page (the one shown in
| Xref |
|---|
| AnchorName | default_certificate |
|---|
|
.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | the TLS key pair list with a testing entry to be deleted |
|---|
| AnchorName | tls_key_pair_to_delete |
|---|
|
|
In
| Xref |
|---|
| AnchorName | tls_key_pair_to_delete |
|---|
|
you can see we added an entry conveniently named
testing entry to be deleted and that's what we're going to do.
| Warning |
|---|
Please make sure no services got association with the TLS entry you're going to remove, or else the deletion would fail. |
First you click on the chosen entry and get a detail of the TLS key pair (as in
| Xref |
|---|
| AnchorName | new_cert_details |
|---|
|
).
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | Update and Delete buttons |
|---|
| AnchorName | cert_update_delete_buttons |
|---|
|
|
At the bottom of the form there's one Delete button. Just press it.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | the deletion is confirmed |
|---|
| AnchorName | tls_key_pair_deleted |
|---|
|
|
Confirm the deletion in the following pop-up windows. After that you get the new TLS key pair list without the deleted entry and with a warning which explains the entry has been deleted (as in
| Xref |
|---|
| AnchorName | tls_key_pair_deleted |
|---|
|
).
2.3.5 Delete Certification Authority
You cannot edit an entry in the CA list, but you still can delete a CA and create a new one for replacement. That said, the way for deleting a CA entry is quite simple. From the CA list shown in
| Xref |
|---|
| AnchorName | CA_list_updated |
|---|
|
choose the CA you want to expunge and press the
Delete link in the last right column.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | CA's details |
|---|
| AnchorName | delete_CA_1 |
|---|
|
|
First you get a detail of the certificate you're going to delete. Just press the Delete button at the bottom and confirm your choice in the next pop up window.
| Subtitle |
|---|
| Prefix | figure |
|---|
| SubtitleText | The CA list updated and the warning |
|---|
| AnchorName | delete_CA_2 |
|---|
|
|
You receive a confirmation about the deletion in the new CA list page (shown above in
). Plus the list no more shows the deleted CA entry.