90.2 Server Certificates and SSL Encryption

You should strengthen native GroupWise encryption with Secure Sockets Layer (SSL) communication between servers where GroupWise agents are installed. You can choose to purchase a server certificate from a commercial certificate authority (CA) or you can use a self-signed certificate provided by the GroupWise certificate authority.

The advantage of using a self-signed certificate is that you can proceed to set up SSL immediately, without waiting for the certificate from a certificate authority. However, the first time the GroupWise client encounters the self-signed certificate, it prompts the user to accept the certificate. The advantage of a commercially generated certificate is that the GroupWise client accepts it automatically. You might choose to use a self-signed certificate initially, while you are waiting to obtain a commercially generated certificate.

If you have not already set up SSL on your system, obtain a certificate for each GroupWise server, then configure the agents to use SSL:

If you have already set up SSL on your system and are using it with other applications in addition to GroupWise, skip to Section 90.2.3, Configuring the Agents to Use SSL.

90.2.1 Using a Self-Signed Certificate from the GroupWise Certificate Authority

The GroupWise certificate authority is managed by using the GroupWise Administration Utility (GWAdminUtil). Use the following commands:

| Task | GroupWise Admin Utility Command |
|------|---------------------------------|
| Generate a new server certificate for a domain server | gwadminutil ca -i /path_to_domain_folder |
| Generate a new server certificate for a post office server | gwadminutil ca -i /path_to_domain_folder |
| List existing certificates and serial numbers | gwadminutil ca -l |
| Display detailed information about a certificate | gwadminutil ca -p serial_number |
| Revoke a certificate | gwadminutil ca -r serial_number |

For more information, see gwadminutil ca in the GroupWise 2014 R2 Utilities Reference.

90.2.2 Using a Commercially Signed Certificate

In order to purchase a commercially signed certificate, you must create a certificate signing request (CSR).

Generating a Certificate Signing Request

The certificate signing request (CSR) includes the hostname of the server where the agents run. Therefore, you must create a CSR for every server where you want the GroupWise agents to use SSL. However, all GroupWise agents running on the same server can use the same certificate, so you do not need separate CSRs for different agents. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the agents to use SSL.

Linux: Using OpenSSL

For background information, see HOWTO Certificates.

  1. Open a terminal window, become root, and change to a convenient folder where you want to create the CSR.

  2. Enter the following command to create a private key file:

    openssl genrsa -out key_file_name.key 2048
    

    Replace key_file_name.key with a convenient name for the private key file, such as gw.key.

  3. Create the CSR:

    1. Enter the following command:

      openssl req -new -key key_file_name.key -out csr_file_name.csr
      

      Replace key_file_name.key with the key file that you created in Step 2.

    2. Enter the two-letter code for your country, such as US for the United States, DE for Germany, and so on.

    3. Enter your state or province.

    4. Enter your city.

    5. Enter the name of your company or organization.

    6. Enter your department or other organizational unit.

    7. Enter the fully qualified domain name of the server for which you are obtaining a certificate, such as gw3.novell.com.

    8. Enter the email address of a contact person for that server.

    9. (Optional) Enter a password for the CSR.

    10. (Optional) Enter a secondary name for your company or organization.

  4. Skip to Submitting the Certificate Signing Request to a Certificate Authority.
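
The key and CSR steps above can be scripted and checked before the request is sent to a certificate authority. The following is an added example, not part of the GroupWise documentation: the function names and the subject values (country, state, city, organization, unit) are placeholders, and gw3.novell.com is the sample hostname used on this page.

```shell
#!/bin/sh
# Added example, not from the GroupWise documentation.
# Subject values are placeholders; gw3.novell.com is this page's sample host.

# make_csr FQDN KEY_FILE CSR_FILE
# Steps 2 and 3 without prompts: -subj answers the country/state/city/
# organization/unit/hostname questions that openssl req would otherwise ask.
make_csr() {
    # umask 077 makes the private key readable by its owner only.
    ( umask 077 && openssl genrsa -out "$2" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$2" -out "$3" \
        -subj "/C=US/ST=Utah/L=Provo/O=Example Org/OU=IT/CN=$1"
}

# check_csr FQDN KEY_FILE CSR_FILE
# Prints OK and returns 0 only if the CSR is intact, belongs to KEY_FILE,
# names FQDN as its common name, and carries a key of at least 2048 bits.
check_csr() {
    openssl req -in "$3" -noout -verify 2>&1 | grep -q "verify OK" \
        || { echo "CSR signature invalid"; return 1; }

    # The public key in the CSR must be the one derived from the key file.
    [ "$(openssl pkey -in "$2" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$3" -noout -pubkey)" ] \
        || { echo "CSR was not created from $2"; return 1; }

    cn=$(openssl req -in "$3" -noout -subject -nameopt multiline \
         | sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$1" ] || { echo "common name is '$cn', expected '$1'"; return 1; }

    bits=$(openssl req -in "$3" -noout -text \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key is only ${bits:-0} bits"; return 1; }

    echo OK
}

# Usage: sh make_csr.sh gw3.novell.com gw.key gw.csr
if [ $# -eq 3 ]; then
    make_csr "$@" && check_csr "$@"
fi
```

Run the check on each server's CSR before submission; a common name that does not match the server's fully qualified domain name, or a CSR paired with the wrong key file, is caught here rather than after the certificate has been issued.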

Windows Server 2008/2012: Using IIS Manager

  1. Open IIS Manager.

  2. In the Connections pane, click the server to display the server Home view.

  3. In the Features View, double-click Server Certificates.

  4. In the Actions pane, click Create Certificate Request.

  5. In the Common Name field, specify the fully qualified domain name of the server for which you are obtaining a certificate, such as gw3.novell.com.

  6. Fill in the rest of the fields with the requested information, then click Next.

  7. The default cryptographic service provider and bit length are acceptable, so click Next.

  8. Specify a name for the CSR file, such as gw.csr, then click Finish.

    If you do not specify a full path name, the CSR file is created in the c:\Windows\System32 folder.

  9. Continue with Submitting the Certificate Signing Request to a Certificate Authority.

Submitting the Certificate Signing Request to a Certificate Authority

To obtain a server certificate, you can submit the certificate signing request (server_name.csr file) to a certificate authority. If you have not previously used a certificate authority, you can use the keywords “certificate authority” to search the web for certificate authority companies.

The process of submitting the CSR varies from company to company. Most provide online submission of the request. Follow their instructions for submitting the request. The certificate authority must be able to provide the certificate in Base64/PEM or PFX format.

90.2.3 Configuring the Agents to Use SSL

To configure the agents to use SSL you must first enable them for SSL and then provide certificate and key file information. For detailed instructions, see the following sections: