Previous Page: Using and Tuning iChain Features  Next Page: User Management Servlets

Managing Appliance Certificates

The proxy server has public key infrastructure mechanisms for generating, importing, using, and maintaining public key certificates. These include:

Because the creation process is different for internal and external certificates, they are described separately in Creating Certificates Using the Appliance CA and Obtaining a Certificate from an External CA.


Naming Certificates

As you create certificates on the appliance, you should observe the following guidelines:

  1. Identify the caching service for which the certificate will be used.
  2. Pick a name for the certificate that you will easily associate with its corresponding caching service. The name must contain only alphanumeric characters and no spaces.

    For example, you might pick Foo for the name of the foo.gov Web server accelerator or Marketing for the transparent service in the marketing department.

  3. Choose the subject name that the browser expects to find in the certificate.
    • For accelerator services, the Subject Name field must contain the DNS name that users type in the browser, with the labels separated by periods (.).

      For example, the www.foo.gov Web server accelerator certificate must have a Subject Name of www.foo.gov.

    • For client accelerator and transparent services, the Subject Name field must contain the IP address on which the request is sent, for example, 110.1.1.199.
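
As an added check (example code, not part of iChain or its documentation), the following Python encodes the naming rules above so a certificate name and subject name can be validated before the certificate is created, and confirms that the subject matches the host part of the URL users will type, which is what the browser compares it against. The service labels and function names are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example: a pre-flight check for the iChain certificate naming rules.
# Not part of the product; service labels ("accelerator", "client-accelerator",
# "transparent") and function names are this example's own choices.

CERT_NAME_RE = re.compile(r"[A-Za-z0-9]+")                 # alphanumeric, no spaces
DNS_LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")  # one DNS label


def is_ip_literal(value):
    """True for an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_dns_name(value):
    """True for a multi-label DNS name such as www.foo.gov (an IP literal is not one)."""
    labels = value.rstrip(".").split(".")
    return (len(labels) >= 2
            and all(DNS_LABEL_RE.fullmatch(label) for label in labels)
            and not is_ip_literal(value))


def check_names(cert_name, service, subject):
    """Return a list of problems; an empty list means both names follow the rules."""
    problems = []
    if not CERT_NAME_RE.fullmatch(cert_name):
        problems.append("certificate name must contain only alphanumeric characters and no spaces")
    if service == "accelerator":
        if not is_dns_name(subject):
            problems.append("accelerator subject must be the DNS name, labels separated by periods")
    elif service in ("client-accelerator", "transparent"):
        if not is_ip_literal(subject):
            problems.append("client accelerator / transparent subject must be the IP address "
                            "that requests are sent to")
    else:
        problems.append("unknown service type: %r" % service)
    return problems


def subject_matches_url(subject, url):
    """True when the host a browser will type in the URL equals the certificate subject.
    Comparison is case-insensitive and ignores a trailing dot, as browsers do."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower() == subject.rstrip(".").lower()


if __name__ == "__main__":
    print(check_names("Foo", "accelerator", "www.foo.gov"))          # []
    print(check_names("Foo", "accelerator", "110.1.1.199"))          # one problem
    print(subject_matches_url("www.foo.gov", "https://www.foo.gov/"))  # True
```

Run the checks against the values you intend to type into the Create dialog; a non-empty list means the browser will not accept the certificate for that service.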


Creating Certificates Using the Appliance CA

Use the instructions in this section if you plan to configure the browsers that will access the appliance's caching services. Browsers will need to import the appliance's CA certificate in order to accept the certificates it issues as legitimate.

If this is not done, users will see certificate warnings that might confuse them. Bear in mind that a browser that trusts the appliance CA will accept any certificate that CA signs, so treat the appliance's CA private key as sensitive.

To create an appliance CA certificate:

  1. In the browser-based management tool, click Home > Certificate Maintenance > Create.

  2. Type an appropriate name for the certificate as explained in Naming Certificates.

  3. Type an appropriate subject name as explained in Naming Certificates.

  4. Click the Signature Algorithm drop-down list > select the algorithm you want to use (SHA-1 or MD-5). Choose SHA-1 rather than MD5: MD5 is collision-broken and should not be used to sign certificates.

  5. Click the RSA Key Size drop-down list > select the RSA key size that you want to use.

    You cannot select a key size larger than the maximum key size on the appliance.

  6. Check Use Local Certificate Authority.

  7. Click the Validity Period drop-down list > select the length of time that you want the certificate to be valid.

  8. Click OK.

  9. Look at the Action and Status fields.

    The Action field should have red arrows on the left and the word Create displayed on a green background. The Status should be Building.

    The red arrows and green background indicate that you need to click Apply.

  10. Click Apply.

    If any errors occur during the certificate creation process, they are displayed in the Error field on a red background.

  11. If an error occurs, click Modify.

  12. In the Modify Certificate dialog box, make the changes necessary to resolve the errors > click OK.

  13. Click Apply and repeat the modification process until the Status field displays the word Active.


Obtaining a Certificate from an External CA


Requesting the CSR

  1. In the browser-based management tool, click Home > Certificate Maintenance > Create.

  2. Type an appropriate name for the certificate as explained in Naming Certificates.

  3. Type an appropriate subject name as explained in Naming Certificates.

  4. Click the Signature Algorithm drop-down list > select the algorithm you want to use (SHA-1 or MD-5). Choose SHA-1 rather than MD5: MD5 is collision-broken, and a CA may reject a request signed with it.

  5. Click the RSA Key Size drop-down list > select the RSA key size that you want to use.

    You cannot select a key size larger than the maximum key size on the appliance.

  6. Click Use External Certificate Authority.

  7. If you are requesting a VeriSign* certificate, check the VeriSign CA check box. Otherwise, leave the box unchecked.

  8. If desired, type a name for your organization or division.

    This is commonly referred to as the Organizational Unit and is used to differentiate organizational divisions or to describe departments or divisions.

  9. Type the city or town where your organization does business.

    This is commonly referred to as the Locality.

  10. Type the unabbreviated name of the state or province where the organization does business.

    This is commonly referred to as the State.

  11. Type the International Standards Organization (ISO) country code for the country where the organization does business.

    This is commonly referred to as the Country and must be a valid, two-character ISO country code.

  12. Click OK.

  13. Look at the Action and Status fields.

    The Action field should have red arrows on the left and the word Request displayed on a green background. The Status should be Building.

    The red arrows and green background indicate that you need to click Apply.

  14. Click Apply.

    If any errors occur during the certificate request process, they are displayed in the Error field on a red background.

  15. If an error occurs, click Modify.

  16. In the Modify Certificate dialog box, make the changes necessary to resolve the errors > click OK.

  17. Click Apply and repeat the modification process until the Status field displays the words CSR in Progress on a yellow background.

    NOTE:  As an added precaution, "update clone" can be used to help safeguard the private key of the certificate until the certificate is returned and stored. After the certificate is returned and stored, it can then be backed up. "Update clone" is found in the iChain Proxy Server browser-based administration tool under System > Actions.


Sending the CSR

  1. Click View CSR to open a new browser window that displays the CSR contents.

  2. Select and copy the complete CSR text to your computer's clipboard. Internet Explorer and other browsers sometimes run the header and trailer lines together with the CSR body in between. Clicking the browser refresh/reload button often fixes the problem. If it doesn't, insert the appropriate carriage returns during the next step. After you have copied the text, you can close that browser window.

    If that does not fix the problem, you can view the source of the HTML page and copy and paste from the source instead.

  3. Paste the CSR text from the clipboard to the e-mail message or HTML form as required by your CA.

    The method for sending the CSR will vary depending on the authority. VeriSign, for example, uses a Web page interface.

    IMPORTANT:  The header and trailer must be on lines separate from the body of the CSR.

    The header line will be similar to the following:

    -----BEGIN NEW CERTIFICATE REQUEST-----

    The trailer line will be similar to the following:

    -----END NEW CERTIFICATE REQUEST-----

    If required, you must use hard returns to separate these two lines from the body of the CSR.

  4. Wait for the certificate to be returned from the external CA.
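
The header/trailer problem described above can be fixed mechanically before the CSR is sent. The following Python is an added example (not iChain code and not from this documentation): it takes text pasted from the View CSR window, puts the BEGIN and END lines on their own lines, re-wraps the body, and refuses to emit anything whose body does not decode to a DER structure. The sample paste is constructed for the example; its body is a placeholder SEQUENCE, not a real certificate request.

```python
import base64
import binascii
import re

# Added example: repair a CSR whose header and trailer were run together with the
# body when copied from the browser, and sanity-check it before sending to the CA.
# Not part of iChain. The regex tolerates the "----- BEGIN ..." spacing some
# browsers produce.

PEM_RE = re.compile(
    r"-----\s*BEGIN ([A-Z ]+?)\s*-----(.*?)-----\s*END ([A-Z ]+?)\s*-----", re.S)

# Constructed sample paste: everything on one line, as a browser may produce it.
# The body "MAMCAQU=" decodes to the bytes 30 03 02 01 05 (a minimal DER SEQUENCE),
# a placeholder and not a real certificate request.
GARBLED_PASTE = ("----- BEGIN NEW CERTIFICATE REQUEST-----MAMCAQU="
                 "-----END NEW CERTIFICATE REQUEST-----")


class CsrFormatError(ValueError):
    """Raised when the pasted text cannot be turned into a valid PEM request."""


def normalize_csr(text):
    """Return a clean PEM block: header, 64-column base64 body, trailer."""
    m = PEM_RE.search(text)
    if not m:
        raise CsrFormatError("no BEGIN/END lines found")
    begin, body, end = m.group(1).strip(), m.group(2), m.group(3).strip()
    if begin != end:
        raise CsrFormatError("header %r does not match trailer %r" % (begin, end))
    if "CERTIFICATE REQUEST" not in begin:
        raise CsrFormatError("not a certificate request: %r" % begin)
    # Drop every kind of whitespace the browser or clipboard may have inserted.
    b64 = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise CsrFormatError("body is not valid base64: %s" % exc)
    # A DER-encoded request is an ASN.1 SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise CsrFormatError("decoded body does not start with a DER SEQUENCE")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (begin, "\n".join(lines), end)


if __name__ == "__main__":
    print(normalize_csr(GARBLED_PASTE))
```

Paste the function's output, not the raw clipboard contents, into the CA's form or e-mail; the base64 and DER checks catch a truncated copy before the CA rejects it.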


Storing the Certificate

After the external CA responds with the certificate:

  1. In the browser-based tool, click Home > Certificate Maintenance > the name of the certificate you want to store > Store Certificate.

  2. In the Store Certificates dialog box, paste the CA certificate into the CA Certificate Contents box.

    NOTE:   If you requested a VeriSign certificate and you checked the VeriSign box in Step 7, the CA Certificate Contents box is dimmed. You do not need to paste the VeriSign CA certificate because VeriSign certificates are already stored on the appliance.

  3. Paste your newly issued certificate in the Server Certificate Contents box.

  4. Click Create.

  5. Look at the Action and Status fields.

    The Action field should have red arrows on the left and the word Create displayed on a green background. The Status should be CSR in Process.

    The red arrows and green background indicate that you need to click Apply.

  6. Click Apply.

    If any errors occur during the certificate creation process, they are displayed in the Error field on a red background.

  7. If an error occurs, click Store Certificate.

  8. In the Store Certificate dialog box, make sure the correct certificates are pasted in the boxes > click OK.

  9. Click Apply and repeat the modification process until the Status field displays the words Active on a green background.


Viewing (Exporting) a Certificate's CA

To view (export) the certificate authority (CA) certificate that issued a certificate:

  1. In the browser-based management tool, click Home > Certificate Maintenance > the certificate you want to export > Export CA Certificate > View Source of HTML.

    The contents of the CA certificate are displayed in a new browser window.


Modifying a Certificate

Only certificates that have an error or the status Building can be modified.

  1. In the browser-based management tool, click Home > Certificate Maintenance > the certificate you want to modify > Modify.

  2. In the Modify Certificate dialog box, make the desired changes.

  3. Click OK to accept the changed values.

  4. If the Action field displays the word Request or Create with red arrows, you must click Apply to make the changes.


Deleting a Certificate

If a certificate has expired or you are unable to resolve an error, you might want to delete a certificate.

IMPORTANT:  Use caution when deleting certificates. You should never delete system-generated certificates.

  1. In the browser-based management tool, click Home > Certificate Maintenance > a certificate you have generated that has expired or has an unresolvable error.

  2. Click Delete.

  3. In the Delete Certificate dialog box, click Yes.

  4. The certificate is removed from the certificates list.

    If you have deleted the certificate in error, click Cancel.

  5. Click Apply to remove the certificate from the appliance.

    After clicking Apply, the certificate cannot be restored unless you have created a backup copy.


Backing Up a Certificate

Only active certificates can be backed up.

  1. In the browser-based management click Home > Certificate Maintenance > the certificate you want to back up.

  2. Click Backup.

  3. In the Backup Certificate dialog box, type a password to use when restoring the certificate.

  4. In the Confirm Password field, retype the same password.

    IMPORTANT:  Although the password is optional, we strongly suggest you use one. The backup file holds the certificate's private key; if you don't enter a password, anyone who can read the file can use the certificate and impersonate the service.

  5. Check either Disk or Floppy to indicate where the backup file should be placed.

  6. Click OK.

    The Action field should display red arrows and either Backup (Disk) or Backup (Floppy) on a green background.

    If you want to cancel the backup action, click Cancel Backup by the Action field.

  7. If the Action field is green, click Apply.

The Backed Up status field for each certificate indicates whether a certificate has been backed up and where the backup file was placed (disk, floppy, or both).

If any errors occur during the backup process, they are displayed on the Error line and the background turns red.

You can then click Backup and repeat the process taking care to avoid the errors indicated.

Backed-up certificates are stored in a file named CERTIFICATE.PFX, where CERTIFICATE is the name of the certificate that was backed up.

IMPORTANT:  If the certificate was backed up to the appliance hard disk, you should transfer the file from the appliance to another secure location, or the backup copy will be lost if the appliance fails and has to be reimaged.

Certificate backup files are stored in ETC/PROXY/APPLIANCE/CONFIG/USER/CERT/BACKUP. See Using FTP for help using appliance FTP services.

If the certificate was backed up to a floppy disk, the file is in the root directory of the disk and the floppy should be stored in a safe place in case the certificate must be restored.


Restoring a Certificate

Only certificates that were previously backed up can be restored.

Prior to completing the following steps, make sure the backup file is in one of the following locations: the appliance backup directory ETC/PROXY/APPLIANCE/CONFIG/USER/CERT/BACKUP (for Disk) or the root directory of a floppy disk (for Floppy).

  1. In the browser-based management tool, click Home > Certificate Maintenance > Restore.

  2. In the Restore Certificate dialog box, type the certificate name, which is the PFX filename.

  3. Type the same password you used when creating the backup file.

  4. Click OK.

  5. Click Disk or Floppy to indicate where the backup file is.

  6. Click OK.

    The Action field should display red arrows and either Restore (Disk) or Restore (Floppy) on a green background. The Status field should display Building.

    If you want to cancel the restore action, click Cancel Restore by the Action field.

  7. Click Apply.

    If any errors occur during the restore process, they are displayed on the Error line and the background for the text will turn red.

    The only way to fix a restore error is to delete the certificate and try the restore process again.

    A restoration failure might mean that the backup file didn't exist or you had the wrong password.


Certificate Error Handling

Currently, if accelerators have mutual SSL authentication enabled (alone or combined with another authentication method) and a user presents a bad certificate (expired or revoked), the browser displays a "page not found" error. The certificate error handling feature lets administrators configure error messages that state what is wrong with the certificate. For example, if a certificate has expired, the administrator can configure an error message telling the user that the certificate has expired. This helps administrators troubleshoot certificate problems more effectively, and helps users understand why their certificate is not working.

NOTE:  In iChain 2.1, if users use mutual authentication together with another authentication method and cancel the certificate prompt or present a bad certificate, authentication fails at the mutual authentication step and they are not prompted for the other authentication method. With the certificate error handling feature turned on, users are prompted for the other authentication method, and no error page is shown for the mutual authentication failure.


Using Certificate Error Handling

To use the certificate error handling feature, on the Authentication tab, check the "Send an error page when a Mutual-SSL certificate error occurs" option, then select the language from the drop-down list (see Figure 27).

NOTE:  The certificate error handling feature applies to all accelerators. After this feature is enabled or disabled, you must restart the iChain server. The server must also be restarted after the error messages and/or error pages are changed.

Figure 27
Certificate Error Handling


Customizing Error Messages

There are two files, CRTERRPG.CFG (message file) and CRTERRPG.HTM (error page). These files are located at: SYS:\ETC\PROXY\DATA\ERRPAGE\NLS\ENGLISH.

The CRTERRPG.CFG file supplies the error status and description text that is inserted into CRTERRPG.HTM.

There are 58 messages in the CRTERRPG.CFG file. You can change the content after "Translated Message=". For messages 9 and 13, you must keep "%d", which is replaced with the error code.

The messages are paired for status and description fields in the error page. For example, message 11 (status) and message 12 (description) are shown here:

Figure 28
Original Message 11 (Status) and Message 12 (Description)

When customized, message 11 (status) and 12 (description) may look like this:

Figure 29
Customized Message 11 (Status) and Message 12 (Description)

NOTE:  Only the content following "Translated Message=" is changed.


Customizing the Error Page

To customize an error page, change the static messages in the CRTERRPG.HTM. Users can redesign their own pages as long as they use the CRTERRPG.HTM as the file name and they have <ERROR_STATUS> and <ERROR_DESCRIPTION> fields in the HTML page.


Localizing Error Messages

The current default language is English, however, users can translate error messages and the error page in other languages.

To localize error messages:

  1. In the CRTERRPG.CFG file, change the character set from ISO-8859-1 to ISO-10646-1.

  2. Translate the content after "Translated Message=" for every message (Message 1 to 14). The *_STATUS and *_DESC messages in the CRTERRPG.CFG file replace the <ERROR_STATUS> and <ERROR_DESCRIPTION> fields in the CRTERRPG.HTM file.


Localizing Error Pages

To localize an error page, translate the static messages in the CRTERRPG.HTM. Users can redesign their own pages as long as they use the CRTERRPG.HTM as the file name and they have <ERROR_STATUS> and <ERROR_DESCRIPTION> fields in the HTML page.
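
Because a mistake in CRTERRPG.CFG or CRTERRPG.HTM only shows up after the iChain server is restarted, it is worth checking the customized or localized files first. The following Python is an added example, not iChain code: it covers the message-file rules above (keep "%d" in messages 9 and 13, *_STATUS/*_DESC naming, a non-empty Translated Message), the error-page rule (both <ERROR_STATUS> and <ERROR_DESCRIPTION> must be present), and shows how the two placeholders are filled. This page does not show the exact layout of CRTERRPG.CFG, so the "[Message N] / Name= / Translated Message=" block layout and the sample file below are assumptions constructed for the example; adjust the parser to the real file.

```python
import html
import re

# Added example, not part of iChain. The block layout ([Message N], Name=,
# Translated Message=) is an ASSUMPTION: the real CRTERRPG.CFG layout is not shown
# on the documentation page. Only "Translated Message=" and "%d" come from it.

SAMPLE_CFG = """\
CharSet=ISO-8859-1
[Message 9]
Name=CERT_GENERIC_STATUS
Translated Message=Certificate error %d
[Message 10]
Name=CERT_GENERIC_DESC
Translated Message=The certificate could not be verified.
[Message 11]
Name=CERT_EXPIRED_STATUS
Translated Message=Certificate expired
[Message 12]
Name=CERT_EXPIRED_DESC
Translated Message=Your certificate has expired. Contact the help desk for a new one.
"""

# Constructed stand-in for CRTERRPG.HTM; only the two placeholders are prescribed.
SAMPLE_HTM = "<html><body><h1><ERROR_STATUS></h1><p><ERROR_DESCRIPTION></p></body></html>"

MUST_KEEP_CODE = (9, 13)   # the page says these two messages must keep "%d"
PLACEHOLDERS = ("<ERROR_STATUS>", "<ERROR_DESCRIPTION>")


def parse_cfg(text):
    """Return {number: {"name": ..., "text": ...}} for each [Message N] block."""
    messages, current = {}, None
    for line in text.splitlines():
        m = re.fullmatch(r"\[Message (\d+)\]", line.strip())
        if m:
            current = messages.setdefault(int(m.group(1)), {"name": "", "text": ""})
        elif current is not None and line.startswith("Name="):
            current["name"] = line[len("Name="):]
        elif current is not None and line.startswith("Translated Message="):
            current["text"] = line[len("Translated Message="):]
    return messages


def check_cfg(messages):
    """Return the problems a customized message file would cause; [] means OK."""
    problems = []
    for n in MUST_KEEP_CODE:
        if n in messages and messages[n]["text"].count("%d") != 1:
            problems.append("message %d must keep exactly one %%d for the error code" % n)
    for n, msg in sorted(messages.items()):
        if not msg["name"].endswith(("_STATUS", "_DESC")):
            problems.append("message %d name %r is neither *_STATUS nor *_DESC" % (n, msg["name"]))
        if not msg["text"]:
            problems.append("message %d has an empty Translated Message" % n)
    return problems


def check_htm(template):
    """Return a problem per missing placeholder; [] means the page can be used."""
    return ["CRTERRPG.HTM lacks %s" % p for p in PLACEHOLDERS if p not in template]


def render(template, status, desc, code=None):
    """Fill the two placeholders. HTML-escaping is this example's choice: a
    customized or translated message is injected into a page, so treat it as text."""
    if code is not None:
        status = status % code   # consumes the %d that messages 9 and 13 must keep
    return (template.replace("<ERROR_STATUS>", html.escape(status))
                    .replace("<ERROR_DESCRIPTION>", html.escape(desc)))


if __name__ == "__main__":
    msgs = parse_cfg(SAMPLE_CFG)
    print(check_cfg(msgs), check_htm(SAMPLE_HTM))        # [] []
    print(render(SAMPLE_HTM, msgs[11]["text"], msgs[12]["text"]))
```

Run check_cfg and check_htm over the edited files before restarting the server; an empty list from both means the customization follows the rules on this page.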


