7.4 Digital Certificates

The Novell Appliance ships with a self-signed digital certificate. Instead of using this self-signed certificate, you should use a trusted server certificate that is signed by a trusted certificate authority (CA) such as VeriSign or Equifax.

The certificate works for both the Novell iPrint Appliance and the iPrint remote renderer (ports 9443 and 8443). You do not need to update your certificate when you update the iPrint Appliance software.

Complete the following sections to change the digital certificate for your Novell Appliance. You can use the digital certificate tool to create your own certificate and then have it signed by a CA, or you can use an existing certificate and key pair if you have one that you want to use.

7.4.1 Using the Digital Certificate Tool

Creating a New Self-Signed Certificate

On a Web browser, use either the DNS name or the IP address to access the Management Console. For example, https://10.0.0.1:9443 or https://iprint.example.com:9443.
Click the Appliance System Configuration icon.
Click Digital Certificates.
In the Key Store drop-down list, ensure that Web Application Certificates is selected.
Click File > New Certificate (Key Pair), then specify the following information:

Alias: Specify a name that you want to use to identify and manage this certificate.

Validity (days): Specify how long you want the certificate to remain valid.

Key Algorithm: Select either RSA or DSA.

Key Size: Select the desired key size.

Signature Algorithm: Select the desired signature algorithm.

Common Name (CN): This must match the server name in the URL in order for browsers to accept the certificate for SSL communication.

Organizational Unit (OU): (Optional) Small organization name, such as a department or division. For example, Purchasing.

Organization (O): (Optional) Large organization name. For example, Novell, Inc.

City or Locality (L): (Optional) City name. For example, Provo.

State or Province (ST): (Optional) State or province name. For example, Utah.

Two-letter Country Code (C): (Optional) Two-letter country code. For example, US
Click OK to create the certificate.

After the certificate is created, it is self-signed.
Make the certificate official, as described in Getting Your Certificate Officially Signed.

Getting Your Certificate Officially Signed

On the Digital Certificates page, select the certificate that you just created, then click File > Certificate Requests > Generate CSR.

NOTE:Web Application Certificates should be selected in key store for selecting a certificate for officially sign the certificate.
Complete the process of emailing your digital certificate to a certificate authority (CA), such as Verisign.

The CA takes your Certificate Signing Request (CSR) and generates an official certificate based on the information in the CSR. The CA then mails the new certificate and certificate chain back to you.
After you have received the official certificate and certificate chain from the CA:
1. Revisit the Digital Certificates page.
2. Click File > Import > Trusted Certificate. Browse to the trusted certificate chain that you received from the CA, then click OK.
3. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.
4. Browse to and upload the official certificate to be used to update the certificate information.
  
  On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.
Activate the certificate, as described in Section 7.4.3, Activating the Certificate.

7.4.2 Using an Existing Certificate and Key Pair

When you use an existing certificate and key pair, use a .P12 key pair format.

Go to the Digital Certificates page by clicking Digital Certificates from the Novell Appliance Configuration.
On the Digital Certificates page, in the Key Store drop-down menu, select JVM Certificates.
Click File > Import > Trusted Certificate. Browse and select your existing certificate, then click OK.
Click File > Import > Trusted Certificate. Browse and select your existing certificate chain for the certificate that you selected in Step 3, then click OK.
Click File > Import > Key Pair, then browse to and select your .P12 key pair file, specify your password if needed, then click OK.
Continue with Section 7.4.3, Activating the Certificate.

7.4.3 Activating the Certificate

On the Digital Certificates page, in the Key Store drop-down menu, select Web Application Certificates.
Select the certificate that you want to make active, click Set as Active, then click Yes.
Verify that the certificate and the certificate chain were created correctly by selecting the certificate, then clicking View Info.

NOTE:When you activate a certificate, the Set as Active button might still be enabled for that certificate. You can ignore it, as it does not affect the certificate activation.

7.4.4 Managing Certificates

All certificates that are included with the IBM Java package that is bundled with the version of SLES that iPrint Appliance ships with, are installed when you install iPrint Appliance.

You can use the Digital Certificates tool on the iPrint Appliance to remove certificates that are not used by your organization, if you are concerned about keeping them.

Also, you can use the Digital Certificates tool on the iPrint Appliance to maintain the certificate store by removing certificates that have expired and then installing new certificates as needed, according to your organization’s security policies.

To access the Digital Certificates tool:

Click Digital Certificates in the Novell Appliance Configuration page.

iPrint Appliance uses only the certificates that relate to LDAP and SMTP. In the Key Store drop-down menu, under Web Application Certificates, a self-signed certificate is displayed. This certificate is required for iPrint Appliance, and must not be deleted.

In the Key Store drop-down menu, under JVM Certificates, you can delete all the certificates except the edir_root_ca certificate, and any other LDAP or SMTP certificates that you might have imported.