Establishing Secure Connections with Browsers

For the appliance to establish secure connections with browsers, it must have certificates installed that were issued by certificate authorities which the browsers recognize.

You will want to purchase certificates from third-party certificate authorities (CAs) for most Secure Excelerator installations. A list of trusted CAs is included in your browser. For example, in Internet Explorer 5.5, you can view the list by clicking Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities.

NOTE:  As explained in Authentication Services in the Volera Excelerator 2.3 Administration Guide, you can have the appliance automatically generate certificates, or you can create them manually. However, both of these options utilize the appliance's internal CA and will result in browser messages indicating that the CA is unknown. Eliminating this message requires manually importing the appliance's trusted root certificate chain into each browser, an impractical requirement for most situations.


Preparing a Certificate Signing Request (CSR)

IMPORTANT:  You must obtain a separate appliance certificate for each Web server the appliance is accelerating.

Because obtaining certificates usually requires up to two weeks, make sure your installation timeline takes the certificate request process into account.

Prepare a CSR for each certificate by completing the following steps:

  1. In the browser-based management tool, click System > Timezone and verify that the system's timezone settings are correct.

  2. Click System > Date/Time and verify that the appliance's date and time settings are correct.

    The appliance's system time must be correct when you prepare the CSR. Errors usually indicate a discrepancy between the appliance's system time and your CA's system time.

  3. Click Home > Certificate Maintenance > Create.

  4. Type a certificate name that you can easily associate with the accelerated Web server.

    The name must contain only alphanumeric characters and no spaces.

  5. In the Subject Name field, type the Web server's DNS hostname.

  6. Click the Signature Algorithm drop-down list > select the algorithm used by the original certificate (if applicable).

    NOTE:  If the Web server is not a secure server, there is, of course, no original certificate algorithm to match.

  7. Click the RSA Key Size drop-down list > select the RSA key size used by the original certificate (if applicable).

    You cannot select a key size larger than the maximum key size on the appliance.

  8. Click Use External Certificate Authority.

  9. If you are requesting a VeriSign certificate, check the VeriSign CA checkbox. Otherwise, leave the box unchecked.

  10. If desired, type a name for your organization or division.

    This is commonly referred to as the Organizational Unit and is used to differentiate organizational divisions or to describe departments or divisions.

  11. Type the city or town where your organization does business.

    This is commonly referred to as the Locality.

  12. Type the unabbreviated name of the state or province where the organization does business.

    This is commonly referred to as the State.

  13. Type the ISO country code for the country where the organization does business.

    This is commonly referred to as the Country and must be a valid, two-character ISO country code.

  14. Click OK.

  15. Look at the Action and Status fields.

    The Action field should have red arrows on the left and the word Request displayed on a green background. The Status should be Building.

    The red arrows and green background indicate that you need to click Apply.

  16. Click Apply.

    If any errors occur during the certificate creation process, they are displayed in the Error field on a red background.

  17. If an error occurs, click Modify.

  18. In the Modify Certificate dialog box, make the changes necessary to resolve the errors > click OK.

    IMPORTANT:  You must ensure that the appliance's system time is correct both when you prepare the CSR and when you store the certificate. Errors can indicate a date/time discrepancy between the appliance and your CA.

    To check the system time in the browser-based tool, click System > Timezone and/or Date/Time.

  19. Click Apply and repeat the modification process until the Status field displays the words CSR in Progress on a yellow background.


Sending the CSR

After you have created a certificate signing request for each required certificate, you must send each request in a separate e-mail to the appropriate CA.

For each certificate, complete the following steps:

  1. To open a new browser window that displays the CSR contents, click View CSR.

  2. If you are using Internet Explorer, press F5 to reformat the window.

    IMPORTANT:  The header and trailer must be on lines separate from the body of the CSR.

    The header line will be similar to the following:

    -----BEGIN NEW CERTIFICATE REQUEST-----

    The trailer line will be similar to the following:

    -----END NEW CERTIFICATE REQUEST-----

    If required, you must use hard returns to separate these two lines from the body of the CSR.

  3. Select and copy the complete CSR text into your workstation's clipboard.

  4. Paste the CSR text from the workstation's clipboard to the e-mail message or HTML form as required by your CA.

    The method for sending the CSR will vary, depending on the authority. VeriSign, for example, uses a web page interface.

    NOTE:  If you are using Internet Explorer and the paste operation does not work in your browser, you must download and install the Microsoft virtual machine on your workstation. To obtain this component, search for Microsoft VM on the Microsoft Web site.

  5. Complete the application process required by your CA.

    IMPORTANT:  You must ask the CA to issue your certificates in Base-64 Encoded X.509 (.CER) format. Otherwise, the certificate installation instructions that follow will fail.

  6. Wait for the certificates to be returned from the external CAs.
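
The header/trailer rule in Step 2 and the Base-64 encoded X.509 requirement in Step 5 can both be checked on the workstation before anything is pasted into a CA form or into the appliance. The following Python check is an added example, not part of the Volera guide or the appliance software; its function names are hypothetical, and it assumes the standard PEM labels CERTIFICATE REQUEST and CERTIFICATE in addition to the header shown above. The sample text is constructed and is not a real request.

```python
import base64
import re

# Header/trailer: five dashes, BEGIN or END, a label, five dashes.
FRAME = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
CSR_LABELS = {"NEW CERTIFICATE REQUEST", "CERTIFICATE REQUEST"}
CERT_LABELS = {"CERTIFICATE"}  # Base-64 encoded X.509 (.CER)

def normalize_pem(text):
    """Insert hard returns so header and trailer sit on their own lines."""
    marks = list(FRAME.finditer(text))
    if [m.group(1) for m in marks] != ["BEGIN", "END"]:
        raise ValueError("expected one header followed by one trailer")
    body = "".join(text[marks[0].end():marks[1].start()].split())
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([marks[0].group(0), *wrapped, marks[1].group(0)]) + "\n"

def der_problems(der):
    """Expect one DER SEQUENCE with an exact length; catches partial copies."""
    if len(der) < 2 or der[0] != 0x30 or der[1] == 0x80:
        return ["decoded body does not start with a DER SEQUENCE"]
    n = der[1] & 0x7F if der[1] > 0x80 else 0  # number of long-form length octets
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    bad = 2 + n + length != len(der)
    return ["DER length does not match body (truncated or extra data)"] if bad else []

def check_pem(text, expected_labels):
    """Return a list of problems; an empty list means the paste is well formed."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return ["header, body and trailer are not on separate lines"]
    head, tail = FRAME.fullmatch(lines[0]), FRAME.fullmatch(lines[-1])
    problems = []
    if not head or head.group(1) != "BEGIN":
        problems.append("first line is not a header on its own line")
    elif head.group(2) not in expected_labels:
        problems.append("unexpected label: " + head.group(2))
    if not tail or tail.group(1) != "END":
        problems.append("last line is not a trailer on its own line")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return problems + ["body is not valid Base-64"]
    return problems + der_problems(der)

# Constructed sample: a 5-byte DER SEQUENCE pasted on one line, not a real request.
SAMPLE = "-----BEGIN NEW CERTIFICATE REQUEST-----MAMCAQA=-----END NEW CERTIFICATE REQUEST-----"
if __name__ == "__main__":
    print(check_pem(SAMPLE, CSR_LABELS), check_pem(normalize_pem(SAMPLE), CSR_LABELS))
```

Pass CSR_LABELS when checking the text from View CSR and CERT_LABELS when checking a certificate file returned by the CA; a binary (DER) .CER file fails the header check and has to be re-requested or re-exported in Base-64 form.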


Storing the Certificate

After the external CAs respond with the certificates for each Web server, complete the following steps for each certificate you have received:

  1. In the browser-based management tool, click System > Timezone and verify that the system's timezone settings are correct.

  2. Click System > Date/Time and verify that the appliance's date and time settings are correct.

    The appliance's system time must be correct when you store the certificates. Errors usually indicate a discrepancy between the appliance's system time and your CA's system time.

  3. In the browser-based tool, click Home > Certificate Maintenance > the name of the certificate you want to store > Store Certificate.

    NOTE:  If you requested a VeriSign certificate and you checked the VeriSign box on Step 9 under Preparing a Certificate Signing Request (CSR), you will not need to paste the VeriSign CA certificate because VeriSign certificates are already stored on the appliance. Skip to Step 7.

  4. Using Notepad, open the CA certificate you received from the CA.

    If you are using multiple CAs, ensure you use the CA certificate for the CA who issued the certificate you are storing (the name selected in Step 3).

  5. Copy the file contents to the workstation's clipboard by clicking Edit > Select All > Edit > Copy.

  6. In the browser-based tool, paste the CA certificate in the CA Certificate Contents box.

  7. Using Notepad, open the Web server certificate you received that matches the name of the certificate you are storing (the name selected in Step 3).

  8. Copy the file contents to the workstation's clipboard by clicking Edit > Select All > Edit > Copy.

  9. In the browser-based tool, click the Server Certificate Contents box.

  10. Paste the Web server certificate from the clipboard to the Server Certificate Contents box.

  11. Click Create.

  12. Look at the Action and Status fields.

    The Status should be CSR in Process.

    The Action field should have red arrows on the left and the word Create displayed on a green background. The red arrows and green background indicate that you need to click Apply.

  13. Click Apply.

  14. Check to ensure there are no errors displayed on a red background in the Error field.

  15. If the Status field displays Active and there are no errors indicated, the certificate is ready to use. Return to Step 3 and repeat the process for the next Web server certificate you need to store.

  16. If the Error field displays an error, one of the following conditions has probably occurred:

    Do the following:

    1. Verify that the appliance's system time is correct by clicking System > Timezone and/or Date/Time.

      The appliance's system time must be correct both when you prepare the CSR and when you store the certificate. Errors usually indicate a discrepancy between the appliance's system time and your CA's system time.

    2. Return to Step 3 and ensure the following:

      • The CA certificate you pasted in the CA Certificate Contents box (Step 6) matches the CA who issued the certificate you have selected in the Certificate Name list (Step 3).
      • The Web server certificate you pasted in the Server Certificate Contents box (Step 10) is the certificate received in response to the CSR request that created the entry you have selected in the Certificate Name list (Step 3).


Backing Up Your Certificates

You should always ensure that you have backup copies of all the SSL certificates used on your network. The Excelerator appliance lets you back up any certificates after you have stored them. For more information, see Backing Up a Certificate in the Volera Excelerator 2.3 Administration Guide.