75.2 Server Certificates and SSL Encryption

You should strengthen native GroupWise encryption with Secure Sockets Layer (SSL) communication between servers where GroupWise agents are installed. You can choose to purchase a server certificate from a commercial certificate authority (CA) or you can generate a self-signed certificate.

The advantage of using a self-signed certificate is that you can proceed to set up SSL immediately, without waiting to the certificate from a certificate authority. However, the first time the GroupWise client encounters the self-signed certificate, it prompts the user to accept the certificate. The advantage of a commercially generated certificate is that the GroupWise client accepts it automatically. You might choose to use a self-signed certificate initially, while you are waiting to obtain a commercially generated certificate.

If you have not already set up SSL on your system, you must complete the following tasks:

If you have already set up SSL on your system and are using it with other applications besides GroupWise, skip to Section 75.2.4, Configuring the Agents to Use SSL.

75.2.1 Purchasing a Commercially Generated Certificate

In order to purchase a commercially generated certificate, you must create a certificate signing request (CSR).

Generating a Certificate Signing Request

The certificate signing request (CSR) includes the hostname of the server where the agents run. Therefore, you must create a CSR for every server where you want the GroupWise agents to use SSL. However, all GroupWise agents running on the same server can all use the same certificate, so you do not need separate CSRs for different agents. The CSR also includes your choice of name and password for the private key file that must be used with each certificate. This information is needed when configuring the agents to use SSL.

Using the GroupWise Generate CSR Utility (GWCSRGEN)

One way to create a CSR is to use the GroupWise Generate CSR utility (GWCSRGEN). This utility takes the information you provide and creates a .csr file from which a public certificate file can be generated.

IMPORTANT:Starting in GroupWise 8.0.3 HP1, GWCSRGEN is no longer a recommended method for creating CSRs. You can still use it for convenience, but for optimum security, use a standard CSR generation method native to your operating system.

  1. Start the GroupWise Generate CSR utility.

    Linux:

    The utility (gwcsrgen) is installed to the /opt/novell/groupwise/agents/bin directory. You must be logged in as root to start the utility.

    Windows:

    The utility (gwcsrgen.exe) is located in the \admin\utility\gwcsrgen directory either in downloaded GroupWise 2012 software image or in the GroupWise software distribution directory.

    GroupWise Generate CSR utility
  2. Fill in the fields in the Private Key box. The private key information is used to create both the Private Key file and the certificate signing request file.

    Key Filename: Specify a name for the Private Key file (for example, server1.key). If you do not want the file stored in the same directory as the GWCSRGEN utility, specify a full path with the file name (for example, c:\certs\server1.key or /opt/novell/groupwise/certs/server1.key). The directory where you want to create the .key file must already exist.

    Linux:

    Use only lowercase characters.

    Windows:

    No limitations

    Key Length: The key length can be 1024, 2048, or 4096. The default is 1024.

    Key Password: Specify the password for the private key. The password can be up to 256 characters (single-byte environments).

    Verify Password: Specify the password again.

  3. Fill in the fields in the Certificate Signing Request box.

    CSR Filename: Specify a name for the certificate signing request file (for example, server1.csr). If you don’t want the file created in the same directory as the GWCSRGEN utility, specify a full path with the file name (for example, c:\certs\server1.csr or /opt/novell/groupwise/certs/server1.csr). The directory where you want to create the .csr file must already exist.

    Linux:

    Use only lowercase characters.

    Windows:

    No limitations

  4. Fill in the fields in the Required Information box. This information is used to create the certificate signing request file. You must fill in all fields to generate a valid CSR file.

    Country: Specify the two-letter abbreviation for your country (for example, US).

    State/Province: Specify the name of your state or province (for example, Utah). Use the full name. Do not abbreviate it.

    City: Specify the name of your city (for example, Provo).

    Organization: Specify the name of your organization (for example, Novell, Inc.).

    Division: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).

    Hostname of Server: Specify the DNS hostname of the server where the server certificate will be used (for example, dev.provo.novell.com).

  5. Click Create to generate the CSR file and Private Key file.

    The CSR and Private Key files are created with the names and in the locations you specified in the Key Filename and CSR Filename fields.

  6. Skip to Submitting the Certificate Signing Request to a Certificate Authority.

For convenience, if you need to generate multiple certificates, you can record the information for the fields listed in Using the GroupWise Generate CSR Utility (GWCSRGEN) in a configuration file so that the information is automatically provided whenever you run the GroupWise Generate CSR utility. The configuration file must have the following format:

[Private Key]
Location = 
Extension = key

[CSR]
Location = 
Extension = csr

[Required Information]
Country = 
State = 
City = 
Organization = 
Division = 
Hostname = 

If you do not want to provide a default for a certain field, insert a comment character (#) at the beginning of that line. Name the file gwcsrgen.cnf. Save the file in the same directory where the utility is installed:

Linux:

/opt/novell/groupwise/agents/bin

Windows:

\grpwise\software\admin\utility\gwcsrgen

Linux: Using OpenSSL

For background information, see HOWTO Certificates.

  1. Open a terminal window, because root, and change to a convenient directory where you want to create the CSR.

  2. Enter the following command to create a private key file:

    openssl genrsa -out key_file_name.key 2048
    

    Replace key_file_name.key with a convenient name for the private key file, such as gw.key.

  3. Create the CSR:

    1. Enter the following command:

      openssl req -new key_file_name.key -out csr_file_name.csr
      

      Replace key_file_name.key with the key file that you created in Step 2.

    2. Enter the two-letter code for your country, such as US for the United States, DE for Germany, and so on.

    3. Enter your state or province.

    4. Enter your city.

    5. Enter the name of your company or organization.

    6. Enter your department or other organizational unit.

    7. Enter the fully qualified domain name of the server for which you are obtaining a certificate, such as gw3.novell.com.

    8. Enter the email address of a contact person for that server.

    9. (Optional) Enter a password for the CSR.

    10. (Optional) Enter a secondary name for your company or organization.

  4. Skip to Submitting the Certificate Signing Request to a Certificate Authority.

Windows Server 2008: Using IIS Manager
  1. Open IIS Manager.

  2. In the Connections pane, click the server to display the server Home view.

  3. In the Features View, double-click Server Certificate.

  4. In the Actions pane, click Create Certificate Request.

    Request Certificate dialog box
  5. In the Common Name field, specify the fully qualified domain name of the server for which you are obtaining a certificate, such as gw3.novell.com.

  6. Fill in the rest of the fields with the requested information, then click Next.

  7. The default cryptographic service provider and bit length are acceptable, so click Next.

  8. Specify a name for the CSR file, such as gw.csr, then click Finish.

    If you do not specify a full path name, the CSR file is created in the c:\Windows\System32 directory.

  9. Skip to Submitting the Certificate Signing Request to a Certificate Authority.

Windows Server 2003: Using Internet Information Services
  1. In the Control Panel, click Administrative Tools > Internet Information Services.

  2. Right-click a Web site, then click Properties.

  3. On the Directory Security tab, click Server Certificate, then click Next.

  4. Select Create a new certificate, then click Next.

  5. Select Prepare the request now, but send it later, then click Next.

  6. Specify an identifying name for the certificate, then click Next.

  7. Specify your company name and department name, then click Next.

  8. Specify the fully qualified domain name of the server for which you are obtaining a certificate, such as gw3.novell.com, then click Next.

  9. Specify the location of your company, then click Next.

  10. Specify a name for the CSR file, such as gw.csr, then click Next.

    If you do not specify a full path name, the CSR file is created in the c:\Windows\System32 directory.

  11. Review the information that you have provided, then click Next to create the CSR file.

  12. Continue with Submitting the Certificate Signing Request to a Certificate Authority.

Submitting the Certificate Signing Request to a Certificate Authority

To obtain a server certificate, you can submit the certificate signing request (server_name.csr file) to a certificate authority. If you have not previously used a certificate authority, you can use the keywords “certificate authority” to search the Web for certificate authority companies.

The process of submitting the CSR varies from company to company. Most provide online submission of the request. Follow their instructions for submitting the request. The certificate authority must be able to provide the certificate in Base64/PEM or PFX format.

75.2.2 Generating a Self-Signed Certificate

There are several ways to generate a self-signed certificate:

Using ConsoleOne on Windows or Linux

The Novell Certificate Server, which runs on a NetWare server with Novell eDirectory, enables you to establish your own Certificate Authority and issue server certificates for yourself. For complete information, see the Novell Certificate Server Web site.

To quickly create your own public certificate in ConsoleOne:

  1. Click Help > About Snapins to see if the Certificate Server snap-in to ConsoleOne is installed.

    If you need to install the snap-in on Linux, it is available in the version of ConsoleOne provided in the consoleone subdirectory in the downloaded GroupWise 8 software image. It is called the PKI Snapin.

    If you need to install the snap-in on Windows, you can download the snap-ins for Windows ConsoleOne from the Novell Downloads site.

    NOTE:You can create a server certificate in Novell iManager, as well as in ConsoleOne, using steps similar to those provided below.

  2. Browse to and select the container where your Server object is located.

  3. Click Tools > Issue Certificate, then in the Filename field, browse to and select the CSR file created in Generating a Certificate Signing Request.

    CSR Filename page
  4. Click Next.

    By default, your own organizational certificate authority signs the request.

  5. Click Next.

    Key Information page
  6. In the Type box, select Custom.

  7. In the Key Usage box, select all three usage options.

  8. Click Next.

  9. In the Validity Period field, select the length of time you want the certificate to be valid.

    You might want to change the setting to a longer period of time to best meet the needs of your organization.

  10. Click Next, view the summary information, then click Finish.

  11. Select File in Base64 Format.

    Save Certificate page
  12. Specify the path and filename for the certificate.

    NetWare:

    Filenames can consist of up to 8 characters, with extensions of up to 3 characters.

    Linux:

    Use only lowercase characters.

    Windows:

    No limitations

    You can retain the .b64 extension or use the more general .crt extension.

  13. Click Save.

Using YaST on Linux

  1. On the Linux server desktop, click Computer > YaST, then enter the root password.

  2. Click Security and Users > CA Management.

  3. If you did not create the YaST_Default_CA during the installation of Linux on the server:

    1. Click Import CA, specify the name and location of an existing CA, click OK, then skip to Step 4.

      or

      Click Create Root CA, then continue with Step 3.b.

    2. Fill in the following fields:

      CA Name: Specify the name of the CA certificate.

      Common Name: Specify the name of the Certificate Authority.

      Organization: Specify the name of your organization (for example, Novell, Inc.).

      Organizational Unit: Specify your organization’s division that this certificate is being issued to (for example, Novell Product Development).

      Locality: Specify the name of your city or other regional division (for example, Provo).

      State: Specify the name of your state (for example, Utah). Use the full name. Do not abbreviate it.

      Country: Select the name of your country (for example, USA).

    3. Click Next.

    4. Specify and verify the certificate password, then click Next.

    5. Click Create to create the root Certificate Authority on the server.

  4. After you have a Certificate Authority on the Linux server:

    1. Select YaST_Default_CA or the CA you just created, click Enter CA, specify the CA password, then click OK.

    2. On the Certificates tab, click Export > Export to File.

    3. Select Certificate and the Key Encrypted in PEM Format.

    4. Specify the certificate password and, if desired, specify and verify a new password for the new certificate file.

    5. Browse to and select the directory where you want to create the certificate file, then specify the filename for the certificate, adding a .pem extension.

    6. Click OK to create the certificate file, then click OK again to confirm.

    7. Exit from YaST.

  5. In a terminal window, log in as root, then separate the .pem file created by YaST into a .crt file and a .key file, as required by GroupWise:

    1. Use a text editor such as gedit to open the .pem file.

    2. Select and copy the BEGIN CERTIFICATE line through the END CERTIFICATE line into a new file, name it the same as the server name, and add a .crt extension to the filename when you save it.

    3. Select and copy the BEGIN RSA PRIVATE KEY line through the END RSA PRIVATE KEY line into a new file, name it the same as the server name, and add a .key extension to the filename when you save it.

    4. Exit the text editor.

Using the openssl Command on Linux

A convenient way to create a certificate from the Linux command line is to use the openssl command, as described in HOWTO Keys.

75.2.3 Installing the Certificate on the Server

After processing your CSRs, the Certificate Authority sends you a public certificate (server_name.b64) file for each CSR. You might need to extract the private key from the public certificate. The private key file might have an extension such as .pem or .pfx. The extension is unimportant as long as the file format is correct.

If you used the Issue Certificate feature in ConsoleOne, as described in Section 75.2.2, Generating a Self-Signed Certificate, it generated the public certificate file (server_name.b64) and private key file (server_name.key).

Copy the files to any convenient location on each server. The location must be accessible to the GroupWise agents that run on the server.

75.2.4 Configuring the Agents to Use SSL

To configure the agents to use SSL you must first enable them for SSL and then provide certificate and key file information. For detailed instructions, see the following sections: