How to Install SSL Certificate from a Trusted CA on inSync? (v5.4 and above)


inSync uses a 256-bit, SSL v3 self-signed certificate in X.509 PEM format to encrypt transmission between the inSync server and client. It also uses the certificate for the users' inSync Web page. Because this certificate is self-signed, web browsers do not trust it. So, when a client browser (IE, Firefox, etc.) connects, users get a warning prompting them not to visit the site if they do not trust it.

To get rid of this warning, you have to provide a trusted certificate from a Certification Authority (CA). The default SSL certificate for inSync is located at -


This certificate needs to be replaced by the certificate that you get from a trusted CA like Thawte, Verisign, etc.

This article explains how you can generate and install an SSL Certificate obtained from a CA on the inSync server.

What is SSL?
Creating a CSR request
Loading the SSL Certificate in inSync Server Web Restore Portal
Using Chained SSL Certificate in inSync Server

What is SSL? 

The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third-party Certificate Authority (CA) to identify one end or both ends of the transaction.

To create an SSL certificate you first create two cryptographic keys - a Private Key and a Public Key. Your Private Key must remain private and secure.

The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR). The CSR is sent to the Certification Authority, which validates your details and issues an SSL Certificate. Your server matches the issued SSL Certificate to your Private Key. If the certificate and key match, the server can establish an encrypted link between the server and the client.

Creating a CSR request

You can use the open-source tool OpenSSL to create a CSR. The following section explains the steps required to generate a CSR using OpenSSL.

Using OpenSSL to generate CSR and Private Key

The first step of enrolling for your SSL Certificate is to generate a Certificate Signing Request (CSR). A CSR is a file containing your certificate application information, including your Public Key. 

  1. Install OpenSSL

You will be required to download the latest version of OpenSSL. For Windows, go to to download and install it. 

 Note: OpenSSL requires Visual C++ 2008 Redistributables which can be downloaded from the same website.

  2. Generate a Pair of Private Key and Public Certificate Signing Request

After installing OpenSSL, you can generate a Private Key and a Public CSR. To generate a pair of Private Key and Public CSR:

  • Open a command prompt with Administrator privileges, navigate to C:\OpenSSL-Win32\bin, and run the following commands:

Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg
openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
openssl rsa -in server.key -out myserver.key

Note: If you do not set OPENSSL_CONF as shown in the first command, you will get the following error:

WARNING: can’t open config file: /usr/local/ssl/openssl.cnf 

  • This creates two files in the C:\OpenSSL-Win32\bin\ directory: myserver.key and server.csr. The file ‘myserver.key’ contains a private key, which the -nodes option leaves unencrypted on disk; do not disclose this file to anyone. Carefully protect the private key. In particular, be sure to back up the private key, as there is no means to recover it should it be lost.

The private key is used as input in the command to generate a Certificate Signing Request (CSR) file ‘server.csr’.

  3. Enter details for CSR

Enter the details to be included in your CSR. Together they are called a Distinguished Name (DN). For some fields, there will be a default value. If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []:
Email Address []:

Common Name
Use the name of the web server as the Common Name (CN). If the domain name is, append the domain to the host-name (use the fully qualified domain name, FQDN). The Common Name field should be the FQDN, or the web address for which you plan to use your Certificate, for example, the specific area of your site you wish clients to connect to using SSL.

For example, an SSL Certificate issued for will not be valid for If the web address to be used for SSL is, ensure that the common name submitted in the CSR is

The fields for email address, optional company name and challenge password can be left blank for a server certificate. 

Note: You can also use Microsoft IIS to generate a CSR and private key. Please refer to this link for detailed instructions. 

Loading the SSL Certificate in inSync Server Web Restore Portal

The CSR and Private Key are now created. You must now get the SSL certificate from your CA.

  1. Online Enrollment

On the CA website, you will be asked for the CSR details. Open ‘server.csr’ in a text editor, then copy and paste its contents into the online enrollment form. The CA will verify your details and issue your signed SSL certificate.

  2. Loading the SSL certificate on the inSync Server

After you get the signed certificate from your certifying authority, follow these steps to create a new inSyncServerSSL.key file.

  • Stop all the Druva inSync related services on the server.
On Windows
Stop the Druva inSync Master Config Server, Druva inSync Master Control Panel and Druva inSync Master Sync Server services from the services console.
On Linux
Use the following command:

/etc/init.d/inSyncMasterAll stop
  • Back up your original inSyncServerSSL.key file.
  • Copy the contents of the private key to a new inSyncServerSSL.key file and place it at /etc/inSyncCloud/inSyncServer/inSyncServerSSL.key. Then append the contents of the signed certificate file to it as follows:


<Paste RSA Private Key here>



<Paste X.509 Server Certificate Here>


  •  Save the file and exit. 
  •  Start all the inSync services and check if the certificates have been loaded correctly.

Using Chained SSL Certificate in inSync Server

For enhanced security purposes, most end-user certificates today are issued by intermediate certificate authorities. Installing a certificate signed by an intermediate CA on an inSync server usually requires installing a bundle of certificates. The bundle must include the private key, the server certificate, and the intermediate certificate, if any. The certificate chain must be loaded in the inSyncServerSSL.key file located in the C:\ProgramData\Druva\inSyncCloud\inSyncServer4\ folder. Open a text editor (such as Notepad++) and paste the entire body of each certificate into one text file in the following order:

  1. The Private Key - your_domain_name.key 
  2. The Primary Certificate - your_domain_name.pem
  3. The Intermediate Certificate - YourCA.pem
  4. The Root Certificate - TrustedRoot.pem

Note: The above names are for reference purposes. The name of the key and certificate files may differ based on your CA.

Make sure to include the beginning and end tags on each certificate. The result must be in the following format.


<Paste RSA Private Key here>



<Paste your Primary SSL certificate:  your_domain_name.pem>



<Paste your Intermediate certificate here>



<Paste your Trusted Root CA certificate here>


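Before restarting the inSync services, the file assembled in the two sections above can be checked for missing tags, block order (private key first, then certificates) and chain order (each certificate issued by the one after it). The following Python check is an added example, not Druva's code; its function names are illustrative. It assumes the standard PEM tags (such as -----BEGIN RSA PRIVATE KEY----- and -----BEGIN CERTIFICATE-----), compares issuer and subject names byte for byte, and does not verify signatures or that the key matches the certificate.

```python
# Added example, not Druva code; function names here are illustrative.
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                   # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)                 # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)               # [0] version, or serialNumber (v1)
    if tag == 0xA0:
        _, _, end = tlv(der, end)             # serialNumber
    _, _, issuer_at = tlv(der, end)           # skip signature algorithm
    _, _, issuer_end = tlv(der, issuer_at)    # issuer Name
    _, _, subject_at = tlv(der, issuer_end)   # skip validity
    _, _, subject_end = tlv(der, subject_at)  # subject Name
    return der[issuer_at:issuer_end], der[subject_at:subject_end]

def lint_bundle(text):
    """Return a list of problems in a key-plus-certificates PEM bundle."""
    blocks = PEM_RE.findall(text)
    if not blocks or len(blocks) != text.count("-----BEGIN "):
        return ["missing or mismatched BEGIN/END tags"]
    labels, problems = [label for label, _ in blocks], []
    if not labels[0].endswith("PRIVATE KEY"):
        problems.append("first block must be the private key")
    if len(labels) < 2 or set(labels[1:]) != {"CERTIFICATE"}:
        problems.append("the key must be followed only by CERTIFICATE blocks")
    try:
        names = [issuer_subject(base64.b64decode(body))
                 for label, body in blocks if label == "CERTIFICATE"]
    except (ValueError, IndexError):
        return problems + ["a certificate body is damaged (not base64 DER)"]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:    # issuer must equal next subject
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems

if __name__ == "__main__":  # usage: python lint_bundle.py inSyncServerSSL.key
    print(lint_bundle(open(sys.argv[1]).read()) or "bundle order looks consistent")
```

An empty result means the tags and ordering are consistent; it is not a substitute for confirming in a browser that the served chain is trusted after the services restart.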