Product edition: inSync Cloud
inSync ships with a self-signed X.509 certificate in PEM format and uses it to encrypt (SSL/TLS) the transmission between the inSync server and the inSync client. The same certificate secures the inSync web pages. Because the certificate is self-signed, web browsers do not trust it, so when a browser (Internet Explorer, Firefox, etc.) connects to the inSync server, users see a warning advising them not to continue to the site unless they trust it.
To get rid of this warning, you have to install a certificate issued by a trusted Certification Authority (CA). The default certificate for inSync is stored, together with its private key, at "C:\ProgramData\Druva\inSyncCloud\inSyncServer4\inSyncServerSSL.key". It needs to be replaced by the certificate you obtain from a trusted CA such as Thawte, Verisign, etc.
This article explains how you can generate a CSR, obtain an SSL certificate from a CA and install it on the inSync server. The steps are broadly:
- Creating a CSR
- Loading the SSL certificate in the inSync server web restore portal
- Using a chained (intermediate and root) SSL certificate in the inSync server
- Generating the private key from a PFX certificate, if that is the form in which you received the certificate
What is SSL?
The Secure Sockets Layer protocol was created by Netscape to secure transactions between web servers and browsers. The protocol relies on a third party, the Certificate Authority (CA), to identify one or both ends of the connection.
To obtain an SSL certificate, you must first create two cryptographic keys: a private key and a public key. The private key must be kept private and secure; anyone who holds it can impersonate your server.
The public key does not need to be secret. It is placed, together with your server's name and organisation details, into a Certificate Signing Request (CSR). The CSR is sent to the Certification Authority, which validates your details and issues the SSL certificate.
Your server pairs the issued certificate with your private key. Only if the certificate and the private key match can inSync establish an encrypted link between the inSync server and the client.
You can use an open source tool such as OpenSSL, to create a CSR. The below section explains the steps required to generate a CSR using OpenSSL.
To generate a CSR and private key using OpenSSL:
- Install OpenSSL.
Download the latest version of OpenSSL. For Windows, go to http://slproweb.com/products/Win32OpenSSL.html to download and install it. Druva recommends downloading Win32 OpenSSL v1.1.0c (30 MB).
OpenSSL requires the Visual C++ 2008 Redistributables, which can be downloaded from the same website. OpenSSL also needs to find its configuration file: if the OPENSSL_CONF environment variable does not point to it (for example, C:\OpenSSL-Win32\bin\openssl.cfg), commands such as openssl req print the following warning:
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
- Generate a private key and a Certificate Signing Request.
After installing OpenSSL, generate the private key and the CSR (which carries the matching public key):
- Open a command prompt with administrator privileges.
- Navigate to C:\OpenSSL-Win32\bin> and run the following commands.
openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
openssl rsa -in server.key -out myserver.key
The first command creates a 2048-bit RSA private key in server.key (unencrypted, because of -nodes: the inSync service must be able to read the key without a passphrase) and the CSR server.csr signed with that key. The second command rewrites the same key in the traditional "BEGIN RSA PRIVATE KEY" form that inSync expects, as myserver.key. All three files are written to the C:\OpenSSL-Win32\bin\ directory. myserver.key is the private key: carefully protect it and refrain from disclosing it to anyone.
- Back up the private key. There is no means to recover it if it is lost, and the certificate issued for this CSR is useless without it.
- Enter details for the CSR.
The req command prompts for the Distinguished Name (DN) that identifies your server. Some fields show a default value in brackets; press Enter to accept it, or enter '.' to leave the field blank.
Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) : York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) : IT
Common Name (eg, YOUR name) : mysubdomain.mydomain.com
Email Address :
- Use the fully qualified domain name (FQDN) of the web server as the Common Name (CN).
- If the domain name is mydomain.com, append the domain to the host name to form the FQDN. The Common Name must be exactly the web address for which you plan to use the certificate, that is, the address clients type to reach inSync over SSL. If that address is secure.druva.com, ensure that the common name submitted in the CSR is secure.druva.com. A certificate whose name does not match the address in the browser produces the same kind of warning as the self-signed one.
- Current browsers match the host name against the certificate's Subject Alternative Name (SAN) extension rather than the CN, so make sure the CA includes the FQDN as a SAN in the issued certificate (public CAs normally copy the CN into the SAN; if clients use more than one name, list all of them when enrolling).
- The email address, optional company name and challenge password fields can be left blank for a server certificate.
Note: You can also use Microsoft IIS to generate a CSR and private key. See Using Microsoft IIS to Generate CSR and Private Key for detailed instructions.
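The CSR procedure above, as one script. This is an added example written for this article, not Druva's code or a command from the OpenSSL documentation: it runs the same openssl req as above, but takes the Distinguished Name from a config file instead of interactive prompts, adds a Subject Alternative Name, locks down the key file and checks the CSR before you send it. The OpenSSL install path, the openssl.cfg file name, the working folder C:\Temp\insync-ssl and the FQDN insync.example.com are assumptions; replace them with your own values.

```powershell
# Added example (not part of the original article). Run from an elevated PowerShell.
# Assumptions: OpenSSL installed under C:\OpenSSL-Win32, server FQDN insync.example.com.

$OpenSsl = 'C:\OpenSSL-Win32\bin\openssl.exe'
$Fqdn    = 'insync.example.com'          # assumption: replace with your server's FQDN
$WorkDir = 'C:\Temp\insync-ssl'          # assumption: any folder only administrators can read

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Set-Location $WorkDir

# Point OpenSSL at its config so it does not print
# "WARNING: can't open config file: /usr/local/ssl/openssl.cnf".
# (assumption: the slproweb installer's sample config lives at bin\openssl.cfg)
$env:OPENSSL_CONF = 'C:\OpenSSL-Win32\bin\openssl.cfg'

# Request config: CN is the FQDN, and the same name is repeated as a DNS SAN, because
# current browsers match the SAN list and ignore the CN.
$reqConf = @"
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = ext

[ dn ]
C  = GB
ST = Yorks
L  = York
O  = MyCompany Ltd
OU = IT
CN = $Fqdn

[ ext ]
subjectAltName = DNS:$Fqdn
"@
# Write as ASCII without a BOM: Out-File and '>' in Windows PowerShell 5.1 default to
# UTF-16, which OpenSSL cannot read.
[System.IO.File]::WriteAllText("$WorkDir\req.cnf", $reqConf, [System.Text.Encoding]::ASCII)

# Generate the 2048-bit RSA key (unencrypted, -nodes, because the inSync service must
# open it without a passphrase) and the CSR signed with it in one step.
& $OpenSsl req -new -newkey rsa:2048 -nodes -sha256 `
    -config "$WorkDir\req.cnf" -keyout server.key -out server.csr
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

# Convert to the traditional "BEGIN RSA PRIVATE KEY" form the article uses for inSync.
& $OpenSsl rsa -in server.key -out myserver.key
if ($LASTEXITCODE -ne 0) { throw 'openssl rsa failed' }

# Restrict both key files to Administrators and SYSTEM before they leave this folder.
foreach ($f in 'server.key', 'myserver.key') {
    icacls $f /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
}

# Review what you are about to send to the CA: subject, SAN and key size.
& $OpenSsl req -in server.csr -noout -text | Select-String 'Subject:|DNS:|Public-Key'

# Confirm the CSR really belongs to this key: the RSA moduli must be identical.
$csrMod = & $OpenSsl req -in server.csr -noout -modulus
$keyMod = & $OpenSsl rsa -in myserver.key -noout -modulus
if ($csrMod -ne $keyMod) { throw 'myserver.key does not match server.csr' }
Write-Host "CSR ready: $WorkDir\server.csr (submit this file's contents to the CA)"
```

Submit the contents of server.csr to the CA as described in the next section; keep myserver.key in the same folder, because the installation step needs it again.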
The following steps help you obtain the SSL certificate from your CA.
- Online enrollment: The CA website asks for the CSR. Open server.csr in a text editor, copy its entire contents (including the BEGIN and END lines) and paste them into the online enrollment form. The CA verifies your details and issues your signed SSL certificate.
- Load the SSL certificate on the inSync server as follows:
- Stop the Druva inSync Config Server, Druva inSync Control Panel and Druva inSync Sync Server services.
- Import the issued certificate into the Windows Certificate Manager (certmgr.msc) and then export it in PKCS format.
- From the Certificate Manager, export the primary (server) certificate, the intermediate certificate and the root certificate, each in Base-64 encoded X.509 (.CER) format.
- Open WordPad or Notepad++, paste the private key (from myserver.key) followed by the three certificates, and save the file as "inSyncServerSSL.key" in the following format, with the server certificate first, then the intermediate, then the root:
-----BEGIN RSA PRIVATE KEY-----
(private key from myserver.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate)
-----END CERTIFICATE-----
Make sure there are no blank lines or spaces between the blocks, and save the file as plain ASCII text, not Unicode.
- Copy inSyncServerSSL.key into the C:\OpenSSL-Win32\bin folder and test that OpenSSL can load the key and certificate from it by running:
C:\OpenSSL-Win32\bin\openssl s_server -cert inSyncServerSSL.key -www
The expected output is "ACCEPT", which means OpenSSL parsed the key and certificate and is listening on port 4433; you can browse to https://localhost:4433 to inspect the certificate it presents, then press Ctrl+C to stop the test server. An error such as "unable to load certificate" or "key values mismatch" means the file is malformed or the private key does not belong to the certificate.
- In C:\ProgramData\Druva\inSyncCloud\inSyncServer4\, rename the existing inSyncServerSSL.key to inSyncServerSSL.key.old and copy in the new inSyncServerSSL.key you created above.
- Start all the inSync services and check that the certificates have been loaded correctly: open the inSync web page in a browser, confirm the warning is gone and that the certificate shown is the CA-issued one.
Note: If your certificate was supplied as a PFX (PKCS #12) file, which bundles the certificate with its private key, and you do not have the private key as a separate file, you can extract it from the PFX as follows.
- Download OpenSSL from http://slproweb.com/products/Win32OpenSSL.html.
- Install OpenSSL.
- Copy the PFX file into the C:\OpenSSL-Win32\bin folder, open an administrator command prompt, navigate to C:\OpenSSL-Win32\bin> and run the following commands (you will be prompted for the PFX import password):
openssl pkcs12 -in <filename.pfx> -nodes -nocerts -out key.pem
openssl rsa -in key.pem -out myserver.key
The first command writes the private key unencrypted (-nodes) and leaves out the certificates (-nocerts); the second strips the PKCS #12 "Bag Attributes" header and writes the key in the "BEGIN RSA PRIVATE KEY" form that inSyncServerSSL.key requires.
NOTE: myserver.key is your private key. Delete key.pem once myserver.key exists, and protect both the PFX file and myserver.key as you would any other credential.
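The certificate-loading steps and the PFX note above, combined into one script. This is an added example written for this article, not Druva's code or part of inSync: it builds inSyncServerSSL.key from either separate PEM exports or a PFX, proves that the key matches the server certificate and that the chain verifies before anything is copied, and swaps the file in with the services stopped. The OpenSSL path, the working folder C:\Temp\insync-ssl, the input file names (server.key, server.crt, intermediate.crt, root.crt or bundle.pfx) and the use of the article's service names as Windows display names are assumptions; the target path is the one the article gives.

```powershell
# Added example (not part of the original article). Run from an elevated PowerShell.
# Assumptions: OpenSSL under C:\OpenSSL-Win32; the working folder holds either
# server.key + server.crt + intermediate.crt + root.crt (Base-64 X.509 exports) or a
# single bundle.pfx; the inSync services carry the display names used in the article.

$OpenSsl  = 'C:\OpenSSL-Win32\bin\openssl.exe'
$WorkDir  = 'C:\Temp\insync-ssl'
$Target   = 'C:\ProgramData\Druva\inSyncCloud\inSyncServer4\inSyncServerSSL.key'
$Services = 'Druva inSync Config Server', 'Druva inSync Control Panel', 'Druva inSync Sync Server'
$env:OPENSSL_CONF = 'C:\OpenSSL-Win32\bin\openssl.cfg'   # assumption: slproweb's sample config
Set-Location $WorkDir

function Invoke-OpenSsl {
    # Run openssl and abort on a non-zero exit code, so a bad file never reaches the server.
    & $OpenSsl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args -join ' ') failed" }
}

function Write-Ascii([string]$Name, [string[]]$Lines) {
    # Out-File and '>' default to UTF-16 in Windows PowerShell 5.1; OpenSSL and inSync
    # need plain ASCII PEM with no byte-order mark. .NET uses its own current directory,
    # so build an absolute path.
    $path = Join-Path $WorkDir $Name
    [System.IO.File]::WriteAllText($path, (($Lines -join "`n") + "`n"), [System.Text.Encoding]::ASCII)
}

# Path A: separate PEM files exported from Certificate Manager.
$Key, $Leaf, $CaCerts = 'server.key', 'server.crt', @('intermediate.crt', 'root.crt')

# Path B: one PFX. -nodes leaves the key unencrypted (inSync cannot supply a passphrase);
# -nokeys exports certificates only, -clcerts the server certificate, -cacerts the chain.
if (Test-Path 'bundle.pfx') {
    Invoke-OpenSsl pkcs12 -in bundle.pfx -nocerts -nodes -out key.pem
    Invoke-OpenSsl rsa -in key.pem -out $Key           # drops Bag Attributes, RSA PRIVATE KEY form
    Invoke-OpenSsl pkcs12 -in bundle.pfx -nokeys -clcerts -out $Leaf
    Invoke-OpenSsl pkcs12 -in bundle.pfx -nokeys -cacerts -out chain.crt
    Remove-Item key.pem
    $CaCerts = @('chain.crt')
}

# Check 1: the private key belongs to the server certificate (identical RSA moduli).
$keyMod  = Invoke-OpenSsl rsa  -in $Key  -noout -modulus
$certMod = Invoke-OpenSsl x509 -in $Leaf -noout -modulus
if ($keyMod -ne $certMod) { throw "$Key does not match $Leaf" }

# Check 2: the server certificate chains to the root through the intermediate(s).
Write-Ascii 'ca-bundle.crt' (Get-Content $CaCerts)
$verify = Invoke-OpenSsl verify -CAfile ca-bundle.crt $Leaf
if ($verify -notmatch ': OK$') { throw "Chain verification failed: $verify" }

# Assemble in the order inSync expects: key, server certificate, intermediate(s), root.
# Keep only the lines between BEGIN/END markers: certmgr and pkcs12 both add header
# text, and the article requires no blank lines between blocks.
$inBlock = $false
$pem = foreach ($line in (Get-Content (@($Key, $Leaf) + $CaCerts))) {
    if ($line -match '^-----BEGIN ') { $inBlock = $true }
    if ($inBlock) { $line.TrimEnd() }
    if ($line -match '^-----END ') { $inBlock = $false }
}
Write-Ascii 'inSyncServerSSL.key' $pem

# Check 3: the combined file parses as both a private key and a certificate.
Invoke-OpenSsl rsa  -in inSyncServerSSL.key -noout -check
Invoke-OpenSsl x509 -in inSyncServerSSL.key -noout -subject -enddate

# Install: stop the services, keep the old file for rollback, copy, restart, report.
Stop-Service -DisplayName $Services -Force
Copy-Item $Target "$Target.old" -Force
Copy-Item 'inSyncServerSSL.key' $Target -Force
Start-Service -DisplayName $Services
Get-Service -DisplayName $Services | Format-Table DisplayName, Status
```

The article's openssl s_server test is deliberately not in the script because it blocks while listening; run it by hand on the generated file if you want to see the certificate in a browser before installing. If any of the three checks throws, nothing has been copied and the services are still running on the old certificate; to roll back after installation, stop the services, copy inSyncServerSSL.key.old back over the target and start them again.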