
Druva Documentation

How to Install SSL Certificate from a Trusted CA

Summary

inSync uses a 256-bit, SSL v3 self-signed certificate in X.509 PEM format to encrypt transmission between the inSync server and client. It also uses the certificate for the users' inSync Web page. Because this certificate is self-signed, it is not trusted by web browsers, so when a client browser (IE, Firefox, etc.) connects, users get a warning advising them not to visit the site if they do not trust it.

To remove this warning, you have to install a trusted certificate from a Certification Authority (CA). The default SSL certificate for inSync is located at “C:\inSyncServer4\inSyncServerSSL.key”. It needs to be replaced by the certificate you obtain from a trusted CA such as Thawte, Verisign, etc.

If you want to enable secure access to the Admin Web panel, the certificate must also be loaded into the “C:\inSyncServer4\inSyncWebPanelSSL.key” file.

This article explains how you can generate and install an SSL Certificate obtained from a CA on the inSync server.

What is covered:

What is SSL?
Creating a CSR request
Loading the SSL Certificate in inSync Server Web Restore Portal
Using Chained SSL Certificate in inSync Server

What is SSL? 

The Secure Socket Layer (SSL) protocol was created by Netscape to secure transactions between web servers and browsers. The protocol uses a third-party Certificate Authority (CA) to identify one or both ends of the transaction.

To create an SSL certificate you first create two cryptographic keys: a Private Key and a Public Key. Your Private Key must remain private and secure.

The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR). The CSR is sent to the Certification Authority, which validates your details and issues an SSL Certificate. Your server matches the issued SSL Certificate to your Private Key; if the certificate and key match, an encrypted link can be established between the server and the client.

Creating a CSR request

We can use the open-source tool OpenSSL to create a CSR. The section below explains the steps required to generate a CSR using OpenSSL.

Using OpenSSL to Generate CSR and Private Key

The first step of enrolling for your SSL Certificate is to generate a Certificate Signing Request (CSR). A CSR is a file containing your certificate application information, including your Public Key. 

1. Install OpenSSL

You will be required to download the latest version of OpenSSL. For Windows, go to http://slproweb.com/products/Win32OpenSSL.html to download and install it. 

Note: OpenSSL requires the Visual C++ 2008 Redistributables, which can be downloaded from the same website.

Note: The commands in step 2 first set the OPENSSL_CONF environment variable. If it is not set, OpenSSL reports the following error: WARNING: can’t open config file: /usr/local/ssl/openssl.cnf

2. Generate a Pair of Private Key and Public Certificate Signing Request

After installing OpenSSL, you can generate a Private Key and a Public CSR. To generate the pair:

A. Open a command prompt with Administrator privileges, navigate to C:\OpenSSL-Win32\bin, and run the following commands:

Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg
openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
openssl rsa -in server.key -out myserver.key

B. This creates two files in the C:\OpenSSL-Win32\bin\ directory: myserver.key and server.csr. The file ‘myserver.key’ contains the private key; do not disclose this file to anyone. Carefully protect the private key. In particular, be sure to back up the private key, as there is no means to recover it should it be lost.

The private key is used as input in the command that generates the Certificate Signing Request (CSR) file ‘server.csr’. The third command rewrites the key in traditional PEM format, so that (with OpenSSL 1.x) the file starts with the BEGIN RSA PRIVATE KEY header used in the templates later in this article.

3. Enter Details for CSR

You will now be prompted for the details that go into your CSR. What you enter is called a Distinguished Name (DN). Some fields have a default value; enter '.' to leave a field blank.

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:

Common Name

Use the name of the web server as the Common Name (CN). If the domain name is mydomain.com, append the domain to the host name, that is, use the fully qualified domain name (FQDN). The Common Name field must be the FQDN or web address for which you plan to use your Certificate, for example the specific area of your site that clients will connect to using SSL.

For example, an SSL Certificate issued for druva.com will not be valid for secure.druva.com. If the web address to be used for SSL is secure.druva.com, ensure that the common name submitted in the CSR is secure.druva.com.
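The rule in the previous paragraph (a certificate for druva.com does not cover secure.druva.com) is the browser-side name check that produces the warning this article is about. As an added example, not part of the Druva article, here is a small Python name matcher that applies that rule and goes one step further than the text by also handling wildcard names the way browsers do (the wildcard must be the whole leftmost label and covers exactly one label). The function name and the wildcard handling are my own choices; the article only discusses plain FQDNs.

```python
"""Does a certificate name (CN or SAN DNS name) cover a host name?
Added example; the wildcard rules follow RFC 6125 style matching as browsers apply it."""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (e.g. 'secure.druva.com' or '*.druva.com') covers hostname.
    Comparison is case-insensitive; a trailing dot is ignored on both sides."""
    cert_name = cert_name.strip().rstrip(".").lower()
    hostname = hostname.strip().rstrip(".").lower()
    if not cert_name or not hostname:
        return False
    # Plain name: must be an exact match, so druva.com never covers secure.druva.com.
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, must be followed by at least two
    # labels (no '*.com'), and matches exactly one label of the host.
    if cert_labels[0] != "*" or len(cert_labels) < 3 or len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


if __name__ == "__main__":
    for name, host in [("druva.com", "secure.druva.com"),
                       ("secure.druva.com", "secure.druva.com"),
                       ("*.druva.com", "secure.druva.com"),
                       ("*.druva.com", "a.b.druva.com")]:
        print(f"{name:20} covers {host:20}: {hostname_matches(name, host)}")
```

Run the check against the CN you intend to submit and every host name users will type; if any pair returns False, the browser will warn for that address even after the CA-signed certificate is installed.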

The fields for email address, optional company name and challenge password can be left blank for a server certificate. 

Note: You can also use Microsoft IIS to generate a CSR and private key. Please refer to the below article for detailed instructions. 

Using Microsoft IIS to Generate CSR and Private Key 

Loading the SSL Certificate in inSync Server Web Restore Portal

The CSR and Private Key are now created. Next, obtain the signed SSL certificate from your CA.

1. Online Enrollment

On the CA website, you will be requested for CSR details. Open the ‘server.csr’ in a text editor and copy and paste the contents into the online enrollment form. The CA will verify your details, and issue your signed SSL certificate.

2. Loading the SSL certificate on the inSync Server. 

Once you get the signed certificate from your certifying authority, follow these steps to create the new inSyncServerSSL.key and inSyncWebPanelSSL.key files.

a: Stop the Druva inSync Server, Druva inSync Server Control Panel and Druva inSync Share Control Panel services.

b: Back up your original inSyncServerSSL.key and inSyncWebPanelSSL.key files.

c: Copy the contents of the private key from C:\OpenSSL-Win32\bin\myserver.key to C:\inSyncServer4\inSyncServerSSL.key and append the contents of the signed certificate file to it as follows:

-----BEGIN RSA PRIVATE KEY-----

<Paste RSA Private Key here>

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

<Paste X.509 Server Certificate Here>

-----END CERTIFICATE-----

d: Save the file and exit.

e: Replace the content of inSyncWebPanelSSL.key with the contents of the inSyncServerSSL.key file to load the SSL certificate for Web panel access.

f: Start all the inSync services and check that the certificates have been loaded correctly.

Using Chained SSL Certificate in inSync Server

For enhanced security, most end-user certificates today are issued by intermediate certificate authorities. Installing an intermediate-CA-signed certificate on an inSync server usually requires installing a bundle of certificates: the private key, the server certificate, and the intermediate certificate(s), if any. The certificate chain is loaded into the inSyncServerSSL.key and inSyncWebPanelSSL.key files in the C:\inSyncServer4 folder. Open a text editor (such as Notepad++) and paste the entire body of each certificate into one text file in the following order:

  1. The Private Key - your_domain_name.key 
  2. The Primary Certificate - your_domain_name.pem
  3. The Intermediate Certificate - YourCA.pem
  4. The Root Certificate - TrustedRoot.pem

Note: The above names are for reference purposes. The name of the key and certificate files may differ based on your CA.

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN RSA PRIVATE KEY-----

<Paste RSA Private Key here>

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

<Paste your Primary SSL certificate:  your_domain_name.pem>

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

<Paste your Intermediate certificate here>

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

<Paste your Trusted Root CA certificate here>

-----END CERTIFICATE-----
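Both the single-certificate file in step 2c above and the chained bundle just shown are assembled by hand, which is where mismatched BEGIN/END tags, a truncated paste, or a certificate placed before the key slip in unnoticed until the service fails to start. As an added example (my own code, not Druva's tooling or the article's own files), here is a Python script that builds the bundle from a key file and one or more certificate files, checks that every BEGIN/END pair matches and every body is valid base64, confirms that exactly one private key comes first and only CERTIFICATE blocks follow, and, if the openssl CLI is on PATH, compares the modulus of the key with that of the first certificate so a key/certificate mismatch is caught before the services are restarted. The sample PEM blocks are constructed placeholders (base64 of plain text, not real key material); the function names and the acceptance of the PKCS#8 "PRIVATE KEY" header alongside "RSA PRIVATE KEY" are my assumptions.

```python
"""Assemble the inSync SSL bundle (private key + certificate chain) and sanity-check it.
Added example with constructed sample data; not the article's or Druva's own code."""
import base64
import binascii
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

# A PEM block is "-----BEGIN X-----", a base64 body, "-----END X-----".
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)
# "RSA PRIVATE KEY" is what the article's "openssl rsa" step writes with OpenSSL 1.x;
# "PRIVATE KEY" is the PKCS#8 header newer OpenSSL versions write (assumption: accepted too).
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}


def parse_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64 body) for each PEM block in file order.
    Raises ValueError on a mismatched BEGIN/END pair or a body that is not base64."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"mismatched tags: BEGIN {begin} / END {end}")
        # Blank lines pasted around the body (as in the article's template) are harmless;
        # the payload itself must still decode as base64.
        compact = "".join(body.split())
        try:
            base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin} block is not valid base64: {exc}") from exc
        blocks.append((begin, compact))
    return blocks


def build_bundle(key_pem: str, cert_pems: List[str]) -> str:
    """Concatenate key and certificates in the order the article requires:
    private key, server certificate, intermediate(s), root."""
    key_blocks = parse_pem_blocks(key_pem)
    if len(key_blocks) != 1 or key_blocks[0][0] not in KEY_LABELS:
        raise ValueError("key file must contain exactly one private key block")
    if not cert_pems:
        raise ValueError("at least the server certificate is required")
    parts = [key_pem.strip()]
    for pem in cert_pems:
        labels = [label for label, _ in parse_pem_blocks(pem)]
        if not labels or any(label != "CERTIFICATE" for label in labels):
            raise ValueError("certificate files may only contain CERTIFICATE blocks")
        parts.append(pem.strip())
    return "\n".join(parts) + "\n"


def check_bundle_order(bundle: str) -> bool:
    """True if the bundle is exactly one private key followed by one or more certificates."""
    labels = [label for label, _ in parse_pem_blocks(bundle)]
    return len(labels) >= 2 and labels[0] in KEY_LABELS and all(lab == "CERTIFICATE" for lab in labels[1:])


def key_matches_cert(bundle_path: Path) -> Optional[bool]:
    """Compare the RSA modulus of the key with that of the first certificate in the
    bundle using the openssl CLI. Returns None if openssl is not on PATH."""
    if shutil.which("openssl") is None:
        return None

    def modulus(cmd: str) -> str:
        out = subprocess.run(["openssl", cmd, "-noout", "-modulus", "-in", str(bundle_path)],
                             capture_output=True, text=True, check=True).stdout
        return out.strip()

    return modulus("rsa") == modulus("x509")


# Constructed sample blocks: base64 of placeholder text, not real key or certificate material.
def _fake_pem(label: str, text: str) -> str:
    body = base64.b64encode(text.encode()).decode()
    return f"-----BEGIN {label}-----\n\n{body}\n\n-----END {label}-----\n"


SAMPLE_KEY = _fake_pem("RSA PRIVATE KEY", "constructed: not a real private key")
SAMPLE_SERVER = _fake_pem("CERTIFICATE", "constructed: your_domain_name.pem")
SAMPLE_INTERMEDIATE = _fake_pem("CERTIFICATE", "constructed: YourCA.pem")
SAMPLE_ROOT = _fake_pem("CERTIFICATE", "constructed: TrustedRoot.pem")

if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_KEY, [SAMPLE_SERVER, SAMPLE_INTERMEDIATE, SAMPLE_ROOT])
    print(bundle)
    print("order ok:", check_bundle_order(bundle))
    # With real files: write the bundle to C:\inSyncServer4\inSyncServerSSL.key and run
    # key_matches_cert(Path(r"C:\inSyncServer4\inSyncServerSSL.key")) before starting the services.
```

For a real deployment, feed build_bundle the contents of myserver.key and your CA's certificate files in the listed order, write the result to both inSyncServerSSL.key and inSyncWebPanelSSL.key, and treat a False from key_matches_cert as a reason not to start the services: the CA issued the certificate for a different key than the one in the file.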