Using a Signed Certificate for Anzo

This topic includes instructions for generating an SSL certificate using the OpenSSL utility, creating a signing request, and uploading the signed certificate to Anzo.

Generating an SSL Certificate and Signing Request

  1. If necessary, install OpenSSL.
  2. Run the following command to generate a 2048-bit RSA public/private key pair called anzo-key.pem:
    openssl genrsa -out anzo-key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................................+++
    .........+++
  3. Run the following command to generate the Certificate Signing Request (CSR). This command creates a CSR called anzo-csr.csr for the public key in anzo-key.pem.
    openssl req -new -key anzo-key.pem -out anzo-csr.csr
  4. OpenSSL prompts you to enter information to incorporate into the CSR. Provide the required information. For example:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:MA
    Locality Name (eg, city) []:Boston
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Cambridge Semantics
    Organizational Unit Name (eg, section) []:Solutions
    Common Name (e.g. server FQDN or YOUR name) []:sample.cambridgesemantics.com
    Email Address []:webmaster@cambridgesemantics.com
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  5. Send the resulting CSR to a certificate authority for signing.

Uploading a Signed Certificate to Anzo

  1. When you receive the signed certificate from the certificate authority, rename the certificate to anzo-crt.crt.
  2. Create a PKCS12 key:

    1. Run the following command to concatenate the signed certificate and key file into an anzo.pem file:
      cat anzo-key.pem anzo-crt.crt > anzo.pem
    2. Run the following command to convert the resulting anzo.pem file to PKCS12. Replace alias with the name that you choose for the certificate, and set an export password when prompted:
      openssl pkcs12 -export -in anzo.pem -out anzo.pkcs12 -name "alias"
      Enter Export Password:
      Verifying - Enter Export Password:
  3. Copy the anzo.pkcs12 certificate to a server or location where you can select it using the Anzo console.
  4. Log in to the Anzo console, expand the Administration menu item, and click Server Certificates.
  5. On the Server Certificates screen, click Upload Server Key. Anzo displays the Upload Server Key dialog box.

  6. Follow these steps to upload the key:
    1. In the Alias field, type the name that you chose when you created the PKCS12 certificate.
    2. In the Password field, type the export password that you set when you created the PKCS12 certificate.
    3. Click the Choose File button and select the anzo.pkcs12 file.
    4. Click the Keystore type field and select PKCS12 from the drop-down list.
    5. Click Upload to upload the certificate.
  7. To apply the new certificate to the SSL ports for the Anzo server:
    1. In the Anzo console, click Server Settings under the Administration menu.
    2. On the left side of the screen, click Ports to navigate to the Ports section in the main screen. Then click the Edit icon next to Ports. The settings become editable.

    3. Select the new certificate from the Certificate drop-down lists. Then click Save.
  8. Restart Anzo to complete the certificate configuration. You can restart the server by clicking the Restart button at the top of the Server Settings screen.
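
A check to run around step 2 of the upload procedure, given here as an added example that is not part of the Anzo documentation: it confirms that the signed certificate was issued for anzo-key.pem before bundling, and that the resulting PKCS12 file opens with the export password and carries that same certificate. The function names are hypothetical, a self-signed certificate stands in for the CA-signed anzo-crt.crt, and the password is a constructed value passed through an environment variable.

```shell
#!/bin/sh
# Added example, not from the Anzo documentation. Function names are hypothetical;
# a self-signed certificate stands in for the CA-signed anzo-crt.crt.

# PEM public key of: a private key file, a certificate, the cert inside a PKCS12 file.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
p12_pub()  {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null
}

# Succeed only if both public keys could be read and are identical.
same_pub() { [ -n "$1" ] && [ "$1" = "$2" ]; }
cert_matches_key() { same_pub "$(key_pub "$1")" "$(cert_pub "$2")"; }
p12_matches_key()  { same_pub "$(key_pub "$1")" "$(p12_pub "$2")"; }

# Build constructed sample files in a private temp directory and run the checks.
# Prints one line per check; returns 0 only if every check gives the expected result.
demo() (
    umask 077                                    # key material readable by owner only
    dir=$(mktemp -d) || exit 1
    trap 'rm -rf "$dir"' EXIT
    cd "$dir" || exit 1
    export P12_PASS='constructed-demo-password'  # env: keeps the password out of argv
    openssl genrsa -out anzo-key.pem 2048 2>/dev/null || exit 1
    openssl req -new -key anzo-key.pem -out anzo-csr.csr \
        -subj '/C=US/O=Example/CN=sample.example.com' || exit 1
    openssl x509 -req -in anzo-csr.csr -signkey anzo-key.pem -days 1 \
        -out anzo-crt.crt 2>/dev/null || exit 1
    openssl genrsa -out other-key.pem 2048 2>/dev/null || exit 1   # unrelated key

    cert_matches_key anzo-key.pem anzo-crt.crt || exit 1
    echo "cert/key: match"
    if cert_matches_key other-key.pem anzo-crt.crt; then exit 1; fi
    echo "other key: rejected"

    cat anzo-key.pem anzo-crt.crt > anzo.pem
    openssl pkcs12 -export -in anzo.pem -out anzo.pkcs12 -name "alias" \
        -passout env:P12_PASS || exit 1
    rm -f anzo.pem                               # it holds the unencrypted private key
    p12_matches_key anzo-key.pem anzo.pkcs12 || exit 1
    echo "pkcs12: match"
)

demo
```

Against the real files, run cert_matches_key anzo-key.pem anzo-crt.crt before step 2; a non-zero status means the certificate was not issued for that key, or one of the files could not be read.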