Using a Signed Certificate

Follow the instructions below if you want to replace the Anzo self-signed certificate with a certificate signed by a signing authority. The steps guide you through generating a private key and a certificate signing request (CSR) using the OpenSSL utility, having the request signed, and then uploading the signed certificate to Anzo.

Generating the SSL Certificate and Signing Request

  1. If necessary, install OpenSSL.
  2. Create a request configuration file. For example, create a file called certificate.cnf. Then add the following contents to the file. These contents include parameters for creating a multi-domain certificate:
    # certificate.cnf
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    C = <country>
    ST = <state>
    L = <locality>
    O = <organization-or-company-name>
    OU = <organizational-unit>
    emailAddress = <email-address>
    CN = <common-name-or-server-fqdn>
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    # Host names go in DNS.n entries; IP addresses go in IP.n entries.
    DNS.1 = <domain1-name>
    DNS.2 = <domain2-name>
    IP.1 = <ip-address>
  3. Replace the placeholders in the file with the appropriate values. For example:

    # certificate.cnf
    
    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    C = US
    ST = MA
    L = Boston
    O = Cambridge Semantics
    OU = IT
    emailAddress = webmaster@cambridgesemantics.com
    CN = sample.cambridgesemantics.com
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    # Host names go in DNS.n entries; IP addresses go in IP.n entries.
    DNS.1 = sample1.domain.com
    DNS.2 = sample3.domain.com
    IP.1 = 10.0.33.103
  4. Run the following command to generate the signing request and private key using the configuration file:
    openssl req -new -sha256 -nodes -out <csr_file_name>.csr -newkey rsa:2048 \
    -keyout <key_name>.pem -config <config_file_name>.cnf

    For example:

    openssl req -new -sha256 -nodes -out anzo-csr.csr -newkey rsa:2048 \
    -keyout anzo-key.pem -config certificate.cnf
  5. Send the resulting CSR to a certificate authority for signing.

Uploading a Signed Certificate to Anzo

  1. When you receive the signed certificate from the certificate authority, rename the certificate to anzo-crt.crt.
  2. Create a PKCS12 key:
    1. Run the following command to concatenate the signed certificate and private key file that you generated into an anzo.pem file:
      cat <key_name>.pem anzo-crt.crt > anzo.pem

      For example:

      cat anzo-key.pem anzo-crt.crt > anzo.pem
    2. Run the following command to convert the resulting anzo.pem file to PKCS12, choose a name for the certificate, and set an export password:
      openssl pkcs12 -export -in anzo.pem -out anzo.pkcs12 -name "<alias>"
      Enter Export Password:
      Verifying - Enter Export Password:
  3. Copy the anzo.pkcs12 certificate to your computer if necessary.
  4. In the Administration application, expand the Servers menu and click Server Certificates. Anzo displays the Server Certificates screen.

  5. Click Upload Server Key. Anzo displays the Upload Server Key dialog box.

  6. Supply the required values:
    • In the Destination Alias field, specify the alias that you chose when you created the PKCS12 certificate.
    • In the Password field, specify the Export Password that you set when you created the PKCS12 certificate.
    • Click the Choose File button and select the anzo.pkcs12 file.
    • Click the Keystore type field and select PKCS12 from the drop-down list.
  7. Click Upload to upload the certificate.
  8. Finally, follow these steps to apply the new certificate to the Anzo server SSL ports:
    1. In the Servers menu, click Server Settings.
    2. On the Server Settings screen, expand Ports and click Edit.

    3. Click the Certificates drop-down list for each of the enabled SSL ports and select the new certificate. Then click Save.
  9. Restart Anzo to apply the configuration change.
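
Before building the PKCS12 file in step 2 of the upload procedure, it is worth confirming that the certificate the CA returned belongs to the private key generated with the signing request and carries the subject alternative names you need. The following shell functions are an added example, not part of the Anzo documentation; the function names are hypothetical and the file names in the closing comment follow the examples above.

```sh
# Added example (not from the Anzo documentation): pre-upload checks for the
# key, CSR and CA-signed certificate. Function names are hypothetical.

# Emit the PEM public key held in a private key, CSR or certificate.
pubkey_pem() {  # usage: pubkey_pem key|csr|crt FILE
    case "$1" in
        (key) openssl pkey -in "$2" -pubout ;;
        (csr) openssl req  -in "$2" -noout -pubkey ;;
        (crt) openssl x509 -in "$2" -noout -pubkey ;;
        (*)   return 2 ;;
    esac
}

# Print a SHA-256 digest of that public key; fail if the file cannot be parsed,
# so two unreadable files never compare as equal.
pubkey_digest() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# List the certificate's SAN entries one per line, e.g. "DNS:sample1.domain.com".
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Succeed only if CSR and certificate carry the private key's public half, the
# certificate has not expired, and every expected SAN entry is present.
check_signed_cert() {  # usage: check_signed_cert KEY CSR CRT SAN...
    key=$1 csr=$2 crt=$3; shift 3
    want=$(pubkey_digest key "$key") || { echo "cannot read key $key" >&2; return 1; }
    [ "$(pubkey_digest csr "$csr")" = "$want" ] || { echo "CSR does not match key" >&2; return 1; }
    [ "$(pubkey_digest crt "$crt")" = "$want" ] || { echo "certificate does not match key" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; return 1; }
    sans=$(cert_sans "$crt")
    for san in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$san" || { echo "missing SAN: $san" >&2; return 1; }
    done
}

# Example call with the file names used above:
# check_signed_cert anzo-key.pem anzo-csr.csr anzo-crt.crt \
#     "DNS:sample1.domain.com" "IP Address:10.0.33.103"
```

SAN entries are written the way `openssl x509 -text` prints them, so an IP address is passed as `IP Address:<address>`.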