Replacing the Self-Signed Certificate

By default, Anzo installations include a self-signed certificate. Follow the instructions below if you want to replace the default certificate with a trusted one. The steps guide you through using OpenSSL to generate an SSL certificate and signing request and then uploading the signed certificate to Anzo.

Generate an SSL Certificate and Signing Request

  1. If necessary, install OpenSSL.
  2. Create a request configuration file. For example, create a file called certificate.cnf. Then add the following contents to the file. These contents include parameters for creating a multi-domain certificate:
    # certificate.cnf
    
    [req]
    default_bits = 2048
    prompt = no
    # default_md must name a message digest, not a key algorithm
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    C = <country>
    ST = <state>
    L = <locality>
    O = <organization-or-company-name>
    OU = <organizational-unit>
    emailAddress = <email-address>
    CN = <common-name-or-server-fqdn>
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    # Host names go in DNS.n entries; IP addresses go in IP.n entries
    DNS.1 = <domain1-name>
    IP.1 = <ip-address>
    DNS.2 = <domain2-name>
  3. Replace the placeholders in the file with the appropriate values. For example:
    # certificate.cnf
    
    [req]
    default_bits = 2048
    prompt = no
    # default_md must name a message digest, not a key algorithm
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    
    [ dn ]
    C = US
    ST = MA
    L = Boston
    O = Cambridge Semantics
    OU = IT
    emailAddress = webmaster@cambridgesemantics.com
    CN = sample.cambridgesemantics.com
    
    [ req_ext ]
    subjectAltName = @alt_names
    
    [ alt_names ]
    # Host names go in DNS.n entries; IP addresses go in IP.n entries
    DNS.1 = sample1.domain.com
    IP.1 = 10.0.33.103
    DNS.2 = sample3.domain.com
  4. Run the following command to generate the signing request and private key using the configuration file:
    openssl req -new -sha256 -nodes -out <csr_file_name>.csr -newkey rsa:2048 \
      -keyout <key_name>.pem -config <config_file_name>.cnf

    For example:

    openssl req -new -sha256 -nodes -out anzo-csr.csr -newkey rsa:2048 \
      -keyout anzo-key.pem -config certificate.cnf
  5. Send the resulting CSR to a certificate authority for signing.

Upload the Trusted Certificate to Anzo

  1. When you receive the signed certificate from the certificate authority, rename the certificate to anzo-crt.crt.
  2. Then follow the steps below to create a PKCS12 key:
    1. Run the following command to concatenate the signed certificate and private key file that you generated into an anzo.pem file:
      cat <key_name>.pem anzo-crt.crt > anzo.pem

      For example:

      cat anzo-key.pem anzo-crt.crt > anzo.pem
    2. Run the following command to convert the resulting anzo.pem file to PKCS12, choose a name for the certificate, and set an export password:
      openssl pkcs12 -export -in anzo.pem -out anzo.pkcs12 -name "<destination_alias>"

      If you have installed OpenSSL version 3 or later, include the --legacy flag in the command (shown below):

      openssl pkcs12 -export -in anzo.pem -out anzo.pkcs12 -name "<destination_alias>" --legacy
      Enter Export Password:
      Verifying - Enter Export Password:
  3. Copy the anzo.pkcs12 certificate to your computer if necessary.
  4. In the Administration application, expand the Servers menu and click Server Certificates. Anzo displays the Server Certificates screen.
  5. Click Upload Server Key. Anzo displays the Upload Server Key dialog box.
  6. Supply the required values:
    • In the Destination Alias field, specify the destination alias that you chose when you created the PKCS12 certificate.
    • In the Password field, specify the Export Password that you set when you created the PKCS12 certificate.
    • Click the Choose File button and select the anzo.pkcs12 file.
    • Click the Keystore type field and select PKCS12 from the drop-down list.
  7. Click Upload to upload the certificate.
  8. Finally, follow these steps to apply the new certificate to the Anzo server SSL ports:
    1. In the Servers menu, click Server Settings.
    2. On the Server Settings screen, expand Ports and click Edit.
    3. Click the Certificates drop-down list for each of the enabled SSL ports and select the new certificate. Then click Save.
  9. Restart Anzo to apply the configuration change.
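
A pre-flight check for the upload procedure above, as an added example that is not part of the Anzo documentation: run it after renaming the signed certificate and before building anzo.pkcs12 to confirm that the certificate matches the private key and carries the expected subjectAltName entries. The function names and the script name preflight.sh are hypothetical, and the script assumes OpenSSL 1.1.1 or later (for the x509 -ext option) and an unencrypted key as produced by -nodes.

```shell
#!/bin/sh
# Added example, not part of the Anzo documentation. Function names are
# hypothetical; file names follow the page (anzo-crt.crt, anzo-key.pem).

# Print the PEM public key held in a certificate or a private key.
pubkey_of() {  # $1 = cert|key, $2 = file
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if the certificate was issued for this private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
    c=$(pubkey_of cert "$1") && k=$(pubkey_of key "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the SAN extension lists the entry exactly as OpenSSL prints
# it, e.g. "DNS:sample1.domain.com" or "IP Address:10.0.33.103".
cert_has_san() {  # $1 = certificate, $2 = SAN entry
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq -- "$2"
}

# Run every check; report each failure and return non-zero if any failed.
preflight() {  # $1 = certificate, $2 = private key, rest = expected SAN entries
    crt=$1 key=$2 rc=0
    shift 2
    cert_matches_key "$crt" "$key" || { echo "FAIL: $crt does not match $key" >&2; rc=1; }
    for san in "$@"; do
        cert_has_san "$crt" "$san" || { echo "FAIL: SAN missing: $san" >&2; rc=1; }
    done
    return "$rc"
}

# Usage: sh preflight.sh anzo-crt.crt anzo-key.pem "DNS:sample1.domain.com" ...
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

An IP address placed in a DNS.n entry shows up as "DNS:10.0.33.103" and fails the "IP Address:10.0.33.103" check, which catches that mistake before the keystore is uploaded.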