FAS is installed with certificates signed by the installer CA which will not be trusted outside of the cluster. For typical production installations you will need certificates signed by well known CAs for:
- https for the main-loadbalancer-group
Note: This is not needed if you are SSL offloading at the Reverse Proxy and are satisfied to use unsecured http between Reverse Proxy and the cluster.
- sips for the main-loadbalancer-group
Required if you are receiving internal SIP calls over TLS
Note: To making internal SIP calls over TLS you will need to import external SIP entity certificates into your trust store. See the Managing Trust Certificates article.
Certificate import process
1) Generating Certificate Signing Requests
First you need to generate a Certificate Signing Request (CSR) to send to the third-party CA.
Do the following:
- In the Management Console, from the top-right menu select Profiles.
- From the Profile drop-down list, select the management profile.
- From the menu on the left, expand Subsystems > Trust Management and select ID Certificates.
- Select the identity certificate group that you want to work with. (e.g. main-loadbalancer-group)
- Select the certificate that you want to be signed in the list (e.g. https)
- Click Generate CSR, a pop-up window appears.
- Enter the security password.
- Optionally enter a challenge Password for revocation purposes.
- Enter the DN for the component that you are generating a certificate.
The Subject DN will already be pre-populated for https and sips e.g. CN=my.server.cafex.com, but you can change if you need to.
- Click generate, A dialog containing the CSR text is presented.
- Copy all of the displayed text, including the start and end tags, and paste it into a text editor, then save as a .csr file
- Close the dialog.
2) Generating CSR with multiple value fields.
Some CA require more information than just a CN field, they require add extra values such as O, OU, C etc.
You can add these to CSR by adding them on the Subject DN line, e.g.:
CN=*.cafex.com, OU=PremiumSSL Wildcard, O=CafeX Communications, STREET=1040 Avenue of the Americas, L=New York, ST=New York, OID.126.96.36.199=10018, C=US
3) Sending a certificate to the external CA for signing
The procedure for getting your certificate signed by a third-party CA depends upon the requirements of that CA. See the guidance from the CA.
4) Importing the signed certificate
When you receive the certificate back from the CA you must then import it into the right identity certificate group and named listing, from which the CSR was generated.
- The certificate you import needs to contain the complete certificate chain from your server down to the root certificate. Some CAs provide the certificate chain in multiple separate files. If this is the case, these will be need to be concatenated into one file without empty lines in it before importing.
- From the page you generated your CSR from select the identity certificate group that you want to import into.
- Select the named certificate entry that you requested the CSR for, e.g. sips or https.
- Click Import, a dialog will appear.
- Enter the security password for the named certificate.
- Open the certificate in a text editor, and copy all of the contents, including the start and end tags.
- In the Encoded Certificate field, paste the certificate text.
- Click Import.
The Console is updated to reflect the new certificate details, such as the issuer DN and the expiry date.
The updated identity certificate group directory is then copied to each Application Server or Load Balancer in the Server Group.
- Restart each server for the changes to take effect.