Replacing the Apache certificate with a CA-signed certificate
For the Apache certificate, there is no need to load the CA certificate chain. Only the end entity certificate and private key are necessary. The Apache certificate should have standard web server extensions (SSL Server, TLS Web Server Auth, etc.). If it does not have these, the web browser’s certificate verification process may fail.
To replace the Apache certificate with a CA-signed certificate:
- Go to the Local Credentials tab of the Administration > Appliance Security > Encryption Key Management page of this appliance.
- In the row for the Apache SSL Certificate, choose Change Key/Cert from the Actions menu.
- Paste both the Apache certificate and the private key into the Key/Cert field.
- Click OK and confirm that the Apache certificate is listed on the Local Credentials tab.
Note: Ensure that you include both the private key and the certificate with their BEGIN and END statements. If you paste in just the certificate, you will get a certification error.
They will be in the format:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----
If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when you initially paste it into the Change window.
- Restart your web browser before logging back in to the appliance. Advise all other users who are connected to the web user interface of this appliance to restart their browsers to avoid browser errors.
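The note above about pasting both blocks with their BEGIN and END statements can be checked locally before the paste. The following is an added example, not part of the appliance or its documentation; the function names are hypothetical, the sample input is constructed, and it assumes a single certificate because the page says only the end entity certificate is necessary.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if der is one SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_bundle(text: str) -> list[str]:
    """Return problems found in text meant for the Key/Cert field."""
    problems, labels = [], []
    for begin, body, end in PEM_BLOCK.findall(text):
        labels.append(begin)
        if begin != end:
            problems.append(f"BEGIN {begin} closed by END {end}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            problems.append(f"{begin}: body is not valid base64")
            continue
        if not der_is_complete(der):
            problems.append(f"{begin}: truncated or malformed DER")
    # Assumption: one key of any PEM key type and one end entity certificate.
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("expected exactly one PRIVATE KEY block")
    if labels.count("CERTIFICATE") != 1:
        problems.append("expected exactly one CERTIFICATE block")
    return problems

def make_pem(label: str, payload: bytes) -> str:
    """Constructed sample: wrap payload in a DER SEQUENCE and PEM-armor it."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    b64 = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    good = make_pem("PRIVATE KEY", bytes(300)) + make_pem("CERTIFICATE", bytes(400))
    print(check_bundle(good) or "bundle looks structurally complete")
```

This checks structure only: it does not confirm that the private key belongs to the certificate or that the certificate carries the web server extensions. Run it on the machine that already holds the key so the key is not copied anywhere new.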