Modifying SSL server certificate settings
After initial SSL server configuration, you can modify server certificate settings in the Optimization > SSL Main Settings page. You can remove a server certificate, view the server certificate details, change the server certificate and private key, export a certificate, or generate a CSR.
How you replace an expired or about-to-expire SSL certificate depends on the type of certificate:
- Peer certificate—For details, go to Knowledge Base article S17054.
- Root CA certificate—For details, go to Knowledge Base article S30418.
- Proxy certificate—For details, go to Knowledge Base article S34687.
For details about initial SSL server configuration, see Configuring SSL main settings.
After initial configuration, you might need to generate a Certificate Signing Request and import a Certificate Authority-signed certificate before activating the SSL server for optimization.
Removing or changing an SSL server certificate
This section describes how to remove or change an existing SSL server certificate.
To remove a server certificate
1. Choose Optimization > SSL: SSL Main Settings to display the SSL Main Settings page.
2. Under Bypassed SSL Servers, select the certificate name you want to remove and click Remove Selected.
To change an SSL server certificate
1. Choose Optimization > SSL: SSL Main Settings to display the SSL Main Settings page.
2. Under SSL Server Certificates, select the certificate name.
3. Click Modify.
4. Complete the configuration as described in this table.
| Control | Description |
| --- | --- |
| Rename Certificate | Displays the controls to rename the certificate. Name—Specify the new certificate name. Change—Changes the certificate name. |
| Import Existing Private Key and CA-Signed Public Certificate (One File in PEM or PKCS12 formats) | Select this option if the existing private key and CA-signed certificate are located in one file. The page expands displaying Private Key and CA-Signed Public Certificate controls for browsing to the key and certificate files or a text box for copying and pasting the key and certificate. The private key is required regardless of whether you are adding or updating. Local File—Browse to the local file. Text—Paste the content of the file. Decryption Password—Specify the password used to decrypt, if necessary. Change—Changes the settings. |
| Import Existing Private Keys and CA-Signed Public Certificate (Two Files in PEM or DER formats) | Select this option if the existing private key and CA-signed certificate are located in two files. The page expands displaying Private Key and CA-Signed Public Certificate controls for browsing to the key and certificate files or text boxes for copying and pasting the keys and certificates. A private key is optional for existing server configurations. Private Key: Private Key Local File—Browse to the local file containing the private key. Private Key Text—Paste the private key text. CA-Signed Public Certificate: Local File—Browse to the local file. Cert Text—Paste the content of the certificate text file. Decryption Password—Specify the password used to decrypt, if necessary. Change—Changes the settings. |
| Generate New Private Key and Self-Signed Public Certificate | Select this option to generate a new private key and self-signed public certificate. Cipher Bits—Select the key length from the drop-down list. The default value is 2048. Common Name—Specify the domain name of the server. Organization Name—Specify the organization name (for example, the company). Organization Unit Name—Specify the organization unit name (for example, the section or department). Locality—Specify the city. State (no abbreviations)—Specify the state. Country (2-letter code)—Specify the country (2-letter code only). Email Address—Specify the email address of the contact person. Validity Period (Days)—Specify how many days the certificate is valid. Change—Changes the settings. |
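
A pre-import check for the two-file import option above, as an added example that is not part of the original documentation: run on an administrator workstation with the openssl command-line tool, it confirms that the private key belongs to the CA-signed certificate and that the certificate is not about to expire. The function names, verdict strings, 14-day threshold and sample subject are assumptions, and the key is assumed to be unencrypted PEM.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for a PEM key/certificate pair (two files).
# Function names, verdict strings and sample values are assumptions.

# Return 0 if the key matches the certificate, 1 if not, 2 if a file is unreadable.
cert_matches_key() {
    local from_cert from_key
    # Public key embedded in the certificate.
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key.
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Return 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print one verdict for <cert> <key> <days>: OK, KEY_MISMATCH, EXPIRING or UNREADABLE.
preimport_check() {
    local rc=0
    cert_matches_key "$1" "$2" || rc=$?
    if [ "$rc" -eq 2 ]; then echo UNREADABLE
    elif [ "$rc" -ne 0 ]; then echo KEY_MISMATCH
    elif ! cert_valid_for_days "$1" "$3"; then echo EXPIRING
    else echo OK
    fi
}

# Constructed sample input: a throwaway key with a 30-day self-signed
# certificate, plus an unrelated key, written into directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=server.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1 &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" >/dev/null 2>&1
}

tmp=$(mktemp -d) && make_sample "$tmp" && {
    preimport_check "$tmp/server.crt" "$tmp/server.key" 14   # matching pair
    preimport_check "$tmp/server.crt" "$tmp/other.key" 14    # unrelated key
}
rm -rf "$tmp"
```
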
Exporting an SSL server certificate
This section describes how to export an existing certificate for an SSL server. For details about making SSL server certificates nonexportable, see Preventing the export of SSL server certificates and private keys.
To export an SSL server certificate
1. Choose Optimization > SSL: SSL Main Settings to display the SSL Main Settings page.
2. Under SSL Server Certificates, select the certificate name.
3. To export an existing certificate, click Export and complete the configuration as described in this table. This option is unavailable if global exporting of SSL server certificates and private keys is disabled from the SSL Main Settings page.
| Control | Description |
| --- | --- |
| Include Private Key | Includes the private key in the export. |
| Password/Password Confirm | Specify and confirm the encrypted password if you are including the private key (required if including the key). The password must be at least four characters. |
| Export | Exports the SteelHead peering certificate and key. |
4. Click Apply to save your settings to the running configuration.
5. Click Save to Disk to save your settings permanently.
Generating a CSR
This section describes how to generate a Certificate Signing Request (CSR) for an existing SSL server from the current private key.
To generate a CSR
1. Choose Optimization > SSL: SSL Main Settings to display the SSL Main Settings page.
2. Under SSL Server Certificates, select the certificate name.
3. Click Generate CSR and complete the configuration as described in this table.
| Control | Description |
| --- | --- |
| Common Name (required) | Specify the common name (hostname) of the peer. |
| Organization Name | Specify the organization name (for example, the company). |
| Organization Unit Name | Specify the organization unit name (for example, the section or department). |
| Locality | Specify the city. |
| State | Specify the state. Do not abbreviate. |
| Country (2-letter code) | Specify the country (2-letter code only). |
| Email Address | Specify the email address of the contact person. |
| Generate CSR | Generates the Certificate Signing Request. |
4. Click Save to Disk to save the settings permanently.
Adding a chain certificate
This section describes how to add or remove a chain certificate for an existing SSL server.
To add a chain certificate
1. Choose Optimization > SSL: SSL Main Settings to display the SSL Main Settings page.
2. Under SSL Server Certificates, select the certificate name.
3. Click Chain and complete the configuration as described in this table.
| Control | Description |
| --- | --- |
| Add a New Chain Certificate | Displays the controls to add a chain certificate. |
| Use Existing CA | Select to use an existing certificate authority, and then select the certificate authority from the drop-down list. |
| Use New Certificate(s) PEM or DER formats | Select to use a new certificate. |
| Optional Local Name | Optionally, specify a local name for the certificate. |
| Local File | Browse to the local file. |
| Cert Text | Paste the contents of the certificate text file into the text box. |
| Add | Adds the chain certificate to the chain certificate list. |
| Remove Selected | Select the check box next to the name and click Remove Selected. |
4. Click Save to Disk to save the settings permanently.