Certificate Management

The Certificate Management page is for entering your SSL/TLS certificates and private key files. To access this page, click on the Settings tab and select Certificate Management.

AsdeqServer accepts X509 v3 Certificates in the following formats:

  • PEM
  • PFX / p12

Note that the preferred format is PFX / p12, as this format is effectively self-contained.

https://en.wikipedia.org/wiki/PKCS_12


Note that the preferred option is to Upload Certificate.

Create Certificate

This certificate will simply stop the devices from presenting the "Accept Certificate" pop-up before allowing users to log in. Web browsers will still prompt the user to accept the certificate before loading the site.

If you wish to continue to use the AsdeqServer certificate, then you can use the Create Certificate button. Enter details into the fields that appear at the bottom of the page, including the URL for the AsdeqServer site (not the IP) and your Company Name, then click on the Create Certificate and Restart button. This will restart the service on the server and enable the use of a certificate that the AsdeqDocs app will recognize.

Web browsers accessing AsdeqServer will still show a prompt to accept the certificate. To remedy this you will need to Import a certificate.

If you create a certificate after you have imported one, a new certificate is written to the file system and AsdeqServer is reconfigured to use it. Your original certificate is preserved on disk; to reinstall it you will need to import it again.

Import certificate

To enter the details of your purchased certificate, press the Import Certificate button. Enter the details of your certificate into the certificate and private key fields that appear at the bottom of the page, then click on the Import Certificate and Restart button. This will restart the service on the server and enable the use of the certificate for your users' devices. This certificate will be recognized by the AsdeqDocs app and web browsers.

If no keystore exists yet, importing a certificate creates a new AsdeqServer keystore at ‘aes.home/ssl/keystore.p12’, protected with the specified keystore password. If a keystore already exists, the password specified must be the same keystore password that was used when the keystore file was created. The supplied private key and certificate are encrypted and stored in this file.

The simpler approach is to upload the certificate.

Upload a certificate

AsdeqServer can accept an uploaded certificate in the Certificate Management screen.

To upload a certificate, it must be in the PKCS#12 format with a file extension of .pfx or .p12. Note that pfx and p12 are almost identical, interchangeable formats.

When uploading a certificate, the password specified must be the same password used when creating the keystore file, or the contents of the file can’t be decrypted by AsdeqServer.

A certificate in this format can be obtained in a number of ways, usually from a trusted Certificate Authority such as VeriSign after submitting a Certificate Signing Request (see creating a CSR).

To upload a Certificate:

  1. Log on to the AsdeqServer admin console.
  2. Click on the Settings tab and select Certificate Management.
  3. Select Upload Certificate.
  4. Click Choose File and select the .pfx or .p12 certificate file to upload.
  5. Enter the Keystore Password and Private Key Password (if required).
  6. Click the Upload and Restart button.
  7. The Certificate will be validated and if everything is correct the server will restart.

Certificate Upload

When generating a .pfx / .p12 certificate file, please ensure that it contains the following information:

  • Public Key
  • Private Key
  • Intermediary certificate chain

If the Private Key is not present then AsdeqServer cannot utilise the certificate file.
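
A pre-upload check for the three items listed above, written here as an added example that is not part of AsdeqServer or its documentation. `Test-PfxForUpload` is a hypothetical helper name and `server.pfx` is a placeholder file name; the script uses the standard .NET `X509Certificate2Collection` and `X509Chain` classes from PowerShell.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example; Test-PfxForUpload is a hypothetical helper, not an AsdeqServer command.
function Test-PfxForUpload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [X509Certificate2Collection]::new()
    # Throws if the password is wrong or the file is not valid PKCS#12.
    $certs.Import((Resolve-Path $Path).Path, $plain, [X509KeyStorageFlags]::DefaultKeySet)

    # The server certificate is the entry that carries the private key.
    $leaf = $certs | Where-Object HasPrivateKey | Select-Object -First 1
    if (-not $leaf) { throw "No private key in '$Path'; re-export with 'Yes, export the private key'." }

    # Build the chain, offering the certificates from the file as candidates.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ExtraStore.AddRange($certs)
    $valid = $chain.Build($leaf)

    # Windows may complete the chain from its own stores, so also confirm that every
    # intermediate (not the leaf, not the self-signed root) is inside the file itself.
    $inFile  = @($certs | ForEach-Object Thumbprint)
    $missing = @($chain.ChainElements | ForEach-Object Certificate |
        Select-Object -Skip 1 |
        Where-Object { $_.Subject -ne $_.Issuer -and $_.Thumbprint -notin $inFile })

    [pscustomobject]@{
        Subject              = $leaf.Subject
        NotAfter             = $leaf.NotAfter
        HasPrivateKey        = $true
        CertificatesInFile   = $certs.Count
        ChainValidOnThisHost = $valid
        ChainStatus          = @($chain.ChainStatus | ForEach-Object Status)
        MissingFromFile      = @($missing | ForEach-Object Subject)
    }
}

# Usage (server.pfx is a placeholder file name):
# Test-PfxForUpload -Path .\server.pfx -Password (Read-Host 'PFX password' -AsSecureString)
```

A `ChainStatus` of `PartialChain` means an intermediate is absent from both the file and the local Windows stores; a non-empty `MissingFromFile` means Windows found the intermediate locally but the export did not include it.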

Recommended way to Create a Certificate

Usually the simplest way to issue a certificate for AsdeqServer is to follow the instructions provided by your Certificate Authority so that the certificate is imported into the Microsoft Management Console on a Windows Server.

  1. On a Windows server click Start > Run > type in MMC > double click on mmc.exe
  2. In the MMC, click File > Add or Remove Snap-in
  3. Select Certificates > Computer account > Local computer > and click Finish, then OK
  4. Locate the Certificate
  5. Double click on your certificate. Select the Certification Path tab. 
    • If the path/chain is complete back to your CSA then continue
    • If the path/chain to your CSA has errors or broken links, then you may need to import the intermediary certificates from your Certificate Authority to complete the chain. Usually this information should already be present.
  6. Once the path is complete to your CSA, right click on your certificate > All tasks > Export
  7. Click Next
  8. Select, "Yes, export the private key" then click Next
  9. "Personal Information Exchange - PKCS #12 (PFX)" should be selected
  10. Tick "Include all certificates in the certification path if possible", then click Next
  11. Give the exported certificate chain a password (you'll need this to import into AsdeqServer), then click Next
  12. Give the exported certificate a file name, then click Next > Finish > OK
  13. Use this newly exported file as the file to upload/import into AsdeqServer using the AsdeqServer admin web UI 

Alternatively, if you have the certificate file and it's not already imported into the Windows MMC console, you can do the following:

  1. On a Windows server click Start > Run > type in MMC > double click on mmc.exe
  2. In the MMC, click File > Add or Remove Snap-in
  3. Select Certificates > Computer account > Local computer > and click Finish, then OK
  4. Under Certificates (local computer), right click on Personal
  5. Under all tasks, select Import, then click Next
  6. Browse to your certificate file, then click Next 
  7. Type in the certificate password
  8. Make sure to select "Mark this key as exportable" and "Include all extended properties", before clicking Next > Next > Finish
  9. Repeat from step 5 above with your intermediary certificate
  10. Drill into Personal folder down to your certificate and double click on your certificate. Select the Certification Path tab. 
    • If the path/chain is complete back to your CSA then continue
    • If the path/chain to your CSA has errors or broken links, then remove the certificate and the intermediary, and import them in a different order. You may also have the incorrect intermediary certificate for your server type. As you are importing into the Windows MMC, try the IIS intermediary bundle.
  11. Once the path is complete to your CSA, right click on your certificate > All tasks > Export
  12. Click Next
  13. Select, "Yes, export the private key" then click Next
  14. "Personal Information Exchange - PKCS #12 (PFX)" should be selected
  15. Tick "Include all certificates in the certification path if possible", then click Next
  16. Give the exported certificate chain a password (you'll need this to import into AsdeqServer), then click Next
  17. Give the exported certificate a file name, then click Next > Finish > OK
  18. Use this newly exported file as the file to upload/import into AsdeqServer using the AsdeqServer admin web UI 

Service won't start after the certificate is added (removing a certificate)

To remove a certificate which has broken your AsdeqServer:

  1. Stop the AsdeqServer service 
  2. Go to the SSL directory in the data directory (for a default install this is C:\ProgramData\AES\aes.home\ssl) and rename the keystore file
  3. Restart the AsdeqServer service
  4. The AsdeqServer will automatically generate a self-signed certificate upon start up
  5. Resolve the certificate issues and try again.

Convert the certificate

Some certificates just do not work well with Java. A simple fix can be to convert the certificate and then reimport it:

  1. On a Windows server, start up MMC.exe
  2. Click on File, Add/Remove Snap-in
  3. Add the Certificates snap-in, and select Computer account, Local computer, when prompted
  4. Click on Actions, All tasks, Import...
  5. Import the certificate, selecting Allow exports, and recording the passwords used
  6. Once the certificate is imported, right click on the certificate and select All tasks, Export...
  7. Export as a PFX and tick Include all certificates in the certificate path if possible. Again, record any passwords you use
  8. Import/Upload the new certificate into AsdeqServer through the admin UI

Generating a Certificate Signing request (CSR)

To order an SSL certificate you will need to generate a CSR. Follow these instructions for creating a CSR. The format in which the new certificate is returned depends on the Certificate Authority used.

 
