The menu item SSL displays the certificate used for SSL/TLS access to the GINA portal and/or the administration interface. The same certificate is also used for TLS encryption towards other systems.
Sections on this page:
•PKCS12 One-Time-Only Download
SSL is a machine-related setting. This means that the certificate used here is not synchronised in the Cluster. Depending on the requirement and the infrastructure (in particular the TLS setting "secure", see TLS Settings), either a separate certificate is used on each cluster partner or the same certificate is imported on each of them.
One exception is the option Use virtual hosting in the section Settings of the menu GINA Domains: with it, a separate certificate is integrated for each GINA domain.
If a certificate is already included, it is displayed as follows.
Otherwise, the button Request or create a certificate... can be used to create a self-signed (or locally signed) SSL certificate or a certificate signing request (CSR).
The button Import existing certificate... can be used to import an already existing SSL certificate.
If the status bar at the top of the menu shows the information Remember to import the signed certificate, only the button Continue certificate signing request... is displayed. This button continues or completes obtaining a certificate via CSR that was started with Request or create a certificate....
SSL server certificates must carry the key usages digital signature and key encipherment (keyUsage digitalSignature and keyEncipherment) as well as server authentication (extendedKeyUsage serverAuth). Wildcard certificates are also permitted, for example "*.firma.tld". Note, however, that a wildcard certificate makes the TLS setting "secure" (see TLS Settings) impossible. If TLS "secure" is not required, the same certificate can also be used across the Cluster. Subject Alternative Name (SAN) certificates (also called multi-domain certificates) are supported as well.
The root certificate and any associated intermediate certificates should be present under X.509 Root Certificates and classified as trustworthy. This does not replace importing the intermediate certificates together with the server certificate (see also the related warning): a peer that only trusts the root still needs the intermediates from the server to build the chain.
A faulty or mismatched machine certificate must not be put into use, since it can make the configuration interface inaccessible. For this reason, before making any changes in this menu, temporarily release the HTTP port for access to the administration interface via System > Advanced view > Admin GUI HTTP port (http://<Appliance>:8080), and close it again once HTTPS access with the new certificate has been confirmed.
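The requirements above (key usage, extended key usage, wildcard names, complete chain) can be checked locally before a certificate is imported. The following script is an added example written for this page, not code from the appliance or its vendor. It assumes openssl 1.1.1 or newer on the PATH and that the server certificate, the intermediates and the root are available as PEM files; the file names are placeholders.

```shell
#!/bin/sh
# Pre-import checks for a GINA/admin SSL server certificate (added example,
# not part of the appliance). Requires openssl 1.1.1 or newer on PATH.
# Usage: . ./check_cert.sh
#        check_server_cert cert.pem; is_wildcard_cert cert.pem
#        check_chain cert.pem intermediates.pem root.pem

# Returns 0 only if the certificate carries keyUsage digitalSignature and
# keyEncipherment, extendedKeyUsage serverAuth, and has not expired.
check_server_cert() {
    cert=$1
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "not a readable X.509 certificate: $cert"; return 2; }
    # -text prints the extension name on one line and its value on the next.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    rc=0
    case "$ku" in *"Digital Signature"*) ;; *) echo "missing keyUsage digitalSignature"; rc=1 ;; esac
    case "$ku" in *"Key Encipherment"*) ;; *) echo "missing keyUsage keyEncipherment"; rc=1 ;; esac
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) echo "missing extendedKeyUsage serverAuth"; rc=1 ;; esac
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "key usage/EKU OK: $cert"
    return "$rc"
}

# Prints every DNS name the certificate is valid for: subject CN plus SAN entries.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Returns 0 if any name is a wildcard (*.firma.tld), which rules out the TLS
# setting "secure" and should be flagged before import.
is_wildcard_cert() {
    cert_names "$1" | grep -q '^\*'
}

# Verifies the chain the way a peer will: root.pem is the trusted anchor,
# intermediates.pem (may be an empty string) holds the untrusted certificates
# that must be imported together with the server certificate.
# Returns 0 only if the chain can be built from these inputs.
check_chain() {
    cert=$1; intermediates=$2; root=$3
    if [ -n "$intermediates" ]; then
        openssl verify -CAfile "$root" -untrusted "$intermediates" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
    fi
}

# Stand-alone use: ./check_cert.sh cert.pem
if [ "$#" -gt 0 ]; then
    check_server_cert "$1"
    if is_wildcard_cert "$1"; then
        echo "WARNING: wildcard certificate - TLS setting \"secure\" is not possible"
    fi
fi
```

Running check_chain once with the intermediates and once with an empty second argument shows the point made above: a root that is merely trusted does not make up for intermediates that were never imported; the second call fails even though the root is correct.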
This section displays information about the owner (subject) of the SSL certificate. The parameter names below are the standard X.509 subject attributes.
Depending on the certificate, not all parameters listed here need to be present.
Parameter | Description
---|---
Common Name (CN) | Generally, this field contains the domain name under which the GINA portal is reached, e.g. "securemail.mycompany.tld". With a wildcard certificate the name would be "*.mycompany.tld". A self-signed certificate might show, for instance, "mycompany.local" here. IP addresses such as "10.0.0.10" should be avoided in this field.
Email | Generally, the email address of the applicant, of the administrator of the certificate or of their department.
Organisational Unit (OU) | Organisational unit, such as a department name, e.g. "Accounting"
Organisation (O) | The organisation for which the certificate was issued, for example "Company"
Locality (L) | Location, for example a town such as "Neuenhof" or a site such as "Plant2"
State (ST) | Federal state, canton, province or similar, for example "AG" for "Aargau"
Country (C) | Country, for example "CH" for "Switzerland"
Serial Number | Serial number of the certificate
Subject Alternative Name (SAN) | If the certificate is a SAN or multi-domain certificate, the additional names it is valid for are listed here.
This section displays information about the issuer of the SSL certificate, i.e. the CA certificate that signed it. For a commercially issued certificate this is usually an intermediate CA rather than the root itself. The parameter names below are the standard X.509 issuer attributes.
Depending on the issuer, not all parameters listed here need to be present.
Parameter | Description
---|---
Common Name (CN) | Name of the issuing certification authority
Email | Generally, an email address for support enquiries to the issuer
Organisational Unit (OU) | An organisational unit of the issuer
Organisation (O) | The issuing organisation
Locality (L) | The location of the issuer
State (ST) | A federal state, canton, province or similar where the issuer is located
Country (C) | The country where the issuer is located
Serial Number | Serial number of the certificate
Shows the validity period of the certificate.
Parameter | Description
---|---
Not Before (valid from) | Issue date of the SSL certificate
Not After (valid until) | Expiration date of the SSL certificate
The fingerprint is the hash of the (DER-encoded) certificate and is used to verify a certificate, for example against the value a browser or a peer shows. The hash algorithm used (for example MD5, SHA1 or SHA256) is displayed together with the calculated value. If fingerprints for several algorithms are available, each one is shown on a separate line. Where a SHA256 fingerprint is available, compare that one: MD5 and SHA1 are no longer collision-resistant and should not be relied on for identifying a certificate.
Parameter | Description
---|---
SHA1 | Example of a SHA1 fingerprint: 48:2D:99:B1:64:C1:14:9C:B3:F2:C0:8D:FA:7F:40:9F:22:F5:11:F5
Section PKCS12 One-Time-Only Download
(new in 14.0.0)
The private key can be downloaded once, as a PKCS12 file, directly after the certificate has been generated. After the page has been refreshed this is no longer possible. Because the file contains the private key, store it protected (or delete it) once it has been imported where it is needed.
Via Download certificate the SSL certificate itself (i.e. the public part, without the private key) can be downloaded in PEM format.
If the same certificate is used for all cluster members, it can be distributed to all members via the button Transfer to cluster members.
This transfer only works between backends (see Cluster > Cluster members) or from the frontend (see Cluster > Remote LDAP server) to the backend, but not from the backend to the frontend.
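The following script is an added example for this page, not code from the appliance or its vendor. It covers two things discussed above: comparing a fingerprint shown in the SSL menu with a local copy of the certificate, and splitting the one-time PKCS12 download into certificate and private key while confirming the two belong together. It assumes openssl 1.1.1 or newer; the file names and the password argument are placeholders (pass an empty string if the download is not password-protected).

```shell
#!/bin/sh
# Fingerprint comparison and PKCS#12 handling for the SSL menu (added example,
# not part of the appliance). Requires openssl 1.1.1 or newer on PATH.
# Usage: . ./ssl_tools.sh
#        fingerprint_matches cert.pem "48:2D:99:..." sha1
#        pkcs12_split gina.p12 "$password" ./out && key_matches_cert ./out/cert.pem ./out/key.pem

# Prints the certificate fingerprint as colon-separated upper-case hex for the
# given digest, e.g. cert_fingerprint cert.pem sha256
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -"$2" | cut -d= -f2
}

# Compares a fingerprint copied from the SSL menu (or a browser dialog) with the
# local certificate, ignoring colons, spaces and letter case. Default: sha256.
fingerprint_matches() {
    cert=$1; shown=$2; algo=${3:-sha256}
    a=$(cert_fingerprint "$cert" "$algo" | tr -d ': ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$shown" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Splits the PKCS#12 file into cert.pem (certificate plus any chain) and
# key.pem (unencrypted private key, created with mode 0600) in outdir.
# Returns non-zero if the file cannot be opened, e.g. wrong password.
pkcs12_split() {
    p12=$1; pass=$2; outdir=$3
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -out "$outdir/cert.pem" 2>/dev/null || return 1
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$outdir/key.pem" 2>/dev/null )
}

# Returns 0 if the private key belongs to the certificate: both public keys are
# exported in the same SubjectPublicKeyInfo PEM form and compared byte for byte.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

If OpenSSL 3 reports an unsupported algorithm when opening an older PKCS#12 file (legacy RC2-based encryption), add `-legacy` to the `openssl pkcs12` calls. Comparing public keys rather than, say, RSA moduli keeps key_matches_cert independent of the key type.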