Certificate Format
The certificate and private key provided to the Certificate Management feature must meet several requirements. Before a certificate and key are installed, a verification process runs to confirm that these requirements are met:
• Certificates and private keys must be encoded in the PEM format.
• Certificates and private keys must be compatible with OpenSSL and the Apache Web Server.
• The certificate and key must match each other (the public key in the certificate must correspond to the private key).
• The Common Name of the certificate must match the Server Name provided in the configuration.
• The certificate must be a valid chain, containing the server certificate as well as any required signing certificates.
• The certificate chain must be ordered from leaf to root: the server certificate first, then any intermediate signing certificates, and finally the root certificate.
First, certificates and keys must be provided in the text-based PEM encoding. This format represents the certificate or key data as Base64 text between a header and a footer line that state the type of data enclosed, for example -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for a certificate, or -----BEGIN PRIVATE KEY----- (or -----BEGIN RSA PRIVATE KEY-----) for a private key. The header and footer lines must be included in the certificate and key data when entering them into the Certificate Management feature.
The RISC Networks Appliances use the Apache Web Server and the OpenSSL cryptographic framework to provide HTTPS services. Certificates and keys provided for the feature must be compatible with this software stack. For more advanced compatibility concerns, please consult the upstream documentation for these projects. Links are available at the bottom of this page.
The server certificate contains a "subject" field describing the identity of the server, including a Common Name (CN) that identifies its name. When a browser connects to the web application, the host name it used must match the name the presented certificate asserts; otherwise the browser issues a warning. The Server Name entered when installing a custom certificate must match the Common Name of the server certificate, which in turn should match the DNS name used to reach the appliance. If the Server Name does not match the Common Name of the certificate, the verification process reports an error and the installation does not proceed. Note that current browsers match the host name against the certificate's Subject Alternative Name (SAN) extension rather than the Common Name, so a certificate obtained from your CA should carry the server name as a DNS entry in the SAN extension as well; the verification performed by the Certificate Management feature checks the Common Name as described above.
The Certificate Management feature does not accept the certificate trust chain as a separate file. The Certificate Chain provided when installing a custom certificate must contain every certificate participating in the trust chain: typically the server certificate, one or more intermediate signing certificates, and the root Certificate Authority certificate. If your PKI currently keeps the CA bundle separate from the server certificate, concatenate them into a single file. The certificates in the chain must be ordered from leaf to root, meaning the server certificate is the first entry in the file, followed by any intermediate signing certificates, and finally the root certificate. If the chain is not ordered this way, the verification process fails, typically because the first certificate in the file is then a CA certificate whose Common Name does not match the Server Name, and installation does not proceed.
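The requirements above can be rehearsed with the OpenSSL command-line tool before the chain and key are pasted into the appliance. The script below is an added example written for this page; it is not the RISC Networks verifier or any of its code, and the exact checks the appliance performs may differ. It assumes the openssl CLI (1.1.1 or newer) is on the PATH and takes three arguments: the concatenated chain file, the private key file and the Server Name you intend to configure. It checks PEM block presence, that the key matches the server certificate, that the Common Name equals the Server Name, and that the chain runs leaf to root and verifies against its own last entry. It also goes one step beyond the page by warning when the Server Name is missing from the subjectAltName extension, which browsers require.

```sh
#!/bin/sh
# Added example, not RISC Networks code: pre-flight checks for a custom certificate
# that mirror the requirements listed above, plus a subjectAltName check that
# browsers require. Assumes the openssl CLI (1.1.1 or newer) is on PATH.
# Usage: sh check_cert.sh chain.pem server.key appliance.example.com

# Strip the "subject=" / "issuer=" prefix openssl prints in front of a DN.
dn_value() { sed 's/^[a-z]*= *//'; }

# RFC 2253 subject / issuer of the first certificate in a PEM file.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | dn_value; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | dn_value; }

# Common Name of the first certificate in a PEM file (empty if there is none).
cert_cn() { cert_subject "$1" | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# Number of PEM certificate blocks in a file (the header lines must be present).
cert_count() { awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"; }

# Split a PEM bundle into $2/cert1.pem (first entry) ... $2/certN.pem (last entry).
split_chain() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
                     n { print > out }' "$1"
}

# 1. Certificate and key must belong together: the public key embedded in the
#    certificate must equal the public key derived from the private key.
check_key_matches() {   # $1 = certificate or chain (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 2. The Common Name must equal the Server Name you will configure. Browsers
#    match against subjectAltName instead, so its absence is reported as a warning.
check_server_name() {   # $1 = certificate or chain (PEM), $2 = Server Name
    cn=$(cert_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "Common Name '$cn' does not match Server Name '$2'" >&2
        return 1
    fi
    if ! openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"; then
        echo "warning: no subjectAltName entry DNS:$2 (browsers ignore the Common Name)" >&2
    fi
    return 0
}

# 3. The chain must run leaf -> intermediates -> root: the first entry carries the
#    Server Name, every entry is issued by the next one, the last is self-signed,
#    and the signatures verify with that last entry as the trust anchor.
check_chain_order() {   # $1 = chain (PEM), $2 = Server Name
    dir=$(mktemp -d) || return 1
    split_chain "$1" "$dir"
    n=$(cert_count "$1")
    rc=1
    if [ "$n" -lt 1 ]; then
        echo "no PEM certificates found in $1" >&2
    elif [ "$(cert_cn "$dir/cert1.pem")" != "$2" ]; then
        echo "first certificate is not the server certificate for $2 (chain out of order?)" >&2
    else
        rc=0; i=1
        while [ "$i" -lt "$n" ]; do
            j=$((i + 1))
            if [ "$(cert_issuer "$dir/cert$i.pem")" != "$(cert_subject "$dir/cert$j.pem")" ]; then
                echo "certificate $i was not issued by certificate $j: chain out of order or incomplete" >&2
                rc=1; break
            fi
            i=$j
        done
        if [ "$rc" -eq 0 ] && [ "$(cert_issuer "$dir/cert$n.pem")" != "$(cert_subject "$dir/cert$n.pem")" ]; then
            echo "last certificate is not a self-signed root" >&2
            rc=1
        fi
        if [ "$rc" -eq 0 ]; then
            openssl verify -CAfile "$dir/cert$n.pem" -untrusted "$1" "$dir/cert1.pem" >/dev/null 2>&1 || rc=1
        fi
    fi
    rm -rf "$dir"
    return "$rc"
}

# Run all checks when invoked with: chain.pem server.key server-name
if [ "$#" -eq 3 ]; then
    status=0
    check_key_matches "$1" "$2" && echo "ok: certificate matches private key" || status=1
    check_server_name "$1" "$3" && echo "ok: Common Name matches Server Name" || status=1
    check_chain_order "$1" "$3" && echo "ok: chain ordered leaf to root and verifies" || status=1
    exit "$status"
fi
```

The ordering check compares each certificate's issuer DN with the next certificate's subject DN, so a chain with the root first, or with an intermediate left out, is rejected with a message saying which position is wrong, rather than the less direct "Common Name does not match Server Name" error the appliance reports for the same mistake. The issuer/subject comparison is a string match and does not replace the signature check, which is why openssl verify is run last with the final entry of the file as the only trust anchor.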