Follow these instructions to change the server key and certificate generated during installation in ExtremeCloud IQ Site Engine. While these provide secure communication, you can update to a certificate provided from an external certificate authority, or add certificates in order to meet the requirements of external components with which ExtremeCloud IQ Site Engine must communicate. You can also use a "browser-friendly" certificate so that users don't see browser certificate warnings when they access web pages.
You need a server private key and server certificate to perform the certificate replacement.
Some instructions in this Help topic use OpenSSL software to perform certain tasks. OpenSSL is available on the ExtremeCloud IQ Site Engine engine or can be downloaded from http://www.openssl.org. After downloading and installing OpenSSL, add the OpenSSL tool to your path using the instructions in Add OpenSSL to Your Path in the Secure Communication Help topic. Other software tools can be used to perform these tasks, if desired.
Instructions on:
- Certificate Requirements
- Replacing the Certificate
- Verifying the Certificate
- Generating a Server Private Key and Server Certificate
Certificate Requirements
Generate the server certificate using the RSA or DSA server private key (in PKCS #8 format). For "browser-friendly" certificates, the server certificate should identify the ExtremeCloud IQ Site Engine server by its fully qualified host name.
| NOTE: |
Elliptical Curve (EC) and ED25519 private key formats are not supported. |
|---|
If your certificate authority (CA) provides additional intermediate certificates, provide those as well. Use the intermediate certificates in whatever format the CA provides them: in individual files, in a bundle file, or in the same file as the server certificate. ExtremeCloud IQ Site Engine also accepts PKCS#12 keystore files, which can contain both a private key and certificates. Enter the PKCCS#12 file here.
| NOTE: | Use the following OpenSSL command where <server.key> is the original non‑PKCS #8 formatted key file to convert your key file to a PKCS #8 format. (OpenSSL is available on ExtremeCloud IQ Site Engine and ExtremeControl engines. The server.key file can be copied and converted on either engine.) openssl pkcs8 -topk8 -in <server.key> -out server-pkcs8.key -nocrypt |
Replacing the Certificate
The following steps assume you generated a replacement server private key and server certificate.
| NOTE: | Whenever the ExtremeCloud IQ Site Engine server certificate is changed, other ExtremeCloud IQ Site Engine components can be affected by the change and stop trusting the server. ExtremeCloud IQ Site Engine clients and other servers must be configured to handle updated certificates using the client certificate trust mode and server certificate trust mode settings. Before updating the ExtremeCloud IQ Site Engine server certificate, be sure that the client and server trust modes are configured to trust the new certificate. For more information, see Update Client Certificate Trust Mode window and Update Server Certificate Trust Mode window. |
|---|
To replace the server private key and server certificate:
- Access the Administration > Certificates tab.
- Select the Update Server Certificate button. The Update Server Certificate window opens.
- Drag and drop a private key, certificate file, or a keystore file. Select in the box to browse for the file.
A private key file must be encoded as a PKCS #8 file.
Use a certificate file as the server certificate and any intermediate or chained certificates.
Use a PKCS#12 keystore file to provide the private key, or certificates, or both. - Select Use a password to access the private key if the private key is encrypted in the key file or the keystore file. Enter the password in the field.
- Select Use a password to access the PKCS#12 keystore if the keystore file is protected with a password. Enter the password in the field.
- Select OK.
A confirmation window listing your file information displays. - Confirm that the information you provided is correct.
- Select Yes to
proceed with the certificate replacement.
The private key and server certificate updates on the ExtremeCloud IQ Site Engine server. - Restart the ExtremeCloud IQ Site Engine server to deploy the new private key and server certificate.
Verifying the Certificate
When the new server certificate is installed and the server restarts, use one of the following methods to verify the server is now using the proper server certificate.
Use a Browser
- Access the ExtremeControl Dashboard web page at
https://<Server FQDN>:8443/Monitor/jsp/nac/dashboard.jsp.or the ExtremeCloud IQ Site Engine web page athttps://<Server FQDN>:8443/Monitor/jsp/reporting/reporting.jsp. - Verify no browser warnings display when you access the web page, if using a "browser-friendly" certificate.
- Use your browser to view the certificate
used:
- Internet Explorer 7.0 or later: Select the lock icon to the right of the URL address > View Certificates
- Microsoft Edge: Select the lock icon to the left of the URL address > Connection is secure > certificate icon
- Mozilla Firefox 3.5 or later: Select the lock icon to the left of the URL address > Connection Secure > More information > View Certificate
Use OpenSSL
- Use OpenSSL to test the server connection
with the following command:
openssl s_client -connect <Server IP>:8443 - The output from this program includes a section titled "Certificate
chain". This enumerates the certificates returned by the server.
For each certificate, the Subject and the Issuer are displayed. With multiple
certificates, if the certificates are in the proper order, the issuer of each
certificate matches the subject of the following certificate. Here is a sample output from the program:
- Terminate the program by pressing [Ctrl]+C.
Generating a Server Private Key and Server Certificate
Generate a server private key and server certificate using the instructions in the sections below.
| NOTE: | ExtremeCloud IQ Site Engine and ExtremeControl do not support the import of PKCS#8 private keys that are encoded with PKCS#5 v2.0 algorithms. Ensure you import PKCS#5 v1.5 or earlier algorithms. |
|---|
You need to:
- Generate a server private key:
- Enter the following command to use OpenSSL
to generate a password-encrypted PKCS #8 formatted server private key file. Use the
key size and output file name you prefer. (If you are unsure of the key size, use 2048.)
openssl genrsa <key_size> | openssl pkcs8 -v1 PBE-SHA1-RC4-128 -topk8 -out <file_name>.key
For example:openssl genrsa 2048 | openssl pkcs8 -v1 PBE-SHA1-RC4-128 -topk8 -out <file.key> - You are prompted for an Encryption Password. Be sure to make a
note of the password that you enter. If the password is lost, you need to
generate a new server private key and a new server certificate.
NOTE: If the private key was previously generated without the -v1format, convert the PKCS#5 v2.0 encoded key to PKCS#5 v1.5 format using the following command:openssl pkcs8 -v1 PBE-SHA1-RC4-128 -in <original_key_file> -topk8 -out <new_key_file>
- Enter the following command to use OpenSSL
to generate a password-encrypted PKCS #8 formatted server private key file. Use the
key size and output file name you prefer. (If you are unsure of the key size, use 2048.)
- Create a Certificate Signing Request:
- Enter the following command to generate a CSR file. Use the output
file name you used in step 1 above as the input file, and specify the output
file name you prefer:
openssl req -new -key <input file> -out <output file>
For example:openssl req -new -key server.key -out server.csr - You are prompted for information that displays in the certificate. When you are prompted for a
Common Name, specify the fully qualified host name of the ExtremeCloud IQ Site Engine server. For
example:
Common Name (eg, YOUR name) []:netsight1.mycompany.com
- Enter the following command to generate a CSR file. Use the output
file name you used in step 1 above as the input file, and specify the output
file name you prefer:
- Submit the request to a Certificate Authority or
generate a self-signed certificate.
The procedure for submitting a CSR to a Certificate Authority (CA) varies with the service used. Usually, it is done through a website using a commercial service such as VeriSign. You can also use an in-house CA, which generates certificates used internally by your enterprise. You provide information including the contents of the CSR, and receive back one or more files containing the server certificate and possibly other certificates to be used in a chain. - Verify the contents of the server certificate.
It is important to verify that the new server certificate contains the data you supplied when creating the CSR. In particular, make sure the Common Name (CN) is the fully qualified host name of the ExtremeCloud IQ Site Engine server.
Use OpenSSL to view the contents of the server certificate file server.crt using the following command:openssl x509 -in server.crt -text -noout
You can use the following steps regardless of whether you are using a commercial certificate authority or an in-house certificate authority.