*How to create website iProtect™ Certificate

How To Article | HTA-20220531-LG-03

iProtect Access / Security | How To Articles |

iProtect™ Certificate options

A certificate authority (CA) is an entity that signs digital certificates. Many websites need to let their customers know that the connection is secure, so they pay an internationally trusted CA (eg, VeriSign, DigiCert) to sign a certificate for their domain.

In some cases it may make more sense to act as your own CA.

iProtect™9.10.21 and latest ServicePack will make it possible to create and sign a server certificate towards an own intermediate/root certificate present on the server. The iProtect™ Root certificate must be installed on the client side to make a secure client-root certificate chain.

There are 3 certificate options in iProtect™:

  1. Create CSR certificate request

  2. Create certificate from own CA

  3. Create Self Signed certificate

Procedure 1:

Use the Serverbox to generate a CSR certificate request:

  • Select iProtect™ > Certificate > Configuration

  • Select ‘Create CSR certificate request’ from the option dropdown box.

  • Fill in the form with the information the external CA provides (usually the ICT-department).

  • Press the ‘Create’ button

  • Download the “CSR certificate request” via the Serverbox: iProtect™ > Certificate > Download

The CSR certificate request file has to be signed by the external CA, this will generate one or more certificate files.

Usually, the certificate file will contain a number of certificates:

  • The root CA certificate

  • Intermediate CA certificates

  • Certificate for the iProtect server

These certificates form the “chain of trust”. These certificates are packed into an archive which can be encoded in different formats: DER, base64 or P7B.

For iProtect all certificates should be packed into a .zip format, without subfolders. This zip file can be uploaded to the iProtect server via the Install certificate field. The iProtect will check the validity of the certificates and present an Activate button with which the use of this certificate is activated.

  • Select iProtect™ > Certificate > Configuration

  • Upload the .zip file by “Install certificate”

  • If the files are ok, an “Activate” button will be come available.

  • Click the “Activate” button

  • Be patient and wait for the red error message. This means Apache is restarted and the certificate is installed.

  • Reload (F5) your webpage to reread the certificate.

Procedure 2:

Use the Serverbox to generate an own-CA signed server certificate:

  • Select iProtect™ > Certificate > Configuration

  • Select ‘Create certificate from own CA’ from the option dropdown box.

  • Fill in the form.

    • For ‘Common Name’ be sure you choose the right domain-name or (virtual)IP address.

    • The Country code must be the two-letter country code.

    • The Subject Alternative Names (SAN) are mandatory for some browsers.

  • Press the ‘Create’ button

  • Be patient and wait for the red error message. This means Apache is restarted and the certificate is installed.

  • Reload (F5) your webpage to reread the certificate.

To make your server certificate valid and trusted, a certificate chain (Server, Intermediate and Root certificates) has to be present. Download the TKH-Security iProtect™ Root certificate and install it on the client-side PC:

  • Download the Root certificate via the Serverbox: iProtect™ > Certificate > Download

  • Press the ‘CA certificate’ button and download the tar-gzipped file.

  • Unpack this file (7zip, winrar etc.)

  • Install the ‘iprotect.root.cert.crt’ on your PC via your web browser. (Or click on the file so windows will open the right program)

  • Install it in the right store:

 

  • Restart your web browser to read in the certificate chain.

  • The connection to the iProtect™ server should now be secure (lock closed in web browser).

Procedure 3:

This is for legacy use only. Please use procedure 2 instead.