For secure, trusted access you must install an SSL server certificate on the Access Gateway server. The uploaded certificate file must have the following characteristics:
- The server certificate must be issued by a Certification Authority (CA) that is trusted by end users. For best results, use a commercial CA such as VeriSign, Thawte or GeoTrust.
- The certificate must be in Privacy Enhanced Mail (PEM) format, a text-based format that is a Base64 encoding of the binary Distinguished Encoding Rules (DER) format.
- The certificate file must include a private key and the private key must not be encrypted. There should be no password required to use the PEM file.
- Any necessary intermediate certificates must also be appended to the end of the PEM file.
If you have requested and installed a certificate on a Windows server using the Internet Information Services (IIS) certificate wizard, you can export that certificate with its private key to a Personal Information Exchange (PFX) file. To import this certificate onto the Access Gateway, you must convert the PFX file to the unencrypted PEM format.
You can use the open-source utility OpenSSL to perform the conversion from PFX to PEM. You can download a Win32 distribution of OpenSSL here:
To run OpenSSL you might also need the C++ redistributable files, which can be obtained at the following URL: http://www.microsoft.com/downloads/details.aspx?FamilyID=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en
To convert a PFX file to a PEM file, follow these steps on a Windows machine:
- Create a folder c:\certs and copy the file yourcert.pfx into the c:\certs folder.
- Open a command prompt and change into the OpenSSL\bin directory:
- Type the following command to convert the PFX file to an unencrypted PEM file (all on one line):
openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes
- When prompted for the import password, enter the password you used when exporting the certificate to a PFX file. You should receive a message that says MAC verified OK.
- Point a browser to the Access Gateway administration portal on HTTPS port 9001: https://access-gateway-server:9001.
- Log on as root. The default password is rootadmin.
- Click the Maintenance link at the top of the page.
- Click the Browse button next to the Upload Private Key + Certificate (.pem) field. Browse to the c:\certs\cag.pem file and click Upload.
- Restart the Access Gateway for the new SSL certificate to be applied.
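Before the upload step above, the converted file can be checked offline against the characteristics listed at the top of this article. The script below is an added example, not part of the original article or of any Citrix or OpenSSL tooling: it confirms that the PEM file holds exactly one unencrypted private key and at least one certificate, and reports the certificate count so you can confirm that the intermediates are present. The function names and the sample data are constructed for illustration.

```python
import base64
import re
import sys

# One PEM block: BEGIN/END labels must match; body may carry RFC 1421 headers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def check_gateway_pem(text):
    """Return (problems, certificate_count) for a combined key + cert PEM file."""
    problems, certs, keys = [], 0, 0
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # e.g. "Proc-Type: 4,ENCRYPTED"
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(payload, validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid Base64")
            continue
        if not der.startswith(b"\x30"):               # keys and certs are DER SEQUENCEs
            problems.append(f"{label}: payload does not look like DER")
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                problems.append("private key is encrypted; export it with -nodes")
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    if certs == 0:
        problems.append("no certificate found")
    return problems, certs

def make_block(label, headers=""):
    """Build a constructed PEM block around a dummy 5-byte DER SEQUENCE."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed sample: key, server certificate, one intermediate. Not real key material.
# The "Bag Attributes" text that openssl pkcs12 writes between blocks is ignored.
SAMPLE = ("Bag Attributes\n" + make_block("PRIVATE KEY")
          + make_block("CERTIFICATE") + make_block("CERTIFICATE"))

if __name__ == "__main__":
    # Pass the path to cag.pem as the first argument; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found, count = check_gateway_pem(text)
    print(f"{count} certificate(s);", "OK" if not found else "; ".join(found))
```

The check is structural only: it does not verify that the key matches the certificate or that the chain leads to a trusted CA.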