Signing the Certificate Using a CA

Use the Certificate Signing tab to generate a signing request for the current certificate used by the appliance.

After the CA signs the request, use this tab to import the CA root certificate and the signed certificate.

You must first complete the LogLogic Signed Certificate tab. This procedure uses information from that tab, as well as the appliance private key it activates.

If your organization's PKI policies dictate the use of one or more intermediate certificate authorities, an additional step is required to ensure that LogLogic LMI can properly verify the entire certificate trust chain.

The simplest configuration involves the LogLogic LMI certificate and a root certificate. In such a scenario, the root certificate is not just the root CA, but also the signing CA. This distinction is important when determining the sequence in which to paste the certificates.

  • When using multiple CA certificates, consider the Root Certificate text box as a field that is used for the Issuing Certificate, and then all other CA certificates will be added in the same box (see step 5b).
  • In situations involving a single CA certificate that serves as both the root and issuing CA, the intermediate CA is the signing CA and the root is still the root CA (see step 5a). There can be any number of intermediate CAs. The exact situation depends on your organization's policies.
    Note: Some certificate authority software does not provide all the necessary files when returning your signed certificate, and some does not require any intermediate certificates. However, LogLogic LMI does require them if they are used in the certificate signing process. Therefore, if you do not know how many CA certificates to expect when your signed host certificate is returned to you, verify with your organization's PKI administrators whether your organization uses multiple CA certificates. There is no limit to the number of intermediate certificates that LogLogic LMI can use.
    Note: By default, the GUI generates CSRs with keys that are 2048 bits in size.

Procedure

  1. Click Administration > SSL Certificate > Certificate Signing.
  2. Click Generate.

    A certificate signing request (CSR) from LogLogic is generated based on the information in the LogLogic Signed Certificate tab. The certreq.csr dialog appears.

  3. Open the .csr file.
  4. Copy the text from the .csr file to the website of your trusted CA. The CA returns a root and reply certificate.
    Note: Generating a root and reply certificate from the CA might take time.
  5. Perform any one of the following:
    a. If your organization uses a single CA certificate that serves as both the root and issuing CA, paste the text from the root certificate of the CA into the Root Certificate text box. Then proceed to step 6.
    b. If your organization uses multiple CA certificates, perform the following steps:
    • Paste in the certificate, provided by your PKI system, that was used to sign the LogLogic LMI appliance's certificate.
    • Paste in the contents of each CA certificate in reverse order of the certificate chain, so that the top root CA certificate is pasted as the last certificate.
      Warning: If the order is random, backwards, or incorrect in some way, the certificates will not work correctly after the LogLogic LMI web server is restarted.

      For example, if you have certificates with Common Names (CN= values) of toprootCA, interCA, signingCA, and myLMI, in that sequence within the trust chain, they must be pasted into the Root Certificate text box in the following bottom-up order:

      1. signingCA.cer
      2. interCA.cer
      3. toprootCA.cer

      The myLMI certificate will be pasted into the separate Reply Certificate text box during step 6.

      If you are unsure of the order of the CA certificates in the chain, contact your organization's PKI administrator, or follow the certificate chain by looking at the Issued By and Issued To fields for each certificate. The first certificate pasted into the Root Certificate text box must be the one that signed the LogLogic LMI appliance's certificate. The last certificate that is pasted in the Root Certificate text box must be the top-level root CA certificate.

      Warning:
      • Do not separate the certificate contents with blank lines.
      • Make sure that the contents of each certificate start on a new line.
  6. Paste the text from the root certificate of the CA into the Root Certificate text box.
  7. Paste the text from the CA-generated certificate into the Reply Certificate text box.
  8. Click Import to import the certificate.

Result

Tomcat automatically restarts to apply the changes.
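
The ordering rule in step 5b can be checked before pasting. The following Python sketch is an added example, not part of the product or its documentation: it walks the Issued By and Issued To values from the signing CA up to the root and builds the text for the Root Certificate box with no blank lines. The function names are hypothetical, the Issued To and Issued By values are assumed to be copied by hand from each certificate, and the PEM bodies are constructed placeholders.

```python
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def normalize_pem(text):
    """Return one PEM block with blank lines and stray whitespace removed."""
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    lines = (ln.strip() for ln in match.group(0).splitlines())
    return "\n".join(ln for ln in lines if ln)

def order_bottom_up(leaf_issued_by, ca_certs):
    """Walk Issued By links from the signing CA up to the self-signed root."""
    by_subject = {c["issued_to"]: c for c in ca_certs}
    if len(by_subject) != len(ca_certs):
        raise ValueError("two CA certificates share one Issued To value")
    chain, wanted = [], leaf_issued_by
    while True:
        cert = by_subject.pop(wanted, None)
        if cert is None:  # gap in the chain, or a loop back to a used cert
            raise ValueError(f"no CA certificate issued to {wanted!r}")
        chain.append(cert)
        if cert["issued_by"] == cert["issued_to"]:  # self-signed: top root
            break
        wanted = cert["issued_by"]
    if by_subject:
        raise ValueError(f"not part of the chain: {sorted(by_subject)}")
    return chain

def root_box_text(leaf_issued_by, ca_certs):
    """Concatenate the ordered chain: each block on a new line, no blank lines."""
    chain = order_bottom_up(leaf_issued_by, ca_certs)
    return "\n".join(normalize_pem(c["pem"]) for c in chain) + "\n"

def fake_pem(name):
    # Constructed placeholder body, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n\nPLACEHOLDER{name}\n-----END CERTIFICATE-----\n\n"

# Constructed sample in arbitrary order, using the CN values from the example.
SAMPLE = [
    {"issued_to": "toprootCA", "issued_by": "toprootCA", "pem": fake_pem("toprootCA")},
    {"issued_to": "signingCA", "issued_by": "interCA", "pem": fake_pem("signingCA")},
    {"issued_to": "interCA", "issued_by": "toprootCA", "pem": fake_pem("interCA")},
]

if __name__ == "__main__":
    # myLMI was issued by signingCA, so the walk starts there.
    print(root_box_text("signingCA", SAMPLE), end="")
```

A missing intermediate or an unrelated CA certificate raises ValueError instead of producing a bundle in the wrong order.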