SSL Certificates

Menu path: Configuration > System Configuration > SSL Certificates.

The SSL Certificate pages manage the SSL certificates installed on A3 both for web (HTTP) and RADIUS communication. Initial self-signed certificates are generated during A3 installation, but good practice requires that certificates signed by a known, trusted certificate authority be requested and installed. Unique public and private keys are also generated at installation time.

Note

When advised to restart any A3 service, the administrative interface for each cluster member must be used individually to perform the operation. Perform the operation on each member one at a time, waiting for the service(s) to completely restart.

A3 includes facilities for requesting such certificates.

Two pages are used:

HTTP

The HTTP page displays the contents of the currently installed certificate. Initially, this should display identical values for the issuer and subject fields:

C=US, ST=CA, L=AnyTown, O=XYZ Networks, CN=127.0.0.1, emailAddress=support@XYZ.com

indicating a self-signed certificate for the localhost.

The button opens a new dialog described in Generate Signing Request.

The button provides access to install and select certificates on the Edit Certificates page.

RADIUS

The RADIUS page displays the contents of the currently installed certificate. Initially, this should display identical values for the issuer and subject fields:

C=US, ST=CA, L=AnyTown, O=XYZ Networks, CN=127.0.0.1, emailAddress=support@XYZ.com

indicating a self-signed certificate for the localhost.

The button opens a new dialog described in Generate Signing Request.

The button provides access to install and select certificates on the Edit Certificates page.

Edit Certificates

There are two sets of fields used to edit certificates: with and without Use Let's Encrypt enabled.

Let's Encrypt Enabled

Obtaining a certificate with Let's Encrypt is straightforward, but requires some network pre-configuration:

  1. The value of the common name (e.g. a3.company.com) must resolve to a publicly accessible address.
  2. The A3 server must be accessible at that hostname.
  3. The HTTP protocol (port 80) must be enabled to the A3 server via firewall rules.
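The three conditions above can be checked before requesting the certificate. The script below is an added example, not part of A3 and not necessarily the test A3 itself performs; the function names and the injectable resolver and connector parameters are assumptions made for illustration. Run it from a host outside your network, because an internal resolver or an internal firewall path can give a different answer than the Internet sees.

```python
import ipaddress
import socket
import sys


def resolve(hostname):
    """Addresses the system resolver returns for hostname (raises OSError on failure)."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    # Strip any IPv6 zone id ("fe80::1%eth0") so ipaddress can parse the value.
    return sorted({info[4][0].split("%")[0] for info in infos})


def port_open(address, port, timeout=5.0):
    """True if a TCP connection to address:port completes within timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(common_name, resolver=resolve, connector=port_open):
    """Return a list of problems; an empty list means all three conditions hold."""
    try:
        addresses = resolver(common_name)
    except OSError as exc:
        return [f"{common_name} does not resolve: {exc}"]
    if not addresses:
        return [f"{common_name} does not resolve: no addresses returned"]
    problems = []
    for addr in addresses:
        # Condition 1: private, loopback, link-local and reserved ranges fail here.
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"{addr}: not publicly routable")
        # Conditions 2 and 3: the server answers on HTTP port 80 at that address.
        elif not connector(addr, 80):
            problems.append(f"{addr}: TCP port 80 is not reachable")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 2:
        found = preflight(sys.argv[1])
        for line in found:
            print("FAIL", line)
        sys.exit(1 if found else 0)
    print("usage: preflight.py <common-name>")
```

An open port 80 only shows that something answers at that address; confirm separately that it is the A3 server and not another device behind the same public address.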

With Use Let's Encrypt enabled, the two fields available are:

| Field | Usage | Example |
| --- | --- | --- |
| Common Name | The name of the server for which a certificate will be generated. | a3.company.com |
| | When this button is pushed, the conditions discussed above are tested and, if the test succeeds, a certificate is issued and installed. | |

Let's Encrypt Disabled

| Field | Usage | Example |
| --- | --- | --- |
| Certificate | The current certificate contents. The certificate may be replaced through cut and paste. | |
| | Click to choose a certificate file from your local computer's file system. | |
| Certification Authority Certificates | The current set of certificate authorities. The certificate may be replaced through cut and paste. Multiple concatenated certificates are supported. | |
| | Click to choose the certificate authority file from your local computer's file system. Multiple concatenated certificates are supported. | |
| Private Key | The contents of your private key. The private key may be replaced through cut and paste. | |
| Choose Private Key | Select to choose the key file from your local computer's file system. | |
| Validate Certificate Chain | If enabled, the certificate chain of the installed certificate will be validated. | |
| Find Intermediate CA Certificates Automatically | If enabled, the intermediate certificate authority certificates will be automatically identified. | |
| Intermediate CA certificate(s) | | |
| | Select to choose a certificate authority certificate from your local computer's file system to add to the list of intermediate CA certificates. | |
| | Select to choose from the list of intermediate CA certificates. | |

Generate Signing Request

The generate CSR page is the same for HTTP and RADIUS certificates. Five fields are present to define the request:

| Field | Usage | Example |
| --- | --- | --- |
| 2-letter country code | The two letter code for the country of the organization requesting the certificate. | US |
| State | The code for the state within the country. | CA |
| Locality | The city or other location of the organization. | AnyTown |
| Organization Name | The name of the organization. | XYZ Networks |
| Common Name | The hostname for the A3 server. | a3.example.com |

After filling in the fields, the button will generate and display the CSR in ASCII format. This text should be copied to the computer's clipboard using the button. That text should be used in conjunction with a certificate authority's web site to request the SSL certificate. That certificate will be returned by email or some other means and may be installed with the HTTP or RADIUS Edit Certificates functions.

Copyright © 2020 Extreme Networks. All rights reserved. Published December 2020.