SSL Certificates

Menu path: Configuration > System Configuration > SSL Certificates.

The SSL Certificate pages manage the SSL certificates installed on A3 both for web (HTTP) and RADIUS communication. Initial self-signed certificates are generated during A3 installation, but good practice requires that certificates signed by a known, trusted certificate authority be requested and installed. Unique public and private keys are also generated at installation time.

Note

When advised to restart any A3 service, the administrative interface for each cluster member must be used individually to perform the operation. Perform the operation on each member one at a time, waiting for the service(s) to completely restart.

A3 includes facilities for requesting such certificates.

Two pages are used:

HTTP

The HTTP page displays the contents of the currently installed certificate. Initially, this should display identical values for the issuer and subject fields:

C=US, ST=CA, L=AnyTown, O=XYZ Networks, CN=127.0.0.1, emailAddress=support@XYZ.com

indicating a self-signed certificate for the localhost.

The generate signing request icon button opens a new dialog described in Generate Signing Request.

The edit icon button provides access to install and select certificates on the Edit Certificates page.

RADIUS

The RADIUS page displays the contents of the currently installed certificate. Initially, this should display identical values for the issuer and subject fields:

C=US, ST=CA, L=AnyTown, O=XYZ Networks, CN=127.0.0.1, emailAddress=support@XYZ.com

indicating a self-signed certificate for the localhost.

The generate signing request icon button opens a new dialog described in Generate Signing Request.

The edit icon button provides access to install and select certificates on the Edit Certificates page.

Edit Certificates

There are two sets of fields used to edit certificates: with and without Use Let's Encrypt enabled.

Let's Encrypt Enabled

Obtaining a certificate with Let's Encrypt is straightforward, but requires some network pre-configuration:

  1. The value of the common name (e.g. a3.company.com) must resolve to a publicly accessible address.
  2. The A3 server must be accessible at that hostname.
  3. The HTTP protocol (port 80) must be enabled to the A3 server via firewall rules.
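
The three conditions above can be checked before the test button is pushed. The following script is an added example, not part of A3 or its documentation; the function names are hypothetical, and it assumes getent (glibc) and curl are available on a host outside your network.

```shell
#!/bin/sh
# Added example (not A3 code): pre-checks for the three Let's Encrypt conditions.
# Run from a host OUTSIDE your network; an inside host may see split-horizon DNS
# or reach port 80 without crossing the firewall.

# 0 if the IPv4 address is outside the "this network", RFC 1918, loopback,
# link-local and carrier-grade NAT (100.64.0.0/10) ranges.
is_public_ipv4() {
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 1 ;;
        *[!0-9.]*|"") return 1 ;;   # contains something other than digits and dots
        *.*.*.*) return 0 ;;        # loose dotted-quad shape check
        *) return 1 ;;
    esac
}

# Checks conditions 1-3 for the common name given as $1.
le_preflight() {
    ip=$(getent ahostsv4 "$1" | awk 'NR==1 {print $1}')
    [ -n "$ip" ] || { echo "FAIL: $1 does not resolve"; return 1; }
    is_public_ipv4 "$ip" || { echo "FAIL: $1 resolves to non-public $ip"; return 1; }
    # Any HTTP answer counts; this shows port 80 is open, not that A3 is behind it.
    curl -s -o /dev/null --max-time 5 "http://$1/" ||
        { echo "FAIL: no HTTP answer from $1 on port 80"; return 1; }
    echo "OK: $1 -> $ip, port 80 answers"
}

# Usage: sh le_preflight.sh a3.company.com
if [ $# -gt 0 ]; then le_preflight "$1"; fi
```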

With Use Let's Encrypt enabled, the two fields available are:

| Field | Usage | Example |
|---|---|---|
| Common Name | The name of the server for which a certificate will be generated. | a3.company.com |
| test public access icon | When this button is pushed, the conditions discussed above are tested and, if the test succeeds, a certificate is issued and installed. | |

Let's Encrypt Disabled

| Field | Usage | Example |
|---|---|---|
| Certificate | The current certificate contents. The certificate can be replaced through cut and paste. | |
| choose cert icon | Select to choose a certificate file from your local computer's file system. | |
| Certification Authority Certificates | The current set of certificate authorities. The certificate can be replaced through cut and paste. Multiple concatenated certificates are supported. | |
| choose certificate authority icon | Select to choose the certificate authority file from your local computer's file system. Multiple concatenated certificates are supported. | |
| Private Key | The contents of your private key. The private key can be replaced through cut and paste. | |
| Choose Private Key | Select to choose the key file from your local computer's file system. | |
| Validate Certificate Chain | If enabled, the certificate chain of the installed certificate will be validated. | switch on |
| Find Intermediate CA Certificates Automatically | If enabled, the intermediate certificate authority certificates will be automatically identified. | service stopped icon |
| Intermediate CA certificate(s) | | |
| add certificate icon | Select to choose a certificate authority certificate from your local computer's file system to add to the list of intermediate CA certificates. | |
| choose intermediate certificate authority icon | Select to choose from the list of intermediate CA certificates. | |
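
Before a certificate, CA certificates and private key are pasted into the fields above, the same material can be checked on a workstation with openssl. This is an added example, not A3 code: the function names are hypothetical, and the root, intermediate and leaf it builds are constructed test material.

```shell
#!/bin/sh
# Added example (not A3 code): checks to run before installing certificate
# material. All certificates and keys below are constructed for the demo.

# 0 if issuer and subject are identical, as on the install-time certificate.
is_self_signed() {
    n=$(openssl x509 -in "$1" -noout -issuer -subject -nameopt RFC2253 2>/dev/null) || return 1
    i=$(printf '%s\n' "$n" | sed -n 's/^issuer= *//p')
    [ -n "$i" ] && [ "$i" = "$(printf '%s\n' "$n" | sed -n 's/^subject= *//p')" ]
}

# 0 if the private key ($2) belongs to the certificate ($1): same public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if leaf ($1) chains to the root bundle ($2) through the intermediates ($3);
# -no-CApath keeps the system certificate directory from completing the chain.
chain_validates() {
    openssl verify -no-CApath -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> leaf chain in directory $1.
build_demo_pki() {
    d=$1; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=a3.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && build_demo_pki "$d" || return 1
    is_self_signed "$d/root.pem" && echo "root: issuer = subject (self-signed)"
    key_matches_cert "$d/leaf.pem" "$d/leaf.key" && echo "leaf: key matches"
    key_matches_cert "$d/leaf.pem" "$d/int.key" || echo "leaf: wrong key rejected"
    chain_validates "$d/leaf.pem" "$d/root.pem" "$d/int.pem" && echo "chain: valid"
    rm -rf "$d"
}
demo
```

With real files, a leaf that fails chain_validates with your intended intermediate bundle is missing an intermediate CA certificate or lists the wrong one.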

Generate Signing Request

The generate CSR page is the same for HTTP and RADIUS certificates. Five fields are present to define the request:

| Field | Usage | Example |
|---|---|---|
| 2-letter country code | The two letter code for the country of the organization requesting the certificate. | US |
| State | The code for the state within the country. | CA |
| Locality | The city or other location of the organization. | AnyTown |
| Organization Name | The name of the organization. | XYZ Networks |
| Common Name | The hostname for the A3 server. | a3.example.com |

After filling in the fields, the generate certificate icon button will generate and display the CSR in ASCII format. This text should be copied to the computer's clipboard using the copy to clipboard icon button. That text should be used in conjunction with a certificate authority's web site to request the SSL certificate. That certificate will be returned by email or some other means and can be installed with the HTTP or RADIUS Edit Certificates functions.

Copyright © 2021 Extreme Networks. All rights reserved. Published April 2021.