Introduction
Zentera zCenter and ZNS are appliances that deliver secure services via web technology. This Application Note describes how to deploy a new SSL key and certificate onto Zentera appliances. A private key and a server certificate signed by a public Certificate Authority (CA) are used to secure access to the appliances over HTTPS/TLS.
Document Scope
This document describes how to use the Zentera-provided Command Line Interface (zCLI) to deploy the key and certificate. It also provides guidelines on how to acquire or request a certificate from a public CA or an internal department.
Requirements
The key and certificate are deployed via zCLI, the Command Line Interface.
The requirements for the deployment are:
- Ability to connect to the Zentera appliance using SSH, a KVM connection, or a physically connected console (hardware appliance only)
- Network connection from the Zentera appliance to the location where the key and certificate are stored, via port 22 for scp or general HTTP/HTTPS
- Key and certificate in PEM format that meet the enterprise's security standards
Guideline to Generate Key and Acquire Certificate
There are many ways of generating a key and acquiring a certificate to be used on a given server for server authentication. Many organizations have their own procedures and requirements. Below is a guideline for generating a key and certificate pair for a service named cloud.zentera.net, used here as an example.
1. Determine the service name, using cloud.zentera.net as an example
In this case, the zCenter admin will use https://cloud.zentera.net/zcenter to access the portal.
2. Generate a private key
Use the openssl command on a Linux host to create a key without a pass phrase:
$ openssl genrsa -out new.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
........................................................................................+++
e is 65537 (0x10001)
$
To create a key with a pass phrase:
$ openssl genrsa -des3 -out new_p.key 2048
...
Enter pass phrase for new_p.key:********
Verifying - Enter pass phrase for new_p.key:********
$
3. Create a Certificate Signing Request (CSR)
$ openssl req -new -key new.key -out new.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Jose
Organization Name (eg, company) [Default Company Ltd]:Zentera Systems Inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cloud.zentera.net
Email Address []:alexjen@zentera.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*********
An optional company name []:*********
$
To avoid creating a challenge password, simply enter a period ".". When the CSR is opened in a plain text editor, its content has a "BEGIN CERTIFICATE REQUEST" line at the top and an "END CERTIFICATE REQUEST" line at the bottom, with the base64-encoded request in between.
If the key was created with a pass phrase, the command will ask for it at the beginning of the process.
4. Request a certificate in the CRT format from a public CA
Follow the procedure outlined by a public CA to submit the CSR generated in the previous step to request a server certificate in the CRT format.
For Microsoft CAs, follow their steps for each certificate request. At the step for submitting a certificate request by using a base-64-encoded CMC or PKCS #10 file, open the CSR in a plain text editor and copy/paste the whole content, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
To create a self-signed certificate for your own testing instead of going through a public CA, run the following:
$ openssl req -key new.key -new -days 365 -nodes -x509 -out new.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:San Jose
Organization Name (eg, company) [Default Company Ltd]:Zentera Systems Inc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:cloud.zentera.net
Email Address []:alexjen@zentera.net
$
If the key was created with a pass phrase, the command will ask for it at the beginning of the process.
Depending on the type of certificate that you'd like to acquire, it may take less than an hour or more than a week for a CA to issue a certificate. The CA's web site or an email from the CA will provide instructions on how to get the server certificate and, possibly, the intermediate CA certs in the chain.
5. Process a certificate with intermediate CA certs
If there are no intermediate CAs, the downloaded server certificate in the CRT format is the one to deploy. Otherwise, make a backup copy of the server cert and append the intermediate CA cert(s) after it, so that the file looks like the following:
-----BEGIN CERTIFICATE-----
MIIFdTCCBF2gAwIBAgIQcyDFFIVoTQx3aDvtM0XGnzANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...
UgHkjpZvPuh0Fhvf3LhOxmdWlRQBuxaQNcB326Aq5FrTo+0jbyqVqPBSLdmxNtcw
JgPpcF7d1ZMs
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
In the above example, the first BEGIN CERTIFICATE / END CERTIFICATE chunk is the server cert and the second chunk is the intermediate CA cert. If yet another non-root CA exists in the chain to certify the first intermediate CA, add its cert as the third chunk. The root CA cert can be appended at the end.
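As an added example (not from the Zentera document or product), the script below runs the key, CSR and chain-bundle steps of this guideline against throwaway test CAs that it creates itself, and then checks the bundle order described in step 5 and that the server cert verifies through the bundle. It assumes an openssl 1.1.1 or later binary in PATH; the CA names, the work directory and the SAN extension file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Zentera document or product: reproduces the
# key/CSR/chain steps of the guideline with throwaway CAs constructed here
# (not real ones) and checks the bundle order from step 5. Needs openssl 1.1.1+.
set -e
W=$(mktemp -d)

# Throwaway root CA and intermediate CA for the demo.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
  -keyout "$W/root.key" -out "$W/root.crt" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$W/ca.ext"
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout "$W/int.key" -out "$W/int.csr" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -CAcreateserial -days 365 -extfile "$W/ca.ext" -out "$W/int.crt" 2>/dev/null

# Server key and CSR for cloud.zentera.net (steps 2 and 3 of the guideline).
# A SAN is added because browsers match the hostname against the SAN, not the CN.
openssl genrsa -out "$W/new.key" 2048 2>/dev/null
openssl req -new -key "$W/new.key" -out "$W/new.csr" \
  -subj "/C=US/ST=CA/L=San Jose/O=Zentera Systems Inc/OU=IT/CN=cloud.zentera.net"
printf 'subjectAltName=DNS:cloud.zentera.net\n' >"$W/srv.ext"
openssl x509 -req -in "$W/new.csr" -CA "$W/int.crt" -CAkey "$W/int.key" \
  -CAcreateserial -days 365 -extfile "$W/srv.ext" -out "$W/new.crt" 2>/dev/null

# Step 5: server cert first, then the intermediate CA cert appended after it.
cat "$W/new.crt" "$W/int.crt" >"$W/bundle.crt"
cat "$W/int.crt" "$W/new.crt" >"$W/reversed.crt"   # the common mistake, for the check

# Prints "ok" if each cert's issuer is the subject of the cert that follows it
# (leaf first, as the appliance expects), otherwise "bad".
check_chain_order() {
  rm -f "$W"/part*.pem
  awk -v d="$W" '/BEGIN CERT/{n++} {print > (d "/part" n ".pem")}' "$1"
  want=""
  for f in "$W"/part*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    [ -n "$want" ] && [ "$want" != "$subj" ] && { echo bad; return 0; }
    want=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
  done
  echo ok
}

# Prints "ok" if the server cert chains up to the demo root through the bundle
# and carries the expected hostname, otherwise "bad".
verify_bundle() {
  openssl verify -CAfile "$W/root.crt" -untrusted "$1" \
    -verify_hostname cloud.zentera.net "$W/new.crt" >/dev/null 2>&1 && echo ok || echo bad
}
```

Running check_chain_order against a real bundle before the zCLI upload catches a reversed or incomplete chain, which the appliance would otherwise only reveal as a browser trust warning after the service restart.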
Procedure for Deploying Key and Certificate
Zentera's zCLI allows administrators to upload and update the certificate and/or key whenever needed. This usually happens when the certificate has expired or is about to expire. Below are the steps to deploy a key and certificate, assuming both are located on a server at 10.10.88.110.
1. Connect to the Zentera appliance that requires the new key and certificate
$ ssh ztu@hostname
Password:*********
zCLI@hostname> enable
Password:*********
zCLI@hostname# service
zCLI@hostname(service)# controller   # NOTE - use "controller" on zCenter appliance
                                     #      - use "zns" on ZNS appliance
zCLI@hostname(service-zgw)#
NOTE - The example in this document refers to "service-zgw" in the shell prompt for the zCenter ("controller") case. In case of ZNS appliance, the prompt will instead show "service-msg", but will otherwise behave the same way for certificate management steps.
2. Download and deploy the key and certificate
zCLI@hostname(service-zgw)# certificate download key \
    alex@10.10.88.110:~/cert/new.key
alex@10.10.88.110's password:*********
new.key                                       100% 1679     1.6KB/s   00:00
zCLI@hostname(service-zgw)# certificate download certificate \
    alex@10.10.88.110:~/cert/new.crt
alex@10.10.88.110's password:*********
new.crt                                       100% 1338     1.3KB/s   00:00
zCLI@hostname(service-zgw)# certificate deploy
Deployment is done! New certificate will take effect at next service restart.
zCLI@hostname(service-zgw)#
If a pass phrase was set when the key was generated, the deployment step will ask for it:
zCLI@hostname(service-zgw)# certificate deploy
This server key is password protected. Please enter the passphrase:*********
Deployment is done! New certificate will take effect at next service restart.
zCLI@hostname(service-zgw)#
3. Restart the service to have the new certificate take effect
zCLI@hostname(service-zgw)# service restart
Are you sure you want to restart the services?(yes/no) yes
Force-Stopping Tomcat
Using CATALINA_BASE:   /zentera/www
Using CATALINA_HOME:   /zentera/bin/apache-tomcat
Using CATALINA_TMPDIR: /zentera/www/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /zentera/bin/apache-tomcat/bin/bootstrap.jar
Using CATALINA_PID:    /zentera/www/catalina.pid
Killing Tomcat with the PID: 2140
Stopping zns ... Ok
Starting Tomcat
Using CATALINA_BASE:   /zentera/www
Using CATALINA_HOME:   /zentera/bin/apache-tomcat
Using CATALINA_TMPDIR: /zentera/www/temp
Using JRE_HOME:        /usr
Using CLASSPATH:       /zentera/bin/apache-tomcat/bin/bootstrap.jar
Using CATALINA_PID:    /zentera/www/catalina.pid
Starting zns ... Ok
zCLI@hostname(service-zgw)#
4. Log in through the browser and confirm that the new certificate is presented
Troubleshooting
1. To restore the old key and certificate, follow the steps below.
zCLI@hostname(service-zgw)# certificate restore
Are you sure you want to restore the certificate?(yes/no) yes
zCLI@hostname(service-zgw)#
To have the restored key and certificate take effect, restart the service:
zCLI@hostname(service-zgw)# service restart
Are you sure you want to restart the services?(yes/no) yes
...
zCLI@hostname(service-zgw)#