KB Article #162427

SSL/TLS certificates creation and import in Axway Email Security products

Table of contents:

1. FAQ

2. Creating a Certificate Signing Request using IIS 6.0

3. Processing a pending CSR using IIS 6.0

4. Exporting a PKCS#12 formatted certificate using IIS 6.0

5. Installing OpenSSL on Windows

6. Creating a self-signed certificate using OpenSSL

7. Importing/Renewing a TLS certificate in Email Firewall

8. Importing/Renewing a SSL certificate in EMF Secure Messenger (ver. 6.4 and 6.5)

9. Importing/Renewing a SSL certificate in Email Firewall for accessing the Admin UI over HTTPS

10. Importing/Renewing a SSL certificate in Email Firewall Reverse Proxy

11. Importing/Renewing a SSL/TLS certificate in MailGate
12. CSR creation, signing with a local CA, importing the signed certificate and exporting .pfx using IIS 7

 

 

Resolution

1. FAQ

 

   1.1. SSL/TLS certificates

 

   SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols that provide data encryption and authentication between applications whose traffic crosses an insecure network, for example when relaying email or in browser-to-server connections. The terms SSL and TLS are often used interchangeably or together (SSL/TLS), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, which is therefore sometimes referred to as SSL 3.1.

 

While SSL and TLS differ in ways that make them not interoperable with each other, they are generally considered equal in terms of security. The main difference is that, while SSL connections begin with security and proceed directly to secured communications, TLS connections first begin with an insecure “hello” to the server and only switch to secured communications after the handshake between the client and the server succeeds. If the TLS handshake fails for any reason, the connection is never established.

 

Both SSL and TLS ensure that data is encrypted as it is transmitted across the network and also assure the identity of the remote server. This is possible because servers that support SSL and TLS must have certificates issued to them. A TLS server certificate and an SSL server certificate are identical, except that the TLS certificate is used over the SMTP protocol, whereas the SSL one is for the HTTP(S) protocol. The steps to generate a TLS and/or SSL certificate are also identical.

 

One and the same certificate can be used for both SSL and TLS, provided that it is used on the same server or set of servers that have a matching Fully-Qualified Domain Name (FQDN) in the DNS server.

 

An SSL/TLS certificate can be either CA-signed or self-signed. Generally, CA-signed certificates are preferred, but they need to be purchased separately from a third-party Certificate Authority (CA).

 

An SSL/TLS certificate can be issued per hostname (e.g. for server.domain.com) or it can be a wildcard certificate (e.g. *.domain.com). Although supported, wildcard certificates are not suitable for TLS, as many servers do not yet support wildcards and hostname verification may fail.

 

   1.2. Certificate bit length

 

The bit length of the encryption key determines the certificate's strength. The greater the bit length, the stronger the security. However, greater bit length may decrease performance and require additional system resources.

 

   1.3. What software is needed to create and manage a certificate

 

Several methods exist to generate an SSL/TLS certificate. The most common tools are IIS (Windows) and OpenSSL (Windows, UNIX).

 

This article outlines the process of creating a CA-signed certificate using IIS 6.0 and of creating a self-signed certificate using OpenSSL.

 


2. Creating a Certificate Signing Request (CSR) using IIS 6.0

   2.1. Press Windows key + R for the Run command and type in inetmgr

   2.2. Navigate to Default Web Site, right-click on it and select Properties

   2.3. Go to Directory Security > Server Certificate

   2.4. This will start the Web Server Certificate Wizard. The status should say that the server does not have a certificate. If there is a current certificate, click Next and remove it, as this article focuses on generating a new Certificate Signing Request through IIS. Click Next to proceed

   2.5. Select the Create a new certificate option, then click Next

   2.6. Click Next

   Important: The request must remain pending so that you can complete the process in IIS. Do not create new certificates for the site in use until the request is completed.

   2.7. Type the FQDN as the certificate name and click Next

   2.8. Fill in the details and click Next

   2.9. Fill in the common name with the server's current (or probable future) FQDN and click Next

   Important: The Common Name (CN) must match the FQDN of the server that will be presented to end users when they access the page. Any typo here will cause the browsers of end users who access the server to show a certificate warning.

   2.10. Fill in the details and click Next

   2.11. Specify the location of the CSR file, which is to be sent to the CA, and click Next

   2.12. Make sure the CSR information is accurate and proceed until the wizard finishes

   2.13. The CSR is now complete and the generated file can be sent to the Certificate Authority (Verisign, Thawte, etc.). They will sign this file with their CA certificate and return it so that it is ready for import back into IIS.

 

 

3. Processing a pending CSR using IIS 6.0

Once the CA has processed the CSR, the signed certificate it sends back (most commonly a text file) has to be imported into the same server on which the CSR was originally generated.

   3.1. Press Windows key + R for the Run command and type in inetmgr

   3.2. Navigate to Default Web Site, right-click on it and select Properties

   3.3. Go to Directory Security > Server Certificate

   3.4. This will start the Web Server Certificate Wizard. If you have successfully finished the CSR, the status will read Pending certificate request. Click Next to proceed

   3.5. Select the Process the pending request and install the certificate option and then click Next

   3.6. Browse for the file received from the CA and then click Next

   3.7. Specify a secure port. Once ready, click Next

   Important: Email Firewall users should *not* specify port 443, as this will conflict with Secure Messenger, if installed on the same server (it usually uses port 443).

   3.8. Review all details for the new server's SSL/TLS certificate and click Next

   3.9. You can verify that all is correct if the completion window shows that the certificate is now installed. Then click Finish

Now the certificate can be exported into P12/PFX format for use as a TLS/SSL certificate with the Email Firewall, Secure Messenger and MailGate products.

 

4. Exporting a PKCS#12 formatted certificate using IIS 6.0

Prerequisite(s): The CA-signed certificate is available in IIS.

   4.1. Press Windows key + R for the Run command and type in inetmgr

   4.2. Navigate to Default Web Site, right-click on it and select Properties

   4.3. Go to Directory Security > View Certificate

   4.4. This will display the certificate properties. If the previous two sections were followed correctly, the status should show an installed certificate. Select the Details tab and click Copy to File to proceed

   4.5. This will start the Certificate Export Wizard. Click Next to proceed

   4.6. Select the Yes, export the private key option, then click Next

   4.7. Select the Personal Information Exchange - PKCS#12 (.pfx) radio button and enable Include all certificates in the certification path, if possible. Leave the other two options unchecked and click Next

   Important: If the server (e.g. MailGate) requires the server certificate to be imported separately, you must uncheck the 'Include all certificates in the certification path, if possible' checkbox.

   4.8. Provide a strong password (at least 6 characters) and make a note of it. In addition, it is helpful to use one that is common internally, as this eases future use of the certificate. Then click Next

   4.9. Choose a location to save the newly exported certificate and click Next

   4.10. The final step should show the details of the exported certificate. Click Finish to complete the wizard.

The .pfx file is now ready for import into the server(s) that need this SSL/TLS certificate.

 

 

5. Installing OpenSSL on Windows

 

   5.1. Download OpenSSL for Windows - http://gnuwin32.sourceforge.net/packages/openssl.htm
   5.2. Run the installer and accept all defaults. Let's assume the installation path is C:\openssl
   5.3. Add C:\openssl\bin to the OS's system path (Start > Control panel > System > Advanced > Environment variables > System variables)
   5.4. Create a working directory, for example C:\ssl
   5.5. Download the openssl.conf file found in the right pane (attached to this article) and place it into the working directory as openssl.cnf, the name the commands in section 6 use
   5.6. Create the directories below, as required by OpenSSL

   C:\ssl\keys
   C:\ssl\requests
   C:\ssl\certs

   5.7. Create the file database.txt - an empty (zero-byte) text file
   5.8. Create the serial number file serial.txt. This is a plain ASCII file containing only the string "01" on the first line, followed by a new line. Then save the file.

 

 

6. Creating a self-signed certificate using OpenSSL

   6.1. First, let's create a 1024-bit private key (this key strength should do for this type of certificate) to use when creating your CA. Run the following command and follow the prompts:

 

   C:\ssl>openssl genrsa -des3 -out keys/ca.key 1024

 

This will create a file called C:\ssl\keys\ca.key, containing your Certificate Authority's private key.

 

  6.2. Next, create a master certificate based on this key to use when signing other certificates. Run the following command and follow the prompts:


   C:\ssl>openssl req -config openssl.cnf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer

 

This will create your CA certificate and store it as C:\ssl\certs\ca.cer.

 

  6.3. Finally, export your CA certificate in PKCS #12 format:

 

   C:\ssl>openssl pkcs12 -export -in certs/ca.cer -inkey keys/ca.key -out certs/ca.p12

 

This will create C:\ssl\certs\ca.p12.

 

 

7. Importing/Renewing a TLS certificate in Email Firewall

 

A TLS server key/certificate pair must be imported into the EMF store for use with TLS.  This import is performed using the EMF PrivateKeyWizard utility:


   7.1. Open Start > Programs > Tumbleweed Email Firewall > PrivateKeyWizard
   7.2. Select option 3 (Import private keys from a PKCS #12 formatted file)
   7.3. Click Next
   7.4. Fill in the database name (e.g., EMFMail) and database server name
   7.5. Fill in a SQL admin account (you can simply use your EMF Web Admin superadmin account)
   7.6. Click Next
   7.7. Browse to the PFX file
   7.8. Click Next
   7.9. Check Trust Root Keys and TLS options
   7.10. Click Next
   7.11. Enter the PFX file protection password
   7.12. Enter the EMF private key encryption password (created at EMF installation time)
   7.13. Click Finish.


The new key and certificate should be displayed in EMF Web Admin > Set Up > Security > Secure Domains & Local Certificates > Local Certificates.  Any trusted root certificates imported from the PFX file should appear in the Trusted Root Keys section.


If you do not remember the EMF private key encryption password, download and run the RetrievePassword.exe utility from a Windows command prompt on an EMF box running the EMF policy engine to see what the password is. DO NOT change the current password as this will affect all certificates previously imported in the store.

 


8. Importing/Renewing a SSL certificate in EMF Secure Messenger (ver. 6.4 and 6.5)

 

In Secure Messenger 6.4 and later, a Certificate Updater tool was introduced which enables updating the SSL certificate without re-installing the SM service.


The Secure Messenger Certificate Updater tool is available as a Windows executable, and you can find a shortcut for it in Windows Start menu. The tool is also available under the Secure Messenger’s installation directory on machines where the Secure Messenger service is installed.


In a distributed install environment, the Secure Messenger Certificate Updater tool is available only on nodes where the Secure Messenger service is installed. As the database-only machine does not run the Secure Messenger front-end, the tool is not needed there. You can import an SSL certificate or create a temporary self-signed SSL certificate.

To import an SSL certificate, follow these steps:
   A. Select Import SSL Certificate
   B. Press the Browse button, select the certificate file, and enter the key password for it
   C. Click Update.


The tool will stop the Secure Messenger Windows service, update the necessary information, and ask if it should start the service again.

NOTE:   Update all nodes before starting the service when your system is in a replicated environment.


To create a temporary self-signed SSL certificate, follow these steps:
   A. Select Create temporary self-signed SSL certificate
   B. Click Update.

 

Before updating any files, the Certificate Updater creates a backup directory in the main Messenger directory and places in it the originals of the files that are going to be changed. These files are msgrkeystore and web-listener-config.xml. If an error occurs, or if you want to restore the previous certificate, you can restore the files to the appropriate directories by using copy and paste.

 

The directories are:

 

• msgrkeystore: Messenger\JBoss\server\default\conf\
• web-listener-config.xml: Messenger\JBoss\server\default\deploy\jbossweb-jetty.sar\

 

After restoring the files, be sure to restart the Secure Messenger service.

 


9. Importing/Renewing a SSL certificate in Email Firewall for accessing the Admin UI over HTTPS

 

- Go to “Computer Management”
- Go to “Internet Information Services”
- Go to “Default Web Site” (Or to your EMF Admin website, if you are using a non-standard one)
- Go to “Directory Security” Tab
- Go to "Server Certificate" under “Secure Communication”
- Follow the wizard:
   a. Next
   b. Import a certificate from a pfx file
   c. Browse to your certificate [Optionally mark the certificate as exportable]
   d. Choose a strong password
   e. Choose the port on which the EMF Admin website (emfadmin) will listen. Important: If you have Secure Messenger installed, make sure to use a port other than 443!
   f. Click Finish.

 

10. Importing/Renewing a SSL certificate in Email Firewall Reverse Proxy

 

If you have followed steps 2-4 of this document, you have a password-protected .pfx certificate file. In order to use it with Email Firewall Reverse Proxy, you need to export the certificate and the private key as separate files using OpenSSL.

   
   10.1. Create a working directory and copy your .pfx file to it
   10.2. Open the Windows/UNIX console and go to that directory
   10.3. Convert the certificate in the PFX file to a separate certificate file in PEM format:


   openssl pkcs12 -clcerts -nokeys -in ssl.pfx -out sslcert.pem


Here, ssl.pfx is the name of the PFX file and sslcert.pem is the output certificate file in PEM format. You will be prompted for the PFX password, with echo off; alternatively, you can specify the PFX password with the -passin pass:password parameter (where password is your PFX password). Note that you can specify a full path to the ssl.pfx file, enclosed in double quotes.

   10.4. Convert the key in the PFX file to a separate key file in PEM format. From the same Windows/UNIX console as in step 10.2, run:


   openssl pkcs12 -passout pass:password -nocerts -in ssl.pfx -out sslkey.pem


This will output the key to sslkey.pem in PEM format, encrypted with the password given after pass: (the placeholder password in the command above; choose any password you wish, but write it down!). Note that this PEM password can be different from the PFX password.

 

   10.5. Specify the sslcert.pem file and sslkey.pem file (with password) to the Reverse Proxy (RP) installer when prompted.
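The OpenSSL side of sections 5, 6 and 10 as one non-interactive POSIX shell script, with the checks worth running before handing the files to an installer. This is an added example, not code from the article or from Axway; the working directory, the FQDN mail.example.test, the passwords and the subject fields are constructed assumptions, and -verify_hostname requires OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the Axway article: the section 5/6 local CA and the
# section 10 PFX split with the OpenSSL CLI, checked before any import.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # stands in for C:\ssl
FQDN="${1:-mail.example.test}"    # constructed sample FQDN used as the CN
CA_PASS='ca-demo-password'        # constructed sample passwords
PFX_PASS='pfx-demo-password'

# 6.1 and 6.2: DES3-encrypted CA key and self-signed CA certificate
# (2048 bits here, where the article shows 1024).
setup_ca() {
  mkdir -p "$WORK/keys" "$WORK/certs" "$WORK/requests"
  openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/keys/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1001 -key "$WORK/keys/ca.key" -passin "pass:$CA_PASS" \
    -subj "/C=US/O=Example Org/CN=Example Local CA" -out "$WORK/certs/ca.cer"
}

# CSR with the subject fields the IIS wizard asks for, signed by the local CA,
# then packaged with its chain as PKCS#12 (what IIS exports in section 4).
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/keys/server.key" \
    -subj "/C=US/ST=California/L=City/O=Example Org/OU=IT/CN=$FQDN" \
    -out "$WORK/requests/server.csr" 2>/dev/null
  # Modern clients match the SAN rather than the CN, so carry the FQDN in both.
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/requests/san.ext"
  openssl x509 -req -days 365 -in "$WORK/requests/server.csr" \
    -CA "$WORK/certs/ca.cer" -CAkey "$WORK/keys/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$WORK/requests/san.ext" -out "$WORK/certs/server.cer" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/certs/server.cer" -inkey "$WORK/keys/server.key" \
    -certfile "$WORK/certs/ca.cer" -passout "pass:$PFX_PASS" -out "$WORK/certs/server.pfx"
}

# 10.3 and 10.4: split the PFX into sslcert.pem and an encrypted sslkey.pem for
# the Reverse Proxy installer, non-interactively via -passin/-passout.
split_pfx() {
  openssl pkcs12 -in "$WORK/certs/server.pfx" -passin "pass:$PFX_PASS" \
    -clcerts -nokeys -out "$WORK/sslcert.pem"
  openssl pkcs12 -in "$WORK/certs/server.pfx" -passin "pass:$PFX_PASS" \
    -nocerts -passout "pass:$PFX_PASS" -out "$WORK/sslkey.pem"
}

# Checks worth running before any import: the chain verifies against the CA,
# the certificate matches the FQDN clients will use (the CN typo case from
# step 2.9), and the split key really belongs to the split certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/certs/ca.cer" "$WORK/sslcert.pem" >/dev/null 2>&1
}
verify_hostname() {   # needs OpenSSL 1.1.0 or later for -verify_hostname
  openssl verify -CAfile "$WORK/certs/ca.cer" -verify_hostname "$1" "$WORK/sslcert.pem" >/dev/null 2>&1
}
key_matches_cert() {
  cert_mod=$(openssl x509 -in "$WORK/sslcert.pem" -noout -modulus)
  key_mod=$(openssl rsa -in "$WORK/sslkey.pem" -passin "pass:$PFX_PASS" -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; return 0; }
  setup_ca; issue_server_cert; split_pfx
  if verify_chain && verify_hostname "$FQDN" && key_matches_cert; then
    echo "OK: sslcert.pem and sslkey.pem in $WORK are ready for the Reverse Proxy installer"
  else
    echo "FAILED: chain, hostname or key/certificate mismatch in $WORK" >&2; return 1
  fi
}
main "$@"
```

Run it with the server FQDN as the first argument; the files land in a fresh temporary directory unless WORK is set.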

 

11. Importing/Renewing a TLS/SSL certificate in MailGate

 

   11.1. Log into the Admin UI > Administration > Certificates - Local Certificate (Local) page, then click the TLS Certificate button
   11.2. Click on Import button and choose a format from the drop-down menu. The supported formats are PEM and P12 (PFX)
   11.3. Click Browse near the Public Key File Name (Certificate) field. A Choose file dialog is displayed
   11.4. Navigate to the file you want to use, highlight it, and then click OK. The file you selected appears in the Public Key File Name (Certificate) field
   11.5. Click Browse near the Private Key File Name field. A Choose file dialog is displayed

 

NOTE:   MailGate does not support private keys encrypted with IDEA. MailGate supports RSA private keys and certificates only.


   11.6. Navigate to the file you want to use, highlight it, and then click OK. The file you selected appears in the Private Key File Name field
   11.7. In the Private Key Password field, enter the password for the private key
   11.8. Click Import.



12. CSR creation, signing with a local CA, importing the signed certificate and exporting .pfx using IIS 7



Creating a CSR in IIS 7

12.1. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager
12.2. Click on your server name in the left pane and select Server Certificates, double-click on the icon
12.3. Click on Create Certificate Request under Actions (on the right)
12.4. Next, the CSR creation wizard will appear. Enter the information as follows:

Common Name: The name through which the certificate will be accessed (MailGate's fully-qualified domain name, e.g. securemail.yourdomain.com).
Organization: The legally registered name of your company.
Organizational unit: The name of your department within the organization (optional)
City/locality: The city in which your organization is located.
State/province: The state or province in which your organization is located.
Country/region: The two-letter country code from the drop-down.

When ready, click Next.

12.5.  In the Cryptographic Service Provider Properties section, select the following:

Cryptographic service provider:  From the drop-down list select "Microsoft RSA SChannel Cryptographic Provider" unless you have a specific cryptographic provider or requirement.
Bit length:  select 2048 (or higher).

When ready, click Next.

12.6. Choose a filename and file location to save the file to and click Finish.

[More information available from Microsoft at: http://technet.microsoft.com/en-us/library/cc732906%28v=ws.10%29.aspx]

Note: At this step you can either provide the CSR to a public Certification Authority (preferred), which will send back the signed certificate; if so, skip directly to step 12.10. Otherwise, keep reading for instructions on how to sign the certificate with your local Certification Authority.

Signing the certificate request with the local Certification Authority

12.7. Click on Start > Run and type cmd

12.8. In the Windows command prompt, type certreq.exe and the relevant attributes, e.g. certreq.exe -submit -attrib "CertificateTemplate:WebServer" request.txt, then hit Enter
[details about certreq syntax are available in MS Technet at http://technet.microsoft.com/library/cc725793.aspx]

12.9. A pop-up will appear, listing all available certification authorities that you can use. Select the one you want to use and click OK, then save the signed certificate to a file.


Importing the signed certificate back to IIS

12.10. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager
12.11. Click on your server name in the left pane and select Server Certificates, double-click on the icon
12.12. Click on Complete Certificate Request under Actions (on the right). This will prompt you to select the file with the signed certificate, provided by your Certification Authority (or created at step 12.9.). Select the file and fill in a friendly name for your certificate, then click OK.

Exporting the certificate to a PKCS#12 (pfx) file

12.13. Your new certificate will now be available in the main Server Certificates section - find it and double-click on the name
12.14. In the certificate pop-up, click on Details > Copy to File
12.15. The Certificate Export Wizard will pop up. Select Export the private key > Next > Personal Information Exchange - PKCS#12 (.PFX) > Include all certificates in the certification path if possible > Next > enter a password of 6 or more characters > Next > Save to a file > Next > Finish.

Importing the certificate in MailGate

12.16. Open up the Admin UI and navigate to Administration > Certificates > Local > TLS Certificate and click Import.
12.17. In the pop-up, select P12/pfx in the File Format field, then provide the certificate file and the password created at step 12.15. The web server will restart and you will see a message indicating that the certificate was imported successfully.
12.18. Check the details of your new certificate. If the Chain section reports Broken Chain, you will need to import your root and intermediate certificates in the respective sections under Administration > Certificates [root and intermediate certificates will be provided by your CA]
12.19. Go to Administration > Certificates > Root, find the root certificate of your new server certificate and make sure that there is a green check-mark under TLS. If there isn't one, select the root and then choose Trust for TLS from the drop-down.
12.20. Once ready, you can open up the end-user UI to verify that the new server certificate is presented.

Note: If you still see the old SSL certificate, make sure to clear the browser cache (or you can just refresh the page using Ctrl + F5  key combination) and re-check.