KB Article #175980

Using an authenticated (HTTPS) access point with FTD


If you want to use authenticated (HTTPS) access point with FTD, three things need to be done:

I.    Generate a server certificate for your server hosting FTD
II.   Import the server certificate in FTD
III.  Import the certificate chain of the FTD server certificate into the Java keystore


I.  Generate a server certificate


Several methods exist to perform the SSL/TLS certificate generation. The most common tools are IIS (Windows) and OpenSSL (Windows, UNIX).
This article outlines the process of creating a CA-signed certificate using IIS 7.0 and the process of creating a self-signed certificate using OpenSSL.


METHOD 1: Creating a certificate using Internet Information Services (IIS) Manager 7.0

1. Generate Certificate Signing Request (CSR)


       1.1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
       1.2. Click on the server name.
       1.3. From the center menu, double-click the Server Certificates button in the Security section (it is near the bottom of the menu).
       1.4. Next, from the Actions menu (on the right), click on Create Certificate Request. This will open the Request Certificate wizard.
       1.5. In the Distinguished Name Properties window, enter the information as follows:

                Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
                Organization - The legally registered name of your organization/company.
                Organizational unit - The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
                City/locality - The city in which your organization is located.
                State/province - The state in which your organization is located.
                Country/region - The two-letter code of the country in which your organization is located.
               
       1.6. Click Next.
       1.7. In the Cryptographic Service Provider Properties window, enter the following information and then click Next:

                Cryptographic service provider - In the drop-down list, select Microsoft RSA SChannel..., unless you have a specific cryptographic provider.
                Bit length - In the drop-down list, select 2048 (or higher).
       1.8. Enter a filename for your CSR file.
       1.9. Send the certificate request to a public CA.

      
2. Install the Certificate using IIS 7.0

To install your newly acquired SSL certificate in IIS 7, first copy the file somewhere on the server and then follow these instructions:

       2.1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
       2.2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
       2.3. In the Actions column on the right, click on Complete Certificate Request...
       2.4. Click the button with the three dots and select the server certificate that you received from the certificate authority. If the certificate doesn't have a .cer file extension, select to view all types. Enter any friendly name you want so you can keep track of the certificate on this server. Click OK.
       2.5. If successful, you will see your newly installed certificate in the list. If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on. If you are sure of those two things, you may just need to create a new Certificate Request and reissue/replace the certificate. Contact your certificate authority if you have problems with this.

3. Export the Certificate in .pfx format using IIS 7.0

       3.1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
       3.2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
       3.3. Select the newly imported certificate and, from the Actions column on the right, click View.
       3.4. Under the Details tab, click Copy to File.
       3.5. On the Welcome page of the wizard, press Next.
       3.6. Select Yes, export the private key and click Next.
       3.7. Under Personal Information Exchange, select these two options only and press Next:

            Include all certificates in the certification path if possible
            Export all extended properties

       3.8. Specify a password to protect the private key of the certificate.
       3.9. Choose a location to save the newly exported certificate and click Next.
       3.10.  The final step should show the details of the exported certificate. Click Finish to complete the wizard.
       
The .pfx file is now ready for import into the FTD server that needs this SSL/TLS certificate.
         
         
METHOD 2: Creating a self-signed certificate using OpenSSL

   1. First, create a 2048-bit private key to use when creating your CA. Run the following command and follow the prompts:

   openssl genrsa -des3 -out ca.key 2048

   2. Next, create a master certificate based on this key to use when signing other certificates. Run the following command and follow the prompts:

   openssl req -config openssl.cnf -new -x509 -days 1001 -key ca.key -out ca.cer

   3. Finally, export your CA certificate in PKCS #12 format:

   openssl pkcs12 -export -in ca.cer -inkey ca.key -out ca.p12
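As an added example (not part of the KB article or Axway's own tooling), the OpenSSL steps above in non-interactive form: a 2048-bit key and a self-signed server certificate carrying a Subject Alternative Name are generated, bundled into the PKCS#12 file that the FTD import step expects, and the bundle is then inspected. The host name ftd.example.internal, the output directory and the export password are placeholders, and OpenSSL 1.1.1 or later is assumed for -addext and x509 -ext.

```shell
#!/bin/sh
# Added example (not from the KB article): non-interactive OpenSSL run that
# creates a 2048-bit key and a self-signed server certificate carrying a
# Subject Alternative Name, exports both as PKCS#12 for the FTD "Import
# PKCS#12" step, then inspects the bundle. Host, paths and password are
# placeholders. Needs OpenSSL 1.1.1 or later (-addext, x509 -ext).
set -eu

FTD_HOST="${FTD_HOST:-ftd.example.internal}"   # placeholder FQDN of the FTD server
OUT_DIR="${OUT_DIR:-./ftd-cert}"                # placeholder output directory
P12_PASS="${P12_PASS:-ChangeMe-Example}"        # placeholder export password

# make_ftd_p12: writes $OUT_DIR/ftd.key, ftd.cer and ftd.p12
make_ftd_p12() {
    mkdir -p "$OUT_DIR"
    # 2048-bit RSA key, matching the key size the article's text asks for
    openssl genrsa -out "$OUT_DIR/ftd.key" 2048 2>/dev/null
    # Self-signed certificate; -subj and -addext replace the interactive
    # prompts. Browsers and Java match the SAN, not only the CN.
    openssl req -new -x509 -days 365 -sha256 \
        -key "$OUT_DIR/ftd.key" -out "$OUT_DIR/ftd.cer" \
        -subj "/CN=$FTD_HOST/O=Example Org" \
        -addext "subjectAltName=DNS:$FTD_HOST"
    # Bundle key and certificate into the .p12/.pfx that FTD imports
    openssl pkcs12 -export -in "$OUT_DIR/ftd.cer" -inkey "$OUT_DIR/ftd.key" \
        -out "$OUT_DIR/ftd.p12" -passout "pass:$P12_PASS"
}

# p12_cert: prints the certificate held in the exported bundle (PEM)
p12_cert() {
    openssl pkcs12 -in "$OUT_DIR/ftd.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null
}

# p12_key_bits: prints the RSA key size of the certificate in the bundle
p12_key_bits() {
    p12_cert | openssl x509 -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# p12_san_ok: succeeds when the bundle's certificate names FTD_HOST in its SAN
p12_san_ok() {
    p12_cert | openssl x509 -noout -ext subjectAltName | grep -q "DNS:$FTD_HOST"
}
```

Source the file, set FTD_HOST to the real server name, call make_ftd_p12, and then p12_key_bits and p12_san_ok to confirm the bundle before importing it in FTD.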

 

II.  Import the server certificate in FTD


      1. Log in to FTD as system administrator and navigate to Administration > System Management > Access Points
      2. For Protocol, select HTTPS
      3. Click on Import PKCS#12 and select the server certificate (.pfx or .p12) file
      4. Enter the certificate password

After importing a certificate, the DN, expiration date and serial number are displayed.
If you select HTTPS for authenticated access points, the same certificate is used for both intranet and Internet.

      5. Specify a unique range of listening ports for each access point: Local network and Internet
      6. Click Save
      7. A popup will notify you that you are about to modify a critical parameter. Click Yes to continue
      8. A new popup will ask you to reload the application. Select OK and your browser session should automatically redirect you to HTTPS
     

     

III.  Import the certificate chain of the FTD server certificate into the Java keystore


This step is necessary if you will be using the admincmd utility to administer the FTD server from the command line. The first time you execute the command with an option that requires authentication, you must provide authentication parameters. Besides that, if the FTD web access is configured on HTTPS, the admincmd tool will use the Java keystore to establish the SSL connection with the server. If the Java keystore does not contain the Root and Intermediate certificates, it will not be able to validate the FTD server certificate and the connection will fail.

To import the certificate chain, you will first need the CA and Intermediate certificates in PEM format, or a certificate chain file.
To import the certificate chain into the Java Virtual Machine keystore, use the Java-provided keytool utility in FTD as follows:


keytool -import -alias ca_alias -keystore cacerts -trustcacerts -file /path/of/certificate/authority/ca.crt


Where:
ca_alias is the name (alias or short name) chosen for the authority,
cacerts is the name of the Java default keystore; enter it as is,
ca.crt is the certificate authority file in PEM format.

You will then be asked to enter the keystore password, default is “changeit”, and asked if you trust the imported certificate: reply “yes”.
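As an added example (not from the KB article), a small POSIX shell helper for the step above: it splits a PEM chain file into one file per certificate and runs one keytool import per certificate, each under its own alias, because keytool imports only the first certificate it finds in a file. The chain file, keystore path and alias prefix are placeholders; DRY_RUN=1 prints the keytool commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the KB article): split a PEM chain file into one
# file per certificate and import each into the Java cacerts keystore under
# its own alias. keytool imports only the first certificate in a file, so a
# root+intermediate bundle must be split first. Paths are placeholders.
set -eu

# split_chain CHAIN_FILE OUT_DIR: writes OUT_DIR/chain-1.crt, chain-2.crt, ...
# (text outside the BEGIN/END markers, e.g. "Bag Attributes", is dropped)
# and prints the number of certificates found
split_chain() {
    chain="$1"; dir="$2"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".crt"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/  { close(out); inside = 0 }
        END { print n + 0 }
    ' "$chain"
}

# import_chain CHAIN_FILE KEYSTORE ALIAS_PREFIX: one keytool import per
# certificate, aliases PREFIX_1, PREFIX_2, ...; DRY_RUN=1 only prints the commands
import_chain() {
    chain="$1"; keystore="$2"; prefix="$3"
    dir="$(mktemp -d)"
    count="$(split_chain "$chain" "$dir")"
    i=1
    while [ "$i" -le "$count" ]; do
        # -noprompt answers the "Trust this certificate?" question; the
        # keystore password (default "changeit") is still requested
        cmd="keytool -import -alias ${prefix}_$i -keystore $keystore -trustcacerts -noprompt -file $dir/chain-$i.crt"
        if [ "${DRY_RUN:-0}" = "1" ]; then echo "$cmd"; else $cmd; fi
        i=$((i + 1))
    done
}
```

Run DRY_RUN=1 import_chain chain.pem "$JAVA_HOME/lib/security/cacerts" ftd_ca first to review the commands, then repeat without DRY_RUN to perform the imports.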