Certificates: Create and Manage SSL Certificates
Manage SSL certificates, creating self-signed certificates and certificate requests, importing certificates signed by a certificate authority, and determining which IP addresses should be secured by which certificates.
The Bomgar Appliance comes with a self-signed certificate pre-installed. However, to effectively use your Bomgar Appliance, you also will need to create a self-signed certificate at minimum, preferably requesting and uploading a certificate signed by a certificate authority.
To create a self-signed certificate or a certificate request, click Create. In Certificate Friendly Name, enter a name you will use to identify this certificate. From the Key dropdown, choose to create a new key or select an existing key. Enter the remaining information pertaining to your organization.
Note: If the certificate being requested is a replacement, you should select the existing key of the certificate being replaced.
If the certificate being requested is a re-key, you should select New Key for the certificate.
For a re-key, all information on the Security :: Certificates :: New Certificate section should be the same as the certificate for which re-key is being requested. A new certificate friendly name should be used so that it will be easy to identify the certificate in the Security :: Certificates section.
Required information for the re-key can be obtained by clicking on the earlier certificate from the list displayed in the Security :: Certificates section.
For a new key or re-key certificate, the steps to import and apply the IP addresses are the same.
In the Name (Common Name) field, enter a descriptive title for your Bomgar site.
You can use a single SSL certificate to protect multiple hostnames by adding subject alternative names. From the dropdown, select DNS Address or IP Address, enter an address in the text box below, and then click Add. To remove an address, select it from the list and click Remove.
Note: DNS addresses can be entered as fully qualified domain names, such as support.example.com, or as wildcard domain names, such as *.example.com. A wildcard domain name covers multiple subdomains, such as support.example.com, remote.example.com, and so forth.
If you intend to obtain a signed certificate from a certificate authority, click Create Certificate Request. Otherwise, click Create Self-Signed Certificate.
To upload certificates and/or private keys, click Import. For example, after your certificate authority has signed your certificate, they will send it and the intermediate certificates file back to you. Import both the certificate and the intermediate certificate chain to make that certificate available to secure your Bomgar site hostnames.
IMPORTANT: You MUST assign one or more IP addresses to a certificate before that certificate can secure any hostnames. Click a certificate name to assign IP addresses.
If the intermediate and/or root certificates are different from those currently in-use (or if a self-signed certificate was in-use), please request an update from Bomgar Technical Support before assigning an IP to the new certificate. Bomgar Technical Support will need a copy of the new certificate and its intermediate and root certificates.
Note: If multiple IP addresses point to your appliance, make sure that the IP addresses assigned to a certificate correspond to that certificate's common name and subject alternative names. If you are uncertain of a hostname's corresponding IP address, you can ping the hostname to see the IP address to which it resolves. If someone attempts to reach your site using a hostname secured by a certificate, and if that hostname’s corresponding IP address is not assigned to that certificate, then the person trying to reach the site will receive a security error, warning that the connection is not trusted.
View a table of SSL certificates available on your appliance.
Click a certificate name to view details, manage its certificate chain, and assign the IP addresses that this certificate should secure.
IMPORTANT: Any time you add a new IP address to your appliance, that address is assigned to the factory default certificate. You must update the IP Addresses configuration of the appropriate certificate to secure the new IP address. This address should have a DNS hostname registered for it on the network; thus, the appropriate certificate is the one which has a subject alternative name (SAN) entry for the DNS address, not the IP address. Although certificates can include IP address SAN entries, this is not a recommended configuration in most cases.
To export one or more certificates, check the box for each desired certificate, select Export from the dropdown at the top of the table, and then click Apply.
If you are exporting only one certificate, you immediately can choose to include the certificate, the private key (optionally secured by a passphrase), and/or the certificate chain, depending upon each item’s availability. Click Export to start the download.
If you are exporting multiple certificates, you will have the option to export each certificate individually or in a single PKCS#7 file.
When selecting to export multiple certificates as one file, click Continue to start the download. With this option, only the actual certificate files will be exported, without any private keys or certificate chains.
To include private keys and/or certificate chains in the export, select individual export and click Continue to view all selected certificates. For each listing, choose to include the certificate, the private key (optionally secured by a passphrase), and/or the certificate chain, depending upon each item’s availability. Click Export to start the download.
Note: The private key should never,or rarely, be exported from an appliance. If it is stolen, an attacker could easily compromise the Bomgar site which generated the key. If it does need to be exported, be sure to assign a strong password to the private key.
To delete one or more certificates, check the box for each desired certificate, select Delete from the dropdown at the top of the table, and then click Apply.
Note: Under normal circumstances, a certificate should never be deleted unless it has already been successfully replaced by a working substitute.
To confirm accuracy, review the certificates you wish to delete, and then click Delete.
View a table of pending requests for third-party-signed certificates. Click a certificate request name to view details.
The detail view also provides the request data you will give your preferred certificate authority when requesting a signed certificate.
Note: If you are renewing a certificate, use the same certificate Request Data that was used for the original certificate.
To delete one or more certificate requests, check the box for each desired request, select Delete from the dropdown at the top of the table, and then click Apply.
To confirm accuracy, review the certificate requests you wish to delete, and then click Delete.
View a table of private keys associated with certificates and certificate requests on your appliance. Click a linked certificate name or request name to view details about that associated item.
To export one or more private keys, check the box for each desired key, select Export from the dropdown at the top of the table, and then click Apply.
For each private key you are exporting, choose if you want to include an associated certificate. If the key applies to more than one certificate, select which certificate to include. Certificate requests cannot be included in the export. Optionally, secure the private key with a passphrase. Click Export to start the download.
To delete one or more private keys, check the box for each desired key, select Delete from the dropdown at the top of the table, and then click Apply.
To confirm accuracy, review the private keys you wish to delete, and then click Delete.
Note: Keys associated with certificates in use (those with assigned IP addresses) cannot be deleted.