Create an SSL Certificate
To obtain a certificate signed by a certificate authority, you must start from the /appliance interface of your Bomgar Appliance. While a CA-signed certificate is the best way to secure your site, you may need a self-signed certificate temporarily. Both processes closely follow the same steps.
Create a Certificate Request or a Self-Signed Certificate
- Log into the /appliance interface of your Bomgar Appliance. Go to Security > Certificates. You will see a "Bomgar Appliance" certificate listed. This is a standard certificate which ships with all Bomgar appliances. Both the certificate and its warning should be ignored.
- In the Security :: Certificate Installation section, click Create.
- Fill out the New Certificate form.
- For Certificate Friendly Name, create a descriptive title for your certificate. Examples could include your primary DNS name or the current month and year. This name will help you identify your certificate request on your Bomgar Appliance Certificates page.
- From the Key dropdown, choose one of the New Key options, with a size of either 2048 bits or 4096 bits. You will need to verify with your certificate authority which key strengths they support.
Note: If the certificate being requested is a renewal or is being issued by a new CA, you should select the existing key of the certificate being replaced.
If the certificate being requested is a re-key, you should select New Key for the certificate.
For a re-key, all information on the Security :: Certificates :: New Certificate section should be the same as the certificate for which re-key is being requested. A new certificate friendly name should be used so that it will be easy to identify the certificate in the Security :: Certificates section.
Required information for the re-key can be obtained by clicking on the earlier certificate from the list displayed in the Security :: Certificates section.
For a new key or re-key certificate, the steps to import and apply the IP addresses are the same.
- Enter your two-character Country code. If you are unsure of your country code, please visit www.iso.org/iso/home/standards/country_codes.htm.
- Enter your State/Province name if applicable. Enter the full state name, as some certificate authorities will not accept a state abbreviation.
- Enter your City (Locality).
- In Organization, provide the name of your company.
- In Organizational Unit, enter your department within your organization.
- For Name (Common Name), enter a title for your certificate. In many cases, this should be simply a human-readable label. It is not recommended that you use your DNS name as the common name. However, some certificate authorities may require that you do use your fully qualified DNS name for backward compatibility. Contact your certificate authority for details.
- In the Subject Alternative Names section, enter your Bomgar site hostname and click Add. If you used your DNS name as the common name, it must match the first subject alternative name (SAN). A SAN lets you protect multiple hostnames with a single SSL certificate.
Add a SAN for each DNS name or IP address needed.
A DNS address could be a fully qualified domain name, such as support.example.com, or it could be a wildcard domain name, such as *.example.com. A wildcard domain name covers multiple subdomains, such as support.example.com, remote.example.com, and so forth. If you are going to use multiple hostnames for your site that are not covered by a wildcard, be sure to define those as additional SANs.
Note: If you plan to use multiple Bomgar Appliances in an Atlas setup, it is recommended that you use a wildcard certificate that covers both your Bomgar site hostname and each traffic node hostname. If you do not use a wildcard certificate, adding traffic nodes that use different certificates will require a rebuild of the Bomgar software.
- If you are requesting a signed certificate from a certificate authority, click Create Certificate Request. This will create a request in the Security :: Certificate Requests section.
If you are creating a self-signed certificate, click Create Self-Signed Certificate. Your self-signed certificate should now appear in the Security :: Certificates section. You can skip the steps for using a certificate authority and can now jump to Assign IP Addresses.
Submit the Certificate Request
- You will now need to contact your certificate authority for directions on how to submit your request. In most cases, requests are submitted by filling out a form on the CA's website.
- When prompted to enter the request information, log into the /appliance interface of your Bomgar Appliance. Go to Security > Certificates.
- In the Security :: Certificate Requests section, click the subject of your new certificate request.
- Select and copy the Request Data, and then submit this information to your certificate authority. In most cases, you will paste the request data into a form on your CA's website. Otherwise, you may need to contact your CA for directions.
- Some CAs require you to specify the type of server the certificate is for. If this is a required field, submit that the server is Apache-compatible. If given more than one Apache type as options, select Apache/ModSSL.
Upload the Certificate Files
- After the CA has signed the certificate, they will send it back to you, along with the intermediate certificate files and root certificate file. The following certificate and private key formats are acceptable:
- DER-encoded X.509 Certificate (.cer, .der, .crt)
- PEM-wrapped DER-encoded X.509 Certificate (.pem, .crt, .b64)
- DER-encoded PKCS #7 certificates (.p7, .p7b, .p7c)
- DER-encoded PKCS #8 private key (.p8)
- DER-encoded PKCS #12 certificates and/or private key (.p12)
- DER-encoded OpenSSL Legacy Private Key (.key)
- PEM-wrapped DER-encoded OpenSSL Legacy Private Key (.pem, .key)
- Download all of the returned certificate files to a secure location. This location should be accessible from the same computer used to access the /appliance interface. If prompted to select a server type, select Apache. If given more than one Apache type as options, select Apache/ModSSL.
- Log into the /appliance interface of your Bomgar Appliance. Go to Security > Certificates.
- In the Security :: Certificate Installation section, click the Import button.
- Browse to your certificate file and click Upload. Then upload the intermediate certificate files and root certificate file used by the CA.
Note: If the new certificate shows a warning beneath its name, this typically means the intermediate and/or root certificates from the CA have not been imported. Often, the simplest way to resolve this is to click the certificate's name, click its Authority Info Access link, and import the resulting certificate file(s). If this fails, make sure all certificate files sent by the CA have been imported to Bomgar. At least one of these should have Issued To and Issued By fields that are identical. This is known as the root certificate, and if it is not present, it can be downloaded from the CA's online root certificate store. If this cannot be located, you should contact the CA directly to get a copy.
- Your signed certificate should now appear in the Security :: Certificates section.
Note: After each certificate is uploaded, it should appear in the Security :: Certificates section. If an error message is shown, ensure that you uploaded all intermediate certificate files and the root certificate file the CA gave you. If none were given, request them from the CA.
Assign IP Addresses
Your new certificate will not secure any hostnames until you assign it to one or more IP addresses.
- To apply your certificate to an IP address, go to Security > Certificates.
- In the Security :: Certificates section, click the name of your new certificate.
- At the bottom of the page, select the IP addresses to which to apply this certificate. These IP addresses should be assigned to the hostnames that are secured by this certificate.
Note: If the checkbox is grayed out, refer to the Private Key field of the certificate to make sure it reads Available. If not, locate a server which is currently using the certificate or which originally generated the certificate request, and then import the certificate to Bomgar from that server. The certificate must be exported with the private key, and the password must be entered when importing it to Bomgar.
- Then click Save Configuration.
- This certificate will now serve as the SSL certificate for the IP addresses you selected.
Any time you add a new IP address to your appliance, that address is assigned to the factory default certificate. You must update the IP Addresses configuration of the appropriate certificate to secure the new IP address. This address should have a DNS hostname registered for it on the network; thus, the appropriate certificate is the one which has a subject alternative name (SAN) entry for the DNS address, not the IP address. Although certificates can include IP address SAN entries, this is not a recommended configuration in most cases.
Update the Bomgar Software
- Bomgar Technical Support builds your root certificate into the software. Therefore, every time you change the Certificate Authority that secures your Bomgar site hostname, you will need to obtain an updated software build from Bomgar. To build the update, Bomgar Technical Support needs a copy of the new SSL certificate(s) along with a screenshot of the /appliance > Status > Basics page to confirm which appliance should receive the new software.
- Before sending this information, it is important to verify that the SSL certificate chain is complete. Self-signed certificates have no chain, but CA-signed certificates do.
The certificate chain for any installed certificate in Bomgar can be reviewed in the Security :: Certificates section of the /appliance > Security > Certificates page. The components of the certificate chain can be identified as follows:
- The Bomgar server certificate has an Issued To field and/or an Alternative Name(s) field matching the Bomgar Appliance's URL (e.g., support.example.com).
- Intermediate certificates have different Issued To and Issued By fields, neither of which is a URL.
- The root certificate has identical values for the Issued To and Issued By fields, neither of which is a URL.
The server certificate shows a warning if its certificate chain is not complete. The certificate files of the chain can be downloaded from the issuing Certificate Authority (CA). Typically, the server certificate and intermediate certificate(s) are sent by email after the certificate purchase is complete. The root certificate is not always directly provided, however. You may need to download the root certificate from the CA's root certificate repository.
The appropriate root can be identified by contacting the CA directly or by opening the intermediate certificate and checking the Issued By field. This field should match the name of one (and only one) root certificate listed in the public repository of the CA.
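The New Certificate form fields described earlier map onto an ordinary certificate request, and the Issued To / Issued By rules above for telling root, intermediate and server certificates apart can be reproduced with the openssl command line. The script below is an added example, not Bomgar tooling or code from this guide; it assumes a POSIX shell with the openssl CLI (1.1.1 or later). It builds a CSR with the same fields as the form (with the site hostname and a wildcard as SANs and a plain label as the common name), stands up a constructed two-tier CA (Example Root CA and Example Intermediate CA, standing in for the real CA) to sign it, labels each certificate as root, intermediate or server, confirms the chain is complete, and checks that the private key matches the certificate, which is the condition behind the Private Key: Available field in the IP address step. All hostnames, organization values and file names are constructed.

```shell
#!/bin/sh
# Added example, not Bomgar's code: the openssl CLI equivalent of the
# /appliance certificate form, a constructed CA standing in for the real one,
# and the checks a practitioner runs before sending the chain to Support.
# All names below (support.example.com, Example Root CA, ...) are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE="support.example.com"

# 1. Certificate request with the same fields as the New Certificate form.
#    The CN is a human-readable label; hostnames go in subjectAltName, with
#    a wildcard covering the other subdomains (traffic nodes, for example).
make_csr() {
    cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = Georgia
L = Johns Creek
O = Example Company
OU = IT Support
CN = Example Support Portal
[ext]
subjectAltName = DNS:$SITE, DNS:*.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
}

# 2. Constructed two-tier CA (root signs intermediate, intermediate signs the
#    site CSR). Extensions come from explicit extfiles so no openssl.cnf
#    defaults are relied on.
make_toy_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example CA/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example CA/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/int.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:*.example.com\n' \
        "$SITE" > "$WORK/site.ext"
    openssl x509 -req -days 30 -in "$WORK/site.csr" -CA "$WORK/int.pem" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/site.ext" \
        -out "$WORK/site.pem" 2>/dev/null
}

# 3. Label a certificate the way the Security :: Certificates page describes:
#    root = Issued To equals Issued By; server = a SAN names the site;
#    intermediate = anything else.
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    elif openssl x509 -in "$1" -noout -text | grep -q "DNS:$SITE"; then
        echo server
    else
        echo intermediate
    fi
}

# 4. Chain completeness: the server cert must validate up to the self-signed
#    root through the intermediate. Returns 0 when complete; a failure here is
#    the situation that shows a warning beneath the certificate name.
chain_complete() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/site.pem" >/dev/null 2>&1
}

# 5. The "Private Key: Available" condition: the key file's public half must
#    equal the certificate's public key, or the cert cannot be bound to an IP.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ "$a" = "$b" ]
}

make_csr
make_toy_ca
for f in site int root; do
    echo "$f.pem: $(classify_cert "$WORK/$f.pem")"
done
if chain_complete; then echo "chain complete"; else echo "chain incomplete"; fi
if key_matches_cert "$WORK/site.pem" "$WORK/site.key"; then echo "private key available"; fi
```

Run this on a workstation, not on the appliance: the appliance generates and keeps its own key, so only the classification and verification steps apply to the certificate files you export from it. Running the `openssl verify` line without `-untrusted int.pem` fails, which is exactly the incomplete-chain case the warning on the Security :: Certificates page reports, and the fix is the same as in the note above: import the missing intermediate or root.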
- Go to /appliance > Status > Basics and save a screenshot of the page. You must include this screenshot in the email you will send to Bomgar Technical Support.
- Go to /appliance > Security > Certificates, confirm the SSL certificate chain is complete (if the certificate is CA-signed rather than self-signed), and export a copy of the certificate.
- Check the box next to your server certificate in the Security :: Certificates table.
- From the dropdown menu at the top of this section, select Export. Then click Apply.
- Uncheck Include Private Key, check Include Certificate Chain, and click Export. The certificate chain is not required for self-signed certificates.
Note: Do not send your private key file (which ends in ".p12") to Bomgar Technical Support. If a certificate is being exported to be sent to Bomgar Technical Support, you should NOT check Include Private Key. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. Exporting certificates will not remove them from the appliance.
- Add the resulting certificate file to a .zip archive and send it as an attachment to Bomgar Technical Support. Also include the screenshot of the Status > Basics page. If you have an open incident with Support, please include your incident number in the email.
- Once Bomgar Technical Support has built your new software package, they will email you instructions for how to install it. Update your software following the emailed instructions.
At this point, the appliance should be fully operational and ready for production. To learn more about how to manage and use Bomgar, please refer to www.bomgar.com/docs.