Create a Self-Signed Certificate for Your PA Appliance
A self-signed certificate may be necessary on a temporary basis for testing or installing a Bomgar Appliance. For long-term use, a certificate from a public certificate authority (CA) should be used instead (see Create a Certificate Signed by a Certificate Authority for Your PA Appliance). Self-signed certificates are created in the Bomgar /appliance web interface. Once created, the Bomgar software should be updated. The final step is to assign the appliance IP address(es) to the new certificate.
Create the Certificate
Note: Customers with a cloud site environment cannot create a self-signed certificate.
Certificates consist of a friendly name, key, subject name, and one or more subject alternative names. You must enter this information in the Bomgar /appliance web interface to create a self-signed certificate.
- Log into the /appliance web interface of your Bomgar Appliance and go to Security > Certificates.
Note: You will see a "Bomgar Appliance" certificate listed. This is a standard certificate which ships with all Bomgar appliances. Both the certificate and its warning should be ignored.
- In the Security :: Certificate Installation section, click Create.
- Create a descriptive title for Certificate Friendly Name. Examples could include your primary DNS name or the current month and year. This name helps you identify your certificate request on your Bomgar Appliance Security > Certificates page.
- Choose a key size from the Key dropdown. Verify with your certificate authority which key strengths they support. Larger key sizes normally require more processing overhead and may not be supported by older systems. However, smaller key sizes are likely to become obsolete or insecure sooner than larger ones.
- The Subject Name consists of the contact information for the organization and department creating the certificate along with the name of the certificate.
- Enter your organization's two-character Country code. If you are unsure of your country code, please visit www.iso.org/iso/home/standards/country_codes.htm.
- Enter your State/Province name if applicable. Enter the full state name.
- Enter your City (Locality).
- In Organization, provide the name of your company.
- Organizational Unit is normally the group or department within the organization managing the certificate and/or the Bomgar deployment for the organization.
- For Name (Common Name), enter a title for your certificate. In many cases, this should be simply a human-readable label. It is not recommended that you use your DNS name as the common name. This name must be unique to differentiate the certificate from others on the network. Be aware that this network could include the public internet.
- In Subject Alternative Names, list the fully qualified domain name for each DNS A-record which resolves to your Bomgar Appliance (e.g., access.example.com). After entering each subject alternative name (SAN), click the Add button.
Note: If you entered the fully qualified domain name as your subject's common name, you must re-enter this as the first SAN entry. If you wish to use IP addresses instead of DNS names, contact Bomgar Technical Support first.
A SAN lets you protect multiple hostnames with a single SSL certificate. A DNS address could be a fully qualified domain name, such as access.example.com, or it could be a wildcard domain name, such as *.example.com. A wildcard domain name covers multiple subdomains, such as access.example.com, remote.example.com, and so forth. If you are going to use multiple hostnames for your site that are not covered by a wildcard certificate, be sure to define those as additional SANs.
Note: If you plan to use multiple Bomgar Appliances in an Atlas setup, it is recommended that you use a wildcard certificate that covers both your Bomgar site hostname and each traffic node hostname. If you do not use a wildcard certificate, adding traffic nodes that use different certificates will require a rebuild of the Bomgar software.
- Click Create Self-Signed Certificate and wait for the page to refresh. The new certificate should now appear in the Security :: Certificates section.
Even though your certificate now appears in the list, it is not yet installed or assigned to an IP address.
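The wildcard rules above (a wildcard SAN such as *.example.com covers access.example.com and remote.example.com but not example.com itself or a deeper name such as node1.access.example.com) decide whether extra SAN entries are needed, and getting this wrong is the usual reason a certificate has to be recreated. The following is an added example, not part of the Bomgar documentation: a small Python check, using only the standard library, that applies the standard TLS dNSName matching rule (wildcard only in the leftmost label, matching exactly one label) to a planned SAN list. The hostnames and SAN entries in it are constructed for illustration.

```python
"""Check which appliance hostnames a planned SAN list actually covers.

Added example (not Bomgar's own code). Implements the usual TLS rule for
dNSName matching: a wildcard is honoured only as the whole leftmost label,
matches exactly one label, and never matches the bare registered domain.
Partial wildcards such as 'acc*.example.com' are deliberately not honoured.
"""
from typing import Iterable, List


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are case-insensitive."""
    return name.strip().rstrip(".").lower()


def san_matches(hostname: str, san: str) -> bool:
    """Return True if the dNSName SAN entry `san` covers `hostname`."""
    host = _normalize(hostname)
    pattern = _normalize(san)
    if not pattern.startswith("*."):
        # Plain entry: exact match only.
        return host == pattern
    # Wildcard entry: '*.example.com' covers 'access.example.com' but not
    # 'example.com' (too few labels) or 'a.b.example.com' (too many labels).
    suffix = pattern[1:]              # '.example.com'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]   # the part the '*' would stand for
    return leftmost != "" and "." not in leftmost


def uncovered_hostnames(hostnames: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Hostnames that still need their own SAN entry before the certificate is created."""
    san_list = list(sans)
    return [h for h in hostnames if not any(san_matches(h, s) for s in san_list)]


if __name__ == "__main__":
    # Constructed sample: a site hostname, an Atlas traffic node hostname,
    # a deeper name and the bare domain, checked against one wildcard SAN.
    planned_sans = ["*.example.com"]
    in_use = ["access.example.com", "remote.example.com",
              "node1.access.example.com", "example.com"]
    for name in uncovered_hostnames(in_use, planned_sans):
        print(f"add a SAN entry for: {name}")
```

Run it with the SAN list you intend to type into the Subject Alternative Names field and the hostnames that resolve to the appliance; every name it prints needs to be added as an explicit SAN (or the wildcard changed) before you click Create Self-Signed Certificate.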
Update the Bomgar Appliance
To ensure the reliability of your client software, Bomgar Technical Support builds a copy of your certificate into your software. Therefore, when you create a new certificate, you must send Bomgar Technical Support a copy of your certificate together with a screenshot of your Status > Basics page, which identifies the appliance being updated.
- Go to /appliance > Security > Certificates and export a copy of your new certificate.
- Check the box next to the new certificate in the Security :: Certificates table.
- From the Select Action dropdown menu above the table, select Export. Then click Apply.
- Uncheck Include Private Key, click Export, and save the file to a convenient location.
Do NOT send your private key file (which ends in .p12) to Bomgar Technical Support. When exporting your certificate, you have the option to Include Private Key. If a certificate is being exported to be sent to Bomgar Technical Support, you should NOT check Include Private Key. This key is private because it allows the owner to authenticate your Bomgar Appliance's identity. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. If this key is ever exposed to the public (via email, for instance), the security of your appliance is compromised. Never export your private key when requesting software updates from Bomgar. A certificate without the private key usually exports as a file with the .cer, .crt, .pem, or .p7b extension. These files are safe to send by email and to share publicly. Exporting certificates does not remove them from the appliance.
- Go to /appliance > Status > Basics and take a screenshot of the page.
- Add the saved screenshot and the exported certificate to a .zip archive.
- Compose an email to Bomgar Technical Support requesting a software update. Attach the .zip archive containing the certificate and screenshot. If you have an open incident with Support, include your incident number in the email. Send the email.
- Once Bomgar Technical Support has built your new software package, they will email you instructions for how to install it. Update your software following the emailed instructions.
After these steps are complete, it is advisable to wait 24-48 hours before proceeding further. This allows time for your Bomgar client software (especially Jump Clients) to update themselves with the new certificate which Bomgar Technical Support included in your recent software update.
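Because the export dialog offers Include Private Key, the single most important check before attaching the file to a support email is that it contains no key material. The following is an added example, not part of the Bomgar documentation: a standard-library Python script that inspects an exported file, lists the PEM blocks it holds, and refuses anything that is a PKCS#12 bundle (.p12/.pfx), contains a PRIVATE KEY block, or is in a format it cannot recognise. The sample file contents are constructed placeholders, not real certificates or keys.

```python
"""Classify an exported appliance certificate before it is emailed.

Added example (not Bomgar's own code). Default-deny: only a file that is
plainly PEM and contains nothing but certificate-type blocks is reported as
safe to send. PKCS#12 bundles always carry the private key and are rejected
by extension alone.
"""
import re
from typing import Dict, List

# One PEM block: the END label must equal the BEGIN label.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Block types that carry only public material.
_PUBLIC_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE", "PKCS7"}


def pem_labels(data: bytes) -> List[str]:
    """Return the label of every PEM block in `data` (empty list if not PEM)."""
    text = data.decode("ascii", errors="replace")
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def classify_export(data: bytes, filename: str = "") -> Dict[str, object]:
    """Decide whether an exported file may be sent to Support.

    Returns {"safe_to_send": bool, "labels": [...], "reason": str}.
    """
    labels = pem_labels(data)
    if filename.lower().endswith((".p12", ".pfx")):
        return {"safe_to_send": False, "labels": labels,
                "reason": "PKCS#12 bundle: always includes the private key"}
    if not labels:
        return {"safe_to_send": False, "labels": labels,
                "reason": "no PEM blocks found; inspect the file manually"}
    keys = [lbl for lbl in labels if "PRIVATE KEY" in lbl]
    if keys:
        return {"safe_to_send": False, "labels": labels,
                "reason": f"private key material present: {', '.join(keys)}"}
    unknown = [lbl for lbl in labels if lbl not in _PUBLIC_LABELS]
    if unknown:
        return {"safe_to_send": False, "labels": labels,
                "reason": f"unrecognised block type(s): {', '.join(unknown)}"}
    return {"safe_to_send": True, "labels": labels,
            "reason": "certificate-only export"}


# Constructed samples: the base64 bodies are placeholders, not real data.
SAFE_EXPORT = (b"-----BEGIN CERTIFICATE-----\n"
               b"MIIBplaceholderCertificateBody==\n"
               b"-----END CERTIFICATE-----\n")
UNSAFE_EXPORT = SAFE_EXPORT + (b"-----BEGIN PRIVATE KEY-----\n"
                               b"MIIEplaceholderKeyBody==\n"
                               b"-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in (("appliance.cer", SAFE_EXPORT), ("appliance.pem", UNSAFE_EXPORT)):
        verdict = classify_export(blob, name)
        print(f"{name}: safe_to_send={verdict['safe_to_send']} ({verdict['reason']})")
```

To check a real export, read the file in binary mode and pass its bytes and name to classify_export; treat any result other than safe_to_send=True as a reason to re-export with Include Private Key unchecked.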
Assign IP Addresses
Your new certificate will not secure any hostnames until you assign it to one or more IP addresses. However, you should not assign an IP address to a new certificate if your appliance is currently in production with active connections. For new installations, this is not an issue, but for appliances in production you should schedule downtime to change and test IP assignments.
IP address assignment is performed on the Edit Certificate Configuration page of the certificate in question. If your appliance has multiple IP addresses, you must determine which one is correct for your certificate. You can assign an SSL certificate to multiple IP addresses, if necessary.
The correct IP address is the one which has a DNS hostname registered for it on the network. Thus, the appropriate IP address for a certificate is the IP which receives traffic from the DNS A-record. Private A-records normally point directly at the appliance IP address assigned to the certificate, while public A-records normally point at a public IP address that is forwarded to the IP address assigned to the certificate. Certificates should not normally be issued to IP addresses.
- Go to /appliance > Security > Certificates.
- Click the Friendly Name or Assign IP link of your new certificate in the Security :: Certificates section.
- Scroll to the bottom of the page, select the IP address or addresses for which the certificate should be active, and click Save Configuration.
The configuration can take a few minutes to complete. Once the configuration has finished processing, the new certificate is active on the network and secures the IP addresses you selected.
Any old certificates will still be present on the appliance, but they will not be active on the IP addresses of the new certificate. This is because only one certificate at a time can be assigned to an IP address. If multiple certificates must be active simultaneously (e.g., to support multiple DNS A-records), you must add an IP address and A-record for each.
Any time you add a new IP address to your appliance, that address is assigned to the factory default certificate. You must update the IP Addresses configuration of the appropriate certificate to secure the new IP address. This address should have a DNS hostname registered for it on the network; thus, the appropriate certificate is the one which has a subject alternative name (SAN) entry for the DNS address, not the IP address. Although certificates can include IP address SAN entries, this is not a recommended configuration in most cases.
At this point, the appliance should be fully operational and ready for production. To learn more about how to manage and use Bomgar, please refer to www.bomgar.com/docs.