Replace an SSL Certificate on the Privileged Access Appliance
Follow the instructions in this section if you need to do one of the following:
- Replace a CA-signed certificate from one certificate authority with a CA-signed certificate from another.
- Replace a self-signed certificate with a CA-signed certificate.
- Replace one type of CA-signed certificate with another type of CA-signed certificate from the same certificate authority.
If you need to renew an existing CA-signed certificate from the same CA, see Renew an Expired Certificate for the Privileged Access Appliance.
Bomgar client software must be able to validate the SSL certificate of their appliance in order to establish secure connections. To do this, they must trust the certificate authority of the appliance's server certificate. If this CA is changed without preparing the clients beforehand, then it is possible to permanently lose connectivity to the clients due to failed SSL validation. To avoid this, the Bomgar Appliance must be properly updated with product builds from Bomgar Technical Support and provisioned with the new CA-signed certificate.
Create the Certificate Signing Request
The first step is to create the CSR. The request data associated with the CSR contains the details about your organization and Bomgar site. This request data is submitted to your certificate authority for them to publicly certify your organization and Bomgar Appliance.
Certificates consist of a friendly name, key, subject name, and one or more subject alternative names. You must enter this information in the Bomgar /appliance web interface to create a certificate signing request.
- Log into the /appliance web interface of your Bomgar Appliance and go to Security > Certificates.
Note: You will see a "Bomgar Appliance" certificate listed. This is a standard certificate which ships with all Bomgar appliances. Both the certificate and its warning should be ignored.
- In the Security :: Certificate Installation section, click Create.
- Create a descriptive title for Certificate Friendly Name. Examples could include your primary DNS name or the current month and year. This name helps you identify your certificate request on your Bomgar Appliance Security > Certificates page.
- Choose a key size from the Key dropdown. Verify with your certificate authority which key strengths they support. Larger key sizes normally require more processing overhead and may not be supported by older systems. However, smaller key sizes are likely to become obsolete or insecure sooner than larger ones.
- The Subject Name consists of the contact information for the organization and department creating the certificate along with the name of the certificate.
- Enter your organization's two-character Country code. If you are unsure of your country code, please visit www.iso.org/iso/home/standards/country_codes.htm.
- Enter your State/Province name if applicable. Enter the full state name, as some certificate authorities will not accept a state abbreviation.
- Enter your City (Locality).
- In Organization, provide the name of your company.
- Organizational Unit is normally the group or department within the organization managing the certificate and/or the Bomgar deployment for the organization.
- For Name (Common Name), enter a title for your certificate. In many cases, this should be simply a human-readable label. It is not recommended that you use your DNS name as the common name. However, some certificate authorities may require that you do use your fully qualified DNS name for backward compatibility. Contact your certificate authority for details. This name must be unique to differentiate the certificate from others on the network. Be aware that this network could include the public internet.
In Subject Alternative Names, list the fully qualified domain name for each DNS A-record which resolves to your Bomgar Appliance (e.g., access.example.com). After entering each subject alternative name (SAN), click the Add button.
Note: If you entered the fully qualified domain name as your subject's common name, you must re-enter this as the first SAN entry. If you wish to use IP addresses instead of DNS names, contact Bomgar Technical Support first.
A SAN lets you protect multiple hostnames with a single SSL certificate. A DNS address could be a fully qualified domain name, such as access.example.com, or it could be a wildcard domain name, such as *.example.com. A wildcard domain name covers multiple subdomains, such as access.example.com, remote.example.com, and so forth. If you are going to use multiple hostnames for your site that are not covered by a wildcard certificate, be sure to define those as additional SANs.
Note: If you plan to use multiple Bomgar Appliances in an Atlas setup, it is recommended that you use a wildcard certificate that covers both your Bomgar site hostname and each traffic node hostname. If you do not use a wildcard certificate, adding traffic nodes that use different certificates will require a rebuild of the Bomgar software.
- Click Create Certificate Request and wait for the page to refresh.
- The certificate request should now appear in the Security :: Certificate Requests section.
Submit the Certificate Signing Request
Once the certificate signing request has been created, you must submit it to a certificate authority for certification. You can obtain an SSL certificate from a commercial or public certificate authority or from an internal CA server if your organization uses one. Bomgar does not require or recommend any specific certificate authority, but these are some of the most well known.
- Comodo (www.comodo.com) - As of 24 February 2015, Comodo is the largest issuer of SSL certificates.
- Digicert (www.digicert.com) - Digicert is a US-based certificate authority that has been in business for over a decade.
- GeoTrust, Inc. (www.geotrust.com) - GeoTrust is the world's second largest digital certificate provider.
- GoDaddy SSL (www.godaddy.com/ssl/ssl-certificates.aspx) - GoDaddy is the world's largest domain name registrar, and their SSL certificates are widely used.
- Symantec SSL (www.symantec.com/ssl-certificates) - 97 of the world's 100 largest financial institutions and 75 percent of the 500 biggest e-commerce sites in North America use SSL certificates from Symantec.
Once you have selected a certificate authority, you must purchase a certificate from them. Bomgar does not require any special type of certificate. Bomgar accepts wildcard certificates, subject alternative name (SAN) certificates, unified communications (UC) certificates, extended validation (EV) certificates, and so forth, as well as standard certificates.
During or after the purchase, you will be prompted to upload or copy/paste your request data. The certificate authority should give you instructions for doing so. To retrieve your request data from Bomgar, take these steps:
- When prompted to submit the request information, log into the /appliance interface of your Bomgar Appliance. Go to Security > Certificates.
- In the Security :: Certificate Requests section, click the subject of your certificate request.
- Select and copy the Request Data, and then submit this information to your certificate authority. Some certificate authorities require you to specify the type of server the certificate is for. If this is a required field, submit that the server is Apache-compatible. If given more than one Apache type as options, select Apache/ModSSL or Apache (Linux).
Import the Certificate
Once the certificate authority has the request data, they will review it and sign it. After the certificate authority has signed the certificate, they will send it back to you, often with the root and/or intermediate certificate files. All these together constitute your certificate chain. The CA or Issuing Authority issues multiple certificates in a certificate chain, proving that your site's certificate was issued by the CA. This proof is validated using a public and private key pair. The public key, available to all of your site visitors, must validate the private key in order to verify the authenticity of the certificate chain. The certificate chain typically consists of three types of certificate:
- Root Certificate – The certificate that identifies the certificate authority.
- Intermediate Root Certificates – Certificates digitally signed and issued by an Intermediate CA, also called a Signing CA or Subordinate CA.
- Identity Certificate – A certificate that links a public key value to a real-world entity such as a person, a computer, or a web server.
All of these certificate files must be imported to your Bomgar Appliance before it will be completely operational. The certificate chain will be sent in one of multiple certificate file formats. The following certificate formats are acceptable:
- DER-encoded X.509 certificate (.cer, .der, .crt)
- PEM-wrapped DER-encoded X.509 certificate (.pem, .crt, .b64)
- DER-encoded PKCS #7 certificates (.p7, .p7b, .p7c)
You must download all of the certificate files in your certificate chain to a secure location. This location should be accessible from the same computer used to access the /appliance interface. Sometimes the CA's certificate download interface prompts for a server type. If prompted to select a server type, select Apache. If given more than one Apache type as options, select Apache/ModSSL.
Many certificate authorities do not send the root certificate of your certificate chain. Bomgar requires this root certificate to function properly. If no links were provided to obtain the root certificate, then it is suggested that the CA be contacted for assistance. If this is impractical for any reason, it should be possible to find the correct root certificate in your CA's online root certificate repository. Some of the major repositories are these:
- Comodo > Repository > Root Certificates (www.comodo.com/about/comodo-agreements.php)
- DigiCert Trusted Root Authority Certificates (www.digicert.com/digicert-root-certificates.htm)
- GeoTrust Root Certificates (www.geotrust.com/resources/root-certificates)
- GoDaddy > Repository (certs.godaddy.com/repository)
- Symantec > Licensing and Use of Root Certificates (www.symantec.com/page.jsp?id=roots)
To identify which root is appropriate for your certificate chain, you should contact your certificate authority. However, it is also possible on most systems to open your certificate file on the local system and check the certificate chain from there. For instance, in Windows 7, the certificate chain is shown under the Certification Path tab of the certificate file, and the root certificate is listed at the top. Opening the root certificate here normally allows you to identify the approprate root on the CA's online repository.
Once you have downloaded all the certificate files for your certificate chain, you must import these files to your Bomgar Appliance.
- Log into the /appliance interface of your Bomgar Appliance. Go to Security > Certificates.
- In the Security :: Certificate Installation section, click the Import button.
- Browse to your certificate file and click Upload. Then upload the intermediate certificate files and root certificate file used by the CA.
Your signed certificate should now appear in the Security :: Certificates section. If the new certificate shows a warning beneath its name, this typically means the intermediate and/or root certificates from the CA have not been imported. The components of the certificate chain can be identified as follows:
- The Bomgar server certificate has an Issued To field and/or an Alternative Name(s) field matching the Bomgar Appliance's URL (e.g., access.example.com).
- Intermediate certificates have different Issued To and Issued By fields, neither of which is a URL.
- The root certificate has identical values for the Issued To and Issued By fields, neither of which is a URL.
If any of these are missing, contact your certificate authority and/or follow the instructions given above in this guide to locate, download, and import the missing certificates.
Update the Bomgar Appliance
To insure the reliability of your client software, Bomgar Technical Support builds your root certificate into your software. Therefore, any time you import a new root certificate to your Bomgar Appliance, you must send to Bomgar Technical Support a copy of the new SSL certificate and also a screenshot of your Status > Basics page to identify the appliance being updated.
Do NOT send your private key file (which ends in .p12) to Bomgar Technical Support. This key is private because it allows the owner to authenticate your Bomgar Appliance's identity. Ensure that the private key and its passphrase are kept in a secure, well-documented location on your private network. If this key is ever exposed to the public (via email, for instance), the security of your appliance is compromised.
- Go to /appliance > Status > Basics and take a screenshot of the page.
- Add the saved screenshot and the all of the SSL certificates files for your certificate chain to a .zip archive. Do NOT include any private key files (e.g., .p12, .pfx, or .key files).
- Compose an email to Bomgar Technical Support requesting a software update. Attach the .zip archive containing the certificate files and screenshot. If you have an open incident with Support, include your incident number in the email. Send the email.
- Once Bomgar Technical Support has built your new software package, they will email you instructions for how to install it. Update your software following the emailed instructions.
After these steps are complete, it is advisable to wait 24-48 hours before proceeding further. This allows time for your Bomgar client software (especially Jump Clients) to update themselves with the new certificate which Bomgar Technical Support included in your recent software update.
Assign IP Addresses
Your new certificate will not secure any hostnames until you assign it to one or more IP addresses. However, you should not assign an IP address to a new certificate if your appliance is currently in production with active connections. For new installations, this is not an issue, but appliances in production should schedule down time to change and test IP assignments.
IP address assignment is performed on the Edit Certificate Configuration page of the certificate in question. If your appliance has multiple IP addresses, you must determine which one is correct for your certificate. You can assign an SSL certificate to multiple IP addresses, if necessary.
The correct IP address is the one which has a DNS hostname registered for it on the network. Thus, the approrpirate IP address for a certificate is the IP which receives traffic from the DNS A-record. Private A-records normally have the IP address of the certificate itself, but public A-records normally have a public IP which redirects to the IP address assigned to the certificate. Certificates should not normally be issued to IP addresses.
- Go to /appliance > Security > Certificates.
- Click the Friendly Name or Assign IP link of your new certificate in the Security :: Certificates section.
- Scroll to the bottom of the page, select the IP address or addresses for which the certificate should be active, and click Save Configuration.
Note: If there is no Assign IP link and/or the IP Addresses are grayed out, refer to the Private Key field of the certificate to make sure it reads Available. If not, either contact your certificate authority for instructions to re-key or certificate, or transfer the private key of your certificate from another server on which it resides.
The configuration can take a few minutes to complete. Once the configuration has finished processing, the new certificate is active on the network and secures the IP addresses you selected.
Any old certificates will still be present on the appliance, but they will not be active on the IP addresses of the new certificate. This is because only one certificate at a time can be assigned to an IP address. If multiple certificates must be active simultaneously (e.g., to support multiple DNS A-records), you must add an IP address and A-record for each.
Any time you add a new IP address to your appliance, that address is assigned to the factory default certificate. You must update the IP Addresses configuration of the appropriate certificate to secure the new IP address. This address should have a DNS hostname registered for it on the network; thus, the appropriate certificate is the one which has a subject alternative name (SAN) entry for the DNS address, not the IP address. Although certificates can include IP address SAN entries, this is not a recommended configuration in most cases.
At this point, the appliance should be fully upgraded and operational with its new certificate. The old certificate may be removed and/or revoked as necessary.