This guide will walk through creating an SSL certificate and installing it on your server. I used these steps in the past for Jira and Confluence, but there are many uses for this. SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. According to Digicert, “SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.”
A certificate signing request (CSR) can be taken to any third-party Certificate Authority (such as Digicert or VeriSign) to get a signed certificate that will be trusted by default in most browsers. These steps are a prerequisite in this guide for all methods of creating a new certificate.
1. Obtain OpenSSL
I recommend installing to C:\OpenSSL and putting the executables into the OpenSSL\bin folder instead of the Windows system folder. Once the installation finishes, add the new bin folder to your system path variable with the following steps.
2. Command Prompt
Next, open a command prompt (type “CMD” in the Start Menu) and change directory to your desktop or another convenient directory. Now we need to point the prompt at the OpenSSL installation (wherever you installed it). Below is the directory location where I installed it:
CD C:\OpenSSL-Win64\bin
Then type:
set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
Use the following command to generate a new RSA key pair and output it to a file named filename.key (or a name of your choice). I recommend 4096-bit keys for good security and browser compatibility; a key like this can be used with SHA-2 signed certificates. For the sake of simplicity, I’m using “filename” as the file name, but please use whatever you’re comfortable with. Execute the following command:
openssl genrsa -out filename.key 4096
Next, we need to generate a Certificate Signing Request (CSR). The CSR will contain the public key we just created and information about who the certificate will be issued to. Run the following command:
openssl req -new -key filename.key -out filename.csr
You’ll be presented with a series of questions. The most important question is the value for the common name. This value must exactly match the hostname or domain name that you use to access Websense Manager. For example, if you use http://websense.site.com/mng to access the Manager, then your common name must be websense.site.com. Otherwise, you will still receive browser certificate errors after the certificate has been imported and trusted. When prompted, it’s also important to leave the password blank. With that in mind, input the appropriate information for your company. Below are some examples:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Colorado
Locality Name (eg, city) []: Denver
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Business Name
Organizational Unit Name (eg, section) []: Your Department
Common Name (eg, YOUR name) []: www.yourwebsite.com
Email Address []: your@email.com
A challenge password []: (Generate a password)
An optional company name []:
At this point, you should have both filename.key and filename.csr successfully created.
3. Generating a Self-Signed Certificate
Once you have both filename.key and filename.csr, you can create your own certificate. The advantage of using a self-signed certificate is that it’s free and quick. The disadvantage is that browsers do not trust it by default, so on each computer where you launch the TRITON management console you’ll have to import and trust the self-signed certificate. Use the following command to create the self-signed certificate:
openssl x509 -req -days 796 -in filename.csr -signkey filename.key -out filename.crt
Note: 796 is the number of days the certificate is valid for, in this case roughly 2 years. x509 is the certificate format used for SSL/TLS.
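The whole key / CSR / self-signed certificate procedure above, run non-interactively, as an added example that is not part of the original guide. It is a POSIX shell script for the openssl command (for example in Git Bash on Windows), assumes the hostname www.yourwebsite.com and the subject values from the prompts above, and goes one step beyond the guide by also adding a subjectAltName, since current browsers match the hostname against the SAN rather than the Common Name; the two checks at the end confirm that the name and the private key really belong to the certificate that was produced.

```shell
#!/bin/sh
# Added example (not from the original guide): key, CSR and self-signed
# certificate in one go, then two checks a practitioner would run afterwards.
set -eu

HOST="www.yourwebsite.com"          # assumed hostname; use the one typed in the browser
OUT="${TMPDIR:-/tmp}/ssl-demo"      # assumed working folder for the generated files
mkdir -p "$OUT"

# Step 1: RSA private key, 4096 bits, no passphrase (as the guide recommends).
make_key() {
  openssl genrsa -out "$OUT/filename.key" 4096 2>/dev/null
}

# Step 2: CSR with the subject passed on the command line instead of the prompts.
make_csr() {
  openssl req -new -key "$OUT/filename.key" -out "$OUT/filename.csr" \
    -subj "/C=US/ST=Colorado/L=Denver/O=Your Business Name/OU=Your Department/CN=$HOST"
}

# Step 3: self-signed certificate, 796 days as in the guide. The extfile adds a
# subjectAltName; current browsers match the hostname against the SAN, not the CN.
make_cert() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$OUT/san.ext"
  openssl x509 -req -days 796 -in "$OUT/filename.csr" -signkey "$OUT/filename.key" \
    -extfile "$OUT/san.ext" -out "$OUT/filename.crt" 2>/dev/null
}

# Check 1: the Common Name in the issued certificate (RFC 2253 order puts CN first).
cert_cn() {
  openssl x509 -in "$OUT/filename.crt" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# True only when the certificate's CN is exactly the hostname users will type.
cert_matches_host() {
  [ "$(cert_cn)" = "$1" ]
}

# Check 2: the private key really belongs to the certificate (same public key).
key_matches_cert() {
  [ "$(openssl pkey -in "$OUT/filename.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$OUT/filename.crt" -noout -pubkey)" ]
}

make_key && make_csr && make_cert
cert_matches_host "$HOST" && key_matches_cert && echo "filename.crt OK for $HOST"
```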
4. Verification and Install
When completed, submit the CSR (filename.csr) to a certificate provider of your choice (GoDaddy, Namecheap, etc.) to have it signed.
If you host your own server, copy the signed certificate files into a folder such as: C:/etc/ssl/crt/