Manage Third-Party Certificates from an Alternate Certificate Authority

To enable remote client stations to log in and MiCollab Mobile Client users to establish connections, you can purchase an SSL certificate from an alternate third-party Certificate Authority and then import it onto the MSL server.

If you have an MSL application server deployed in LAN mode with an MBG / Web Proxy server in the demilitarized zone (DMZ) or network edge, your remote clients will connect to the MSL server through the MBG / Web Proxy server. For this configuration, purchase an SSL certificate for the MBG / Web Proxy server and then share the certificate and private key file with the LAN-based MSL servers.

If you have MSL application servers deployed in LAN mode behind a corporate firewall, your remote clients will connect to the MSL servers through the firewall. For this configuration, purchase a unique SSL certificate for each MSL server.

Supported Formats

You can import third-party SSL certificates in either PEM or PKCS#12 format.

MSL supports the SHA-2 family of cryptographic hash functions, including SHA-256.
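The following is an added example, not part of the Mitel documentation or the MSL product. It shows, with OpenSSL, how the two accepted upload formats relate to each other: a PEM certificate and key are packaged into a PKCS#12 bundle, unpacked again, and the certificate's signature hash is read back so you can confirm the CA signed with SHA-2 before uploading. It assumes OpenSSL 1.1.1 or later is on the PATH; the host name and passphrase are constructed values.

```shell
#!/bin/sh
# Added example (not Mitel's code): PEM <-> PKCS#12 conversion and a SHA-2
# signature check. Assumes OpenSSL 1.1.1 or later. The host name and the
# passphrase below are constructed values for demonstration only.
set -eu

WORK=$(mktemp -d)
P12_PASS='constructed-demo-passphrase'

# make_demo_pem: creates a throw-away RSA key and self-signed certificate
# (SHA-256 signature) so the conversions below have something to work on.
make_demo_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj '/C=CA/ST=Ontario/L=Ottawa/O=Example Corp/CN=msl.example.com' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# pem_to_p12: bundles certificate and key into one password-protected
# PKCS#12 file, the second upload format MSL accepts.
pem_to_p12() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/bundle.p12" -passout "pass:$P12_PASS"
}

# p12_to_pem: splits a PKCS#12 bundle back into a PEM certificate and a PEM
# key. -nodes writes the key unencrypted, so handle the output as a secret.
p12_to_pem() {
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" -nodes \
    -nocerts -out "$WORK/key-from-p12.pem" >/dev/null 2>&1
  openssl pkcs12 -in "$WORK/bundle.p12" -passin "pass:$P12_PASS" -nokeys \
    -out "$WORK/cert-from-p12.pem" >/dev/null 2>&1
}

# signature_hash: prints the signature algorithm of a PEM certificate, for
# example sha256WithRSAEncryption. Anything in the SHA-1 family should be
# sent back to the CA for re-issue.
signature_hash() {   # signature_hash <cert.pem>
  openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' \
    | awk '{print $3}'
}

# p12_roundtrip_ok: "same" when the certificate extracted from the bundle is
# byte-for-byte the original (compared by SHA-256 fingerprint).
p12_roundtrip_ok() {
  a=$(openssl x509 -in "$WORK/cert.pem" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$WORK/cert-from-p12.pem" -noout -fingerprint -sha256)
  [ "$a" = "$b" ] && echo same || echo different
}

# Usage: run the four steps in order, then inspect the result.
make_demo_pem
pem_to_p12
p12_to_pem
echo "signature: $(signature_hash "$WORK/cert.pem"), round trip: $(p12_roundtrip_ok)"
```

If a CA delivers the certificate as a PKCS#12 bundle, `p12_to_pem` is the step that yields the separate certificate and key files; the extracted key is unencrypted, so delete it from any intermediate media once the upload is done, as the procedures below advise.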

Configuration Example

The illustration, below, demonstrates the five basic steps that must be completed to implement a third-party SSL certificate when you have an MSL application server in LAN mode with an MBG / Web Proxy on the network edge. First, generate the certificate signing request (CSR) on the MBG / Web Proxy. Second, submit the CSR to the CA, complete the online registration forms, and purchase your web server certificate and intermediate certificates. Third, install the certificates on the MBG / Web Proxy (the MSL server that was used to generate the CSR). Fourth, download the certificates and private key from the MBG / Web Proxy. Fifth, install the certificates and private key on the MSL application server on the LAN. The application server can be equipped with Mitel software such as MiVoice Business, MiCollab Client, Open Integration Gateway, Oria or, as illustrated below, MiCollab.


Programming Steps

To implement a third-party SSL certificate, complete the following procedures:

Enroll for a web server certificate issued by Enterprise CA using SCEP

To automatically enroll for a web server certificate issued by a local Enterprise CA using the Simple Certificate Enrollment Protocol (SCEP), select the Enterprise CA - SCEP Enrollment option.

To enroll for a web server certificate issued by an Enterprise CA using SCEP, do the following:

  1. Log into the MSL Server Manager.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Enterprise CA - SCEP Enrollment option.

  5. Click Perform.

  6. Fill out the SCEP form:

  7. Click Get Certificate.

  8. Upon submitting the form, the data is validated and access to the SCEP server is verified. On successful verification, SCEP enrollment is initiated to request a certificate, and the progress of the SCEP transaction is displayed.

  9. Reload the MSL Server Manager for the newly acquired web server certificate to take effect.

Generate a Certificate Signing Request (CSR) and Purchase the SSL Certificate

You need a certificate signing request (CSR) in order to purchase an SSL certificate from an alternate third-party Certificate Authority (CA).  

To generate a CSR and purchase the third-party SSL certificate:

  1. Log into the MSL Server Manager.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Generate a new Certificate Signing Request (CSR), and then click Perform.

  5. Enter the information required to generate a certificate signing request (CSR). If you have previously generated a CSR, the previously entered values are displayed.

Note: When completing the fields, capitalize only the first letter of each word (for example, Ontario, not ONTARIO).

Country Name (two letter code)
    Enter the two-letter International Organization for Standardization (ISO) country code for the country in which your organization is legally registered. Examples are CA for Canada and US for the United States.

State or Province Name
    Enter the full name of the state or province where your organization is located. Do not abbreviate. The first letter of the name must be a capital, with the remaining letters lower case. For example, you would enter "Ontario" for Mitel Corporation.

Locality Name
    The Locality Name is the city, town, or route used in the mailing address of the organization that is submitting the CSR. Enter the full name of the city in which your organization is located. Do not abbreviate.

Organization Name
    The Organization Name is the name used in the mailing address of the organization / business submitting the CSR. Enter the name under which your organization / business is legally registered. The listed organization must be the legal registrant of the domain name in the trusted certificate request. If you are enrolling as an individual, enter the certificate requestor's name in the Organization field and the DBA (doing business as) name in the Organizational Unit field.

Organizational Unit Name
    Enter the organizational unit or department name. Use this field to differentiate between divisions within an organization, for example "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.

Common Name
    Enter the common name for the service to which you plan to apply your certificate. A web browser checks this field. It is required.

    The common name can be entered as a fully qualified domain name (FQDN) or as a domain name with a wildcard character (for example, *.example.com) in order to generate a wildcard certificate request.

    The default value presented in this field is the FQDN of the server, including the domain name (for example, mbg.example.com).

  6. Check to ensure that you have entered all the required information correctly before you generate the CSR. If you need to make changes, regenerate the file. Do NOT modify the text of the generated file in a text editor such as Notepad.

  7. Click Generate Certificate Signing Request. The system generates a CSR file.

  8. Copy the text of the CSR file.

  9. Access the web site of a Certificate Authority and purchase a certificate. You will be prompted to do the following:

Note: Each Certificate Authority has unique requirements. Accordingly, you may not be prompted for all of the steps listed below, and some of the field names may vary.

    1. Select the number of domains you wish to protect:

    2. Enter your account and contact details in the CA web form:

    3. Paste the text of the CSR file into the CA web form.

    4. If you have purchased a certificate for multiple domains or a wildcard domain, enter the following in the CA web form:

  10. Complete the purchase transaction. The Certificate Authority will do the following:

Note:

  11. Upload the certificate files to a location that is accessible to the MSL server.
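The following is an added example and is not part of the Mitel documentation; MSL generates the CSR for you in the Server Manager, so this shows the equivalent OpenSSL commands for seeing what the subject fields above produce and for validating a CSR before it is pasted into a CA's web form. It assumes OpenSSL 1.1.1 or later; the organization, host names and file paths are constructed values.

```shell
#!/bin/sh
# Added example (not Mitel's code): builds an RSA key and a CSR whose subject
# follows the field conventions in the table above, then inspects the CSR.
# Assumes OpenSSL 1.1.1 or later (needed for -addext). All names below are
# constructed values.
set -eu

WORK=$(mktemp -d)
KEY="$WORK/mbg.key.pem"
CSR="$WORK/mbg.csr.pem"

# Subject fields in the documented capitalization: full province name, no
# abbreviations, "Ontario" rather than "ONTARIO".
C='CA'; ST='Ontario'; L='Ottawa'
O='Example Corp'; OU='Engineering'
CN='mbg.example.com'

# make_csr: creates a 2048-bit RSA key (MSL installs RSA keys only) and a
# SHA-256 signed CSR. An optional first argument adds a second host name as a
# subjectAltName entry for a multi-domain certificate; for a wildcard request
# you would instead set CN to "*.example.com".
make_csr() {   # make_csr [extra-hostname]
  san="DNS:$CN"
  if [ $# -gt 0 ]; then san="$san,DNS:$1"; fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$KEY" -out "$CSR" \
    -subj "/C=$C/ST=$ST/L=$L/O=$O/OU=$OU/CN=$CN" \
    -addext "subjectAltName=$san" >/dev/null 2>&1
  chmod 600 "$KEY"   # the private key stays on this host; only the CSR is sent
}

# csr_subject: prints the subject exactly as the CA will read it.
csr_subject() {
  openssl req -in "$CSR" -noout -subject
}

# csr_is_valid: verifies the CSR's own signature. A CSR that fails here was
# edited by hand (which the procedure warns against) or damaged in copy/paste.
csr_is_valid() {
  if openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# csr_sans: lists the DNS names carried in the subjectAltName extension.
csr_sans() {
  openssl req -in "$CSR" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' '
}

# csr_pem: prints the text that gets pasted into the CA's web form.
csr_pem() { cat "$CSR"; }

# Usage: generate a CSR covering the MBG / Web Proxy and one extra host name,
# then confirm it before submitting it.
make_csr 'portal.example.com'
echo "$(csr_subject) [$(csr_is_valid)] SANs: $(csr_sans)"
csr_pem
```

`csr_is_valid` is the check worth running on the pasted text itself: copy the CSR out of the form, save it to a file and verify it the same way, which catches a truncated or re-wrapped paste before the CA rejects it.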

Install the SSL Certificate Files on the MSL Server

Use the following procedure to install the certificate files that you received from the alternate third-party Certificate Authority onto the MSL server that generated the CSR. The Upload and install a web server certificate option accepts only certificates and keys based on the RSA algorithm.

To install the SSL certificate files on the MSL server:

  1. Log into the MSL Server Manager for the system that was used to generate the CSR.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Upload and install a web server certificate, and then click Perform.

    Note: This option accepts only certificates and keys based on the RSA algorithm.

  5. Select the SSL certificate:

  6. If you also received an Intermediate SSL certificate, select it as well:

Notes:

  7. Click Install Web Server Certificate. If there is a problem with the certificate chain of trust, MSL will display an error message instructing you to take corrective action. You may need to contact your CA for assistance.

  8. Restart the server to ensure all components and services that require the certificate are informed of the certificate's presence. Perform this step at a time of low system activity.

Note: Some services, such as the MiCollab Client Service and WebRTC, are restarted automatically as soon as you install the certificate. This removes the need for you to restart the server manually.
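The following is an added example, not part of the Mitel documentation, that reproduces the chain-of-trust check the install step performs so that a certificate bundle can be validated on a workstation before it is uploaded. Because a commercial CA's files cannot be embedded here, the script creates a throw-away root CA, intermediate CA and server certificate of its own to stand in for what the CA returns; all names are constructed. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not Mitel's code): validates chain of trust and key/cert
# match before upload. The root, intermediate and server certificates are
# generated locally as stand-ins for a CA's delivery. Assumes OpenSSL 1.1.1+.
set -eu

WORK=$(mktemp -d)

# issue: signs a CSR with the given CA certificate and key, adding the
# extensions from the given file (CA:TRUE for an intermediate, CA:FALSE plus
# a subjectAltName for a server certificate).
issue() {   # issue <csr> <ca-cert> <ca-key> <extfile> <out-cert>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile "$4" -days 30 -sha256 -out "$5" >/dev/null 2>&1
}

# build_demo_pki: root -> intermediate -> server, plus an unrelated key so the
# mismatch case can be shown. Every name here is a constructed value.
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mbg.example.com\n' > "$WORK/srv.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 60 \
    -subj '/O=Demo Root CA/CN=Demo Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/O=Demo Root CA/CN=Demo Intermediate' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext" "$WORK/intermediate.pem"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj '/C=CA/ST=Ontario/L=Ottawa/O=Example Corp/CN=mbg.example.com' \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  issue "$WORK/server.csr" "$WORK/intermediate.pem" "$WORK/int.key" "$WORK/srv.ext" "$WORK/server.pem"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrong.key" >/dev/null 2>&1
}

# chain_ok: "ok" when the server certificate chains to the trusted root
# through the supplied intermediate, "broken" otherwise. Passing an empty
# intermediate reproduces the most common install-time chain error: the CA's
# intermediate certificate was not uploaded alongside the server certificate.
chain_ok() {   # chain_ok <root> <intermediate-or-empty> <server>
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo ok || echo broken
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo ok || echo broken
  fi
}

# key_matches_cert: "match" when the private key's public half equals the
# certificate's public key; a key from a different CSR gives "mismatch".
key_matches_cert() {   # key_matches_cert <key> <cert>
  k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ] && echo match || echo mismatch
}

# bundle_for_upload: concatenates the intermediate certificate(s) into the
# single PEM file that goes into the Intermediate SSL certificate field.
bundle_for_upload() {
  cat "$WORK/intermediate.pem" > "$WORK/ca-bundle.pem"
  echo "$WORK/ca-bundle.pem"
}

# Usage: build the stand-in PKI and run the two checks the install step relies on.
build_demo_pki
echo "with intermediate:    $(chain_ok "$WORK/root.pem" "$WORK/intermediate.pem" "$WORK/server.pem")"
echo "without intermediate: $(chain_ok "$WORK/root.pem" "" "$WORK/server.pem")"
echo "key matches cert:     $(key_matches_cert "$WORK/server.key" "$WORK/server.pem")"
echo "bundle: $(bundle_for_upload)"
```

With real CA files, substitute the CA's root for `root.pem`, its intermediate bundle for `intermediate.pem`, and the certificate and key from the CSR step for `server.pem` and `server.key`; a "broken" result with the intermediate omitted and "ok" with it present is exactly the situation the install step's error message describes.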

Install the SSL Certificate on Other MSL Servers

If your deployment includes LAN-based MSL application servers accessed via an MBG / Web Proxy server, use the following procedure to install the certificate files on them. This is a two-step process. First, you must download the web server certificate, intermediate certificates (if installed), and private key file corresponding to the SSL server certificate from the MBG / Web Proxy. Second, you must upload these files to the LAN-based MSL servers.

Download certificates

To download the SSL certificate files from the MBG / Web Proxy:

  1. Log into the MSL Server Manager for MBG / Web Proxy (the system that was used to generate the CSR).

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Download the current web server certificate, and then click Perform.

  5. Click Save, navigate to the location where you wish to store the file, and then click Save. The downloaded file is in ZIP format. It includes the web server certificate, intermediate certificates (if installed), and private key file.

  6. Unzip the files and upload them to a location that is accessible to the other MSL servers in your network.

Note: Exercise caution when transferring your certificate files and private key to the other system. If your private key is stolen, it can be used to establish fraudulent connections to your applications. For optimum security, delete the files from any media they are stored on as soon as you have completed the upload process.

Upload certificates

To upload the SSL certificate files to a LAN-based MSL server:

  1. Log into the MSL Server Manager for a LAN-based MSL server.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Upload and install a web server certificate, and then click Perform.

    Note: This option accepts only certificates and keys based on the RSA algorithm.

  5. Select the SSL certificate:

  6. If you also received an Intermediate SSL certificate, select it as well:

  7. Import the private key pair created on the other MSL server:

  8. Click Install Web Server Certificate.

  9. Restart the server to ensure all components and services that require the certificate are informed of the certificate's presence. Perform this step at a time of low system activity.

Note: Some services, such as the MiCollab Client Service and WebRTC, are restarted automatically as soon as you install the certificate. This removes the need for you to restart the server manually.

  10. To prevent fraudulent use of your certificates, delete the certificate and private key files from any media they are stored on.

Uninstall the SSL Certificate

To uninstall the SSL certificate and resume using the self-signed certificate:

  1. Log into the MSL Server Manager.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Uninstall the third-party web server certificate, and then click Perform. The MSL system uninstalls the SSL certificate and returns to using the default self-signed certificate.

Verify the Installed SSL Certificate

To view details regarding the currently installed web server certificate:

  1. Log into the MSL Server Manager.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. View details at the top of the page:

Issuer
    Lists the following information for the Certificate Authority that issued the certificate:
        C: country code
        ST: state or province
        L: locality name (for example, city name)
        O: name of the certificate authority
        OU: name of the organizational unit
        CN: server hostname
        emailAddress: email address of the Certificate Authority

Certificate Name
    The Common Name that identifies the fully qualified domain name associated with the certificate.

Alternate Name(s)
    The FQDNs of each service (or "virtual host") included in the certificate.

Valid From
    Date and time when the certificate takes effect.

Expires
    Date and time when the certificate expires.

NOTE: Events are raised before, and on the date of, certificate expiry. Check the event viewer regularly or configure email alerts. The event severities are:
    Certificate already expired:   CRITICAL
    Expires in less than 1 week:   CRITICAL
    Expires in less than 3 weeks:  MAJOR
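The following is an added example, not part of the Mitel documentation, that applies the same expiry thresholds as the note above to a certificate file, so the check can run from a scheduled job on another host as a second line of warning alongside MSL's own events. It assumes OpenSSL 1.1.1 or later; the certificates it classifies are self-signed test certificates it creates itself, and the host name is a constructed value.

```shell
#!/bin/sh
# Added example (not Mitel's code): classifies remaining certificate lifetime
# with the thresholds from the note above (expired / < 1 week: CRITICAL,
# < 3 weeks: MAJOR). Uses "openssl x509 -checkend", which avoids parsing
# dates by hand. Assumes OpenSSL 1.1.1 or later.
set -eu

WORK=$(mktemp -d)
WEEK=$((7 * 86400))
THREE_WEEKS=$((21 * 86400))

# make_cert_valid_for: self-signed test certificate valid for N days, used
# here only to exercise the classifier. The host name is a constructed value.
make_cert_valid_for() {   # make_cert_valid_for <days> <out-cert>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$1" \
    -subj '/CN=msl.example.com' -keyout "$WORK/k.pem" -out "$2" >/dev/null 2>&1
}

# expires_within: true when the certificate's notAfter falls within the next
# N seconds (-checkend exits non-zero in that case, so the sense is inverted).
expires_within() {   # expires_within <cert> <seconds>
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# severity: prints the event level MSL would raise for this certificate.
severity() {   # severity <cert>
  if expires_within "$1" 0; then
    echo 'CRITICAL (already expired)'
  elif expires_within "$1" "$WEEK"; then
    echo 'CRITICAL (expires in less than 1 week)'
  elif expires_within "$1" "$THREE_WEEKS"; then
    echo 'MAJOR (expires in less than 3 weeks)'
  else
    echo OK
  fi
}

# report_line: one log-style line per certificate, suitable for cron output.
report_line() {   # report_line <cert>
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo "$1: notAfter=$end severity=$(severity "$1")"
}

# Usage: create certificates that expire in 3, 14 and 90 days and classify each.
make_cert_valid_for 3  "$WORK/soon.pem"
make_cert_valid_for 14 "$WORK/weeks.pem"
make_cert_valid_for 90 "$WORK/fine.pem"
for c in "$WORK/soon.pem" "$WORK/weeks.pem" "$WORK/fine.pem"; do
  report_line "$c"
done
```

To check a deployed MBG / Web Proxy rather than a file, pipe `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509` into a file and pass that file to `report_line`; the thresholds are the same ones MSL uses, so the two sources of alerts should agree.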
