Skip to main content

Installing a trusted, externally-signed XClarity Orchestrator server certificate

You can choose to use a trusted server certificate that was signed by a private or commercial certificate authority (CA). To use an externally-signed server certificate, generate a certificate signing request (CSR), and then import the resulting server certificate to replace the existing server certificate.

About this task

As a best practice, always use v3 signed certificates.

The externally-signed server certificate must be created from the Certificate Signing Request that was most recently generated using the Generate CSR File button.

The externally-signed server certificate content must be a certificate bundle that contains the entire CA signing chain, including the CA’s root certificate, any intermediate certificates, and the server certificate.

If the new server certificate was not signed by a trusted third party, the next time that you connect to XClarity Orchestrator, your web browser displays a security message and dialog prompting you to accept the new certificate into the browser. To avoid the security messages, you can import the server certificate into your web browser's list of trusted certificates (see Importing the server certificate into a web browser).

XClarity Orchestrator begins using the new server certificate without terminating the current session. New sessions are established using the new certificate. To use the new certificate in use, restart your web browser.

Important
When the server certificate is modified, all established user sessions must accept the new certificate by clicking Ctrl+F5 to refresh the web browser and then re-establish their connection to XClarity Orchestrator.

Procedure

To generate and install an externally-signed server certificate, complete the following steps.

  1. Create a certificate signing request and save the file to your local system.
    1. From the XClarity Orchestrator menu bar, click Administration (Administration icon) > Security, and then click Server Certificate in the left navigation to display the Generate Certificate Signing Request card.
      Generate Certificate Signing Request (CSR) card
    2. From the Generate Certificate Signing Request (CSR) card, fill in the fields for the request.
      • Two-letter ISO 3166 code for the country or region of origin associated with the certificate organization (for example, US for the United States).
      • Full name of the state or province to be associated with the certificate (for example, California or New Brunswick).
      • Full name of the city to be associated with the certificate (for example, San Jose). The length of the value cannot exceed 50 characters.
      • Organization (company) that is to own the certificate. Typically, this is the legal incorporate name of a company. It should include any suffixes, such as Ltd., Inc., or Corp (for example, ACME International Ltd.). The length of this value cannot exceed 60 characters.
      • (Optional) Organization unit that is to own the certificate (for example, ABC Division). The length of this value cannot exceed 60 characters,
      • Common name of the certificate owner. This must be the hostname of the server that is using the certificate. The length of this value cannot exceed 63 characters.
      • (Optional) Subject alternative names that are added to the X.509 "subjectAltName" extension when the CSR is generated.

        By default, XClarity Orchestrator automatically defines subject alternative names for the CSR based on the IP address and hostname that are discovered by the network interfaces for the XClarity Orchestrator guest operating system. You can customize, delete, or add to these subject alternative name values. However, the subject alternative names must have the fully-qualified domain name (FQDN) or IP address of the server, and the subject name be set to the FQDN.

        The name that you specify must be valid for the selected type.
        • DNS (use the FQDN, for example, hostname.labs.company.com)
        • IP address (for example, 192.0.2.0)
        • email (for example, example@company.com)
        Note
        All subject alternative names that are listed in the table are validated, saved, and added to the CSR only after you generate the CSR in the next step.
  2. Provide the CSR to a trusted certificate authority (CA). The CA signs the CSR and returns a server certificate.
  3. Import the externally-signed server certificate and the CA certificate to XClarity Orchestrator, and replace the current server certificate.
    1. From the Generate Certificate Signing Request (CSR) card, click Import Certificate to display the Import Certificate dialog.
    2. Copy and paste the server certificate and CA certificate in PEM format. You must provide the entire certificate chain, beginning with the server certificate and ending in the root CA certificate.
    3. Click Import to store the server certificate in the XClarity Orchestrator trust store.
  4. Accept the new certificate by pressing Ctrl+F5 to refresh the browser and then re-establishing your connection to the web interface. This must be done by all established user sessions.