Manage Gateway certificates
By default, a Gateway Instance on Identity as a Service contains a self-signed SSL certificate that you can download. You can replace the self-signed certificate with one signed by a certificate authority (CA).
The CA can be a public CA such as Entrust Certificate Services (ECS) or a private CA. The CA-signed certificate is generated in response to a certificate signing request (CSR) generated by Identity as a Service. The CSR is a PKCS#10 file that is provided to the CA. The CA responds by issuing a signed certificate in PKCS#7 format or a list of certificates. The signed certificate is then uploaded to the Identity as a Service account. Once uploaded, Identity as a Service signals the Enterprise Service Gateway to download the new certificate and update its keystore.
SSL certificates are required for the following:
- Identity as a Service Gateway Instances with RADIUS and Entrust IdentityGuard agents require an SSL certificate to support authentication to RADIUS and Entrust IdentityGuard applications.
- The RADIUS agent requires an SSL certificate for EAP RADIUS authentication.
- Entrust IdentityGuard agents require a certificate to form a secure connection as an HTTPS service.
You must have the Enterprise Gateway and Agents Management role with Edit privileges to manage Gateway certificates.
The following sections explain how to export the SSL certificate of a Gateway Instance and how to generate a CA-signed certificate for it.
Export SSL certificate
You can download the SSL certificate of a Gateway Instance from Identity as a Service. You need this certificate to successfully configure RADIUS or Entrust IdentityGuard applications for Identity as a Service.
Note: The certificate can only be downloaded from a Gateway Instance that has been successfully configured on Identity as a Service. It cannot be downloaded from an instance that is only partially configured.
- Click the menu icon > Resources > Gateways. The Gateways page appears.
- Click the icon next to the Gateway.
- Select Export SSL certificate from the drop-down list. The Export SSL Certificate dialog box appears.
- Select SSL Certificate, Root CA Certificate, or Certificate Chain. The type you select depends on the application that will be using the certificate.
- Click Submit. The certificate is saved to your downloads folder.
Generate CA-signed certificates
Complete the following steps to generate a certificate signing request (CSR) to send to the certificate authority (CA).
- Click the menu icon > Resources > Gateways. The Gateways page appears.
- Click the icon next to the Gateway.
- Select Generate CSR from the drop-down list. The Generate CSR dialog box appears.
  Note: The Common Name (CN) field is auto-populated with the name of your Gateway Instance certificate.
- Enter values for any of the following attributes. The required values depend on the CA you are going to use to issue your CA-signed SSL certificate:
  Note: Enter plain values without the DN attribute name. For example, do not enter values with o= in front of them.
  - Organizational Unit (OU)—Enter the name of your organizational unit.
  - Organization (O)—Enter the name of your organization.
  - Locality (L)—Enter the city or other locality where the organization associated with this Entrust IdentityGuard server deployment is located.
  - State / Province (ST)—Enter the state, province, or territory of your organization.
  - Country (C)—Enter the 2-character country code.
- Click Next. The Subject Alt Names (SANs) dialog box appears. When generating a CSR, you need to specify the subject that goes in the DN; this is normally the host name of your server. If your server is also reached by other host names, you can specify them here, and they are included in the subjectAltName extension of your SSL certificate.
- Enter the Subject Alt Names (SANs) as follows:
  - Select either DNS Name or IP Address as the type of SAN.
  - In the Value field, enter the name of the Gateway Instance in DNS Name or IP Address format, matching the type you selected.
  - Click Add.
  - Repeat these steps for each SAN you want to add.
- Click Next. A Summary page appears.
- Click Generate CSR.
- If a pop-up window appears, select Save File, and click OK. The CSR is saved to your computer.
- Obtain a certificate from Entrust Certificate Services, as follows:
  - Go to Entrust Certificate Services at https://www.entrust.com/products/categories/ssl-certificates and select the type of certificate you want to purchase.
  - Follow the on-screen instructions to purchase the certificate, following these guidelines:
    - When prompted for a CSR, open the CSR file you just generated.
    - Copy and paste its contents into the field provided, and click Next. You must include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
      If your CSR is valid, a confirmation page appears showing the fully qualified domain name that you specified when creating the CSR (for example, my.example.com). If it is not correct, recreate the CSR with the correct information.
  - When prompted for contact information:
    - Specify different individuals for your Authorization, Technical, and Billing contacts. If you do not specify separate people, Entrust will contact you and ask you for this information.
    - List yourself as the Authorization or Technical contact. Entrust sends the SSL certificate to these contacts. (The certificate is not sent to the Billing contact.)
  - Record your order number to track your order.
    Entrust Certificate Services processes the order and sends you an email with a link to a Web page where you can pick up your certificate. The process takes three to five business days. You receive either one or several certificate files.
  - Save the file or files to a location of your choice.
- Click the icon next to the Gateway.
- Select Process CSR Response from the drop-down list. The Process CSR Response dialog box appears.
- Click the icon next to CSR Response File to select the SSL certificate you received from Entrust.
  Identity as a Service needs the entire chain of certificates to successfully process the CSR response. The response you received from your CA could be one of the following:
  - A single file containing a PKCS#7 certificate chain
  - A single file containing multiple certificates (including the SSL certificate, root certificate, and any issuing CA certificates)
  - Several files that each contain a separate certificate (including the SSL certificate, root certificate, and any issuing CA certificates)
  If you received a single file containing a certificate chain or multiple certificates, select that file as the CSR Response. If you received several files, select the SSL certificate among those files as the CSR Response.
  Note: If you received several files from a Microsoft CA as your CSR response, only the .p7b file needs to be uploaded as the CSR Response. No Additional Certificates need to be attached. If you received several files from Entrust Certificate Services (ECS) as your CSR response, "ServerCertificate.crt" is the name of the SSL certificate.
  Refer to the Certificate Installation Instructions from Entrust Certificate Services for more information.
- (Optional) If your CA delivered the certificate as multiple files, add the other files (not including the SSL certificate) provided by your CA as Additional Certificates, as follows:
  - Click the icon next to CSR Response File to select the files that make up your certificate, and select the certificate.
  - Click Open. The certificate appears as an entry under Additional Certificates.
  - Repeat these steps for every other certificate file you want to add as part of your certificate bundle.
- Click Submit.
Once the certificate is uploaded, Identity as a Service signals the gateway to download the new CA-signed certificate and update its keystore. The self-signed certificate has been replaced with the CA-signed certificate.
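The CSR generated above is a PKCS#10 request: its subject carries the plain attribute values from the form (CN, OU, O, L, ST, C, with no o= style prefixes), its subjectAltName extension lists the DNS names and IP addresses added as SANs, and the PEM framing supplies the BEGIN and END CERTIFICATE REQUEST lines the CA's form requires. The Go program below is an added example, not Identity as a Service code or a tool Entrust provides: it builds such a request from constructed values and then inspects it the way you would before submitting it, checking the self-signature, the CN and the presence of every SAN you expect. The host names and IP address are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net"
)

// CSRSpec mirrors the Generate CSR form: plain attribute values (no "o=" style
// prefixes) and the SANs, each entered as a DNS name or an IP address.
type CSRSpec struct {
	CN, OU, O, L, ST, C string
	DNSNames            []string
	IPAddresses         []string
}

// opt turns an optional form field into a subject attribute only when it was filled in.
func opt(s string) []string {
	if s == "" {
		return nil
	}
	return []string{s}
}

// BuildCSR generates a fresh P-256 key and a PEM-encoded PKCS#10 request for it.
// The PEM framing supplies the BEGIN/END CERTIFICATE REQUEST lines a CA expects.
func BuildCSR(spec CSRSpec) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         spec.CN,
			OrganizationalUnit: opt(spec.OU),
			Organization:       opt(spec.O),
			Locality:           opt(spec.L),
			Province:           opt(spec.ST),
			Country:            opt(spec.C),
		},
		DNSNames: spec.DNSNames,
	}
	for _, s := range spec.IPAddresses {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, nil, fmt.Errorf("invalid IP address SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), key, nil
}

// CheckCSR inspects a PEM CSR before it is sent to the CA: the self-signature must
// verify, the CN must be the gateway host name and every expected SAN must be
// present. It returns the SANs found, DNS names first, then IP addresses.
func CheckCSR(pemCSR []byte, wantCN string, wantSANs []string) ([]string, error) {
	block, _ := pem.Decode(pemCSR)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	if csr.Subject.CommonName != wantCN {
		return nil, fmt.Errorf("CN is %q, want %q", csr.Subject.CommonName, wantCN)
	}
	found := map[string]bool{}
	var sans []string
	for _, d := range csr.DNSNames {
		found[d] = true
		sans = append(sans, "DNS:"+d)
	}
	for _, ip := range csr.IPAddresses {
		found[ip.String()] = true
		sans = append(sans, "IP:"+ip.String())
	}
	for _, w := range wantSANs {
		if !found[w] {
			return sans, fmt.Errorf("expected SAN %q is missing from the CSR", w)
		}
	}
	return sans, nil
}

func main() {
	// Constructed values (assumptions); replace them with your gateway's real names.
	spec := CSRSpec{CN: "gw01.example.com", OU: "IT", O: "Example Corp", L: "Ottawa",
		ST: "Ontario", C: "CA", DNSNames: []string{"gw01.example.com", "radius.example.com"},
		IPAddresses: []string{"192.0.2.10"}}
	csrPEM, _, err := BuildCSR(spec)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM))
	sans, err := CheckCSR(csrPEM, spec.CN, []string{"gw01.example.com", "192.0.2.10"})
	fmt.Println("SANs:", sans, "check error:", err)
}
```

Run CheckCSR against the CSR file downloaded from the Gateway with the names your RADIUS and Entrust IdentityGuard clients actually use to reach it: a SAN that is missing here will be missing from the issued certificate too, and regenerating the CSR costs far less than a reissue.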
To Delete a CSR
- Click the icon next to the Gateway.
- Select Delete CSR from the drop-down list.
- On the confirmation prompt, click Delete.