
How to Install SSL certificate from a trusted CA in inSync server

Secure Sockets Layer (SSL) is the standard security technology for creating an encrypted link between a server and a client. This link ensures that all data passed between server and client remains private and intact. SSL is an industry standard used by millions of businesses to protect online transactions with their customers.

To establish an SSL link, a server requires an SSL certificate. When you activate SSL on your server you are prompted for details about the identity of your server (e.g. your website's URL) and your company (e.g. its name and location). Your server then creates a cryptographic key pair: a private key and a public key. The private key is so called for a reason: it must remain private and secure. The public key does not need to be secret and is placed into a Certificate Signing Request (CSR), a data file that also contains your details. You submit the CSR to your certificate provider, the SSL Certification Authority (CA), which validates your details and issues an SSL certificate containing them. Your server matches the issued certificate to your private key and can then establish an encrypted link with your clients.

Druva inSync uses a 256-bit SSL certificate in X.509 format for the web restore site and to encrypt transmission between the inSync server and its clients (the server runs in SSL v2 mode by default; see the chained certificate section below). This certificate is self-generated and is not trusted by web browsers, so when a client browser (IE, Firefox etc.) connects, the user gets a warning advising them not to proceed unless they trust the site. To remove this warning you have to install a certificate issued by a trusted certification authority.
The default SSL certificate for Druva inSync is stored at C:\inSyncServer4\inSyncServerSSL.key (this single file holds both the private key and the certificate). It can be replaced with a certificate obtained from a trusted certification authority such as Thawte, Verisign, etc.

The procedure to install a trusted certificate in Druva inSync is as follows:-

Using OpenSSL to generate CSR and Private Key:

STEP 1: The first part of enrolling for your SSL certificate is to generate a Certificate Signing Request (CSR). A CSR is a file containing your certificate application information, including your public key. To create it you need OpenSSL. To download OpenSSL for Windows, go to http://www.slproweb.com/download/Win32OpenSSL-1_0_0e.exe and install it. Please note that OpenSSL requires the Visual C++ 2008 Redistributables, which can be downloaded from the same website. (The 1.0.0 series linked here is long out of support; any current OpenSSL release from the same site works for the commands below.)

STEP 2: To generate a private key and a Certificate Signing Request in one go, open a command prompt, navigate to C:\OpenSSL-Win32\bin> and run the following command:

openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout myserver.key

This creates two files in the C:\OpenSSL-Win32\bin\ directory. The file myserver.key contains the private key; do not disclose this file to anyone. Because of -nodes the key is written unencrypted, so restrict access to it and move it out of the shared bin directory when you are done. Carefully protect the private key, and in particular back it up: there is no means to recover it should it be lost. The private key is used as input to generate the Certificate Signing Request file server.csr.

STEP 3: You will now be asked for the details to be entered into your CSR. What you are about to enter is called a Distinguished Name (DN). Some fields have a default value; if you enter '.', the field is left blank.

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Use the name of the web server as the Common Name (CN). If the domain is mydomain.com, append it to the host name, i.e. use the fully qualified domain name (FQDN). The Common Name must be the FQDN that clients will use to reach the web restore site over SSL; certificates are matched against the exact name, so a certificate issued for druva.com will not be valid for secure.druva.com. If the address to be used for SSL is secure.druva.com, ensure that the Common Name submitted in the CSR is secure.druva.com. Current browsers additionally require the FQDN to appear in the certificate's Subject Alternative Name (SAN) extension and ignore a name that is only in the CN, so confirm with your CA that the name is included in the SAN. The email address, optional company name and challenge password can be left blank for a server certificate.
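The interactive prompts above can be scripted, which also lets you add the Subject Alternative Name that current browsers require. The script below is an added example, not from the Druva page or product; it assumes the openssl CLI is on PATH and a POSIX shell (on Windows, Git Bash pointed at C:\OpenSSL-Win32\bin). The DN values are the page's worked example and the file names are placeholders. It goes one step beyond the page by reading back what the CA will actually see in the CSR and by checking that the CSR really was produced from the key you are keeping.

```shell
#!/bin/sh
# Non-interactive CSR with a Subject Alternative Name.
# Added example, not part of the Druva inSync page. Assumes the openssl CLI.

# make_csr <dir> <fqdn> [extra-fqdn ...]
# Writes <dir>/myserver.key (unencrypted because of -nodes: protect the
# directory) and <dir>/server.csr with CN=<fqdn> and every name in the SAN.
make_csr() {
  dir=$1; fqdn=$2; shift 2
  sans="DNS:$fqdn"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  # DN values below are the page's worked example; replace them for your site.
  cat > "$dir/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = san
[ dn ]
C  = GB
ST = Yorks
L  = York
O  = MyCompany Ltd
OU = IT
CN = $fqdn
[ san ]
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/csr.cnf" \
    -keyout "$dir/myserver.key" -out "$dir/server.csr" 2>/dev/null
}

# csr_names <csr>: print the CN and each DNS SAN, one per line, exactly as the
# CA will read them. Check this before pasting the CSR into the enrolment form.
csr_names() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" |
    sed 's/^[^=]*=//' | tr ',' '\n' | grep -o 'CN=.*'
  openssl req -noout -text -in "$1" | grep -o 'DNS:[^, ]*'
}

# csr_key_matches <csr> <key>: true only if the CSR's public key belongs to <key>.
# Guards against submitting a CSR that does not match the key you backed up.
csr_key_matches() {
  [ "$(openssl req -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}
```

Run make_csr with the web restore FQDN first and any additional names after it, then paste server.csr into the CA's form only after csr_names shows the expected CN and SANs and csr_key_matches returns success.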

Using Microsoft IIS to generate CSR and Private Key:

STEP 1: Follow the Knowledge Base article below for instructions on generating the CSR, and save it as server.csr: http://support.emerge.com.my/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=215&nav=0,27

STEP 2: Follow the Knowledge Base article below for instructions on backing up the private key: http://support.emerge.com.my/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=217

STEP 3: The private key is backed up as a .pfx file (Personal Information Exchange, a PKCS#12 container that also holds the certificate). To convert it to the RSA private key format supported by inSync, download and install the latest version of OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html. Please note that OpenSSL requires the Visual C++ 2008 Redistributables, which can be downloaded from the same website. Open a command prompt, navigate to C:\OpenSSL-Win32\bin> and run the following commands:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out myserver.key

The first command prompts for the .pfx import password and then for a pass phrase that protects the intermediate key.pem. The second removes that pass phrase and writes the key in the traditional format with the BEGIN RSA PRIVATE KEY header (on OpenSSL 3.x add -traditional to the second command, otherwise it writes a PKCS#8 BEGIN PRIVATE KEY header instead). Delete key.pem once myserver.key has been written.

The private key is saved as myserver.key. Carefully protect the private key and, in particular, be sure to back it up: there is no means to recover it should it be lost.

Loading the SSL Certificate in inSync Server Web Restore Portal:

STEP 1: The CSR and private key are now created. Open server.csr in a text editor and copy and paste its contents into the CA's online enrolment form when requested.

STEP 2: Once you receive the signed certificate from your certifying authority, install the key and certificate in the inSyncServerSSL.key file as follows:
1. Stop the Druva inSync Server and Druva inSync Control Panel services.
2. Back up your original inSyncServerSSL.key file.
3. Copy the contents of the private key from C:\OpenSSL-Win32\bin\myserver.key into C:\inSyncServer4\inSyncServerSSL.key and append the contents of the certificate file to it, so that the file looks like this (each marker has five dashes on each side, and nothing else goes between the blocks). The key block must carry the BEGIN RSA PRIVATE KEY header; if your key file says BEGIN PRIVATE KEY (the PKCS#8 form that some OpenSSL versions write), convert it first with the openssl rsa command shown in the IIS section above.

-----BEGIN RSA PRIVATE KEY-----
<Paste RSA Private Key here>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Paste X.509 Server Certificate Here>
-----END CERTIFICATE-----

Save the file and exit.

STEP 3: Replace the web restore IP address with the FQDN, which must be the name the certificate was issued for:
1. Open inSyncServer.cfg from "C:\inSyncServer4" and look for "WR_IP".
2. Enter the FQDN, for example: WR_IP = 'FQDN:443'
3. Start the Druva inSync Server and Druva inSync Control Panel services.

Using chained SSL certificate in inSync Server :

For enhanced security, most end-user certificates today are issued by intermediate certificate authorities rather than directly by a root. Installing an intermediate-signed certificate on an inSync server therefore requires installing a bundle of certificates: the private key, the server certificate and the intermediate certificate(s), in that order, so that each certificate is followed by the one that issued it. The root CA certificate is not needed, as browsers already trust it. The certificate chain to be loaded in C:\inSyncServer4\inSyncServerSSL.key is as follows:

-----BEGIN RSA PRIVATE KEY-----
<Paste Server RSA Private Key here>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Paste X.509 Server Certificate Here>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Paste X.509 Intermediate Certificate Here>
-----END CERTIFICATE-----

For inSync Server to recognize the certificate chain, the default SSL v2 mode has to be changed to SSL v3. SSL v2 has well-known weaknesses and has been prohibited since 2011 (RFC 6176), so this change is worth making even if you are not installing a chained certificate. To enable SSL v3 on the inSync server:
1. Open inSyncServer.cfg from "C:\inSyncServer4" and look for "ALLOW_SSLv2".
2. Change ALLOW_SSLv2 = True to ALLOW_SSLv2 = False.
3. Start the Druva inSync Server and Druva inSync Control Panel services (restart them if they are already running, so the new configuration is read).

On a client machine, open a web browser and connect to the server at the web/App restore address https://<inSync server FQDN>:443, then check that the browser reports a valid certificate issued to that FQDN with no warning.
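The loading steps in the previous section and the chain layout above can be assembled and checked before the services are restarted, which catches the mistakes that otherwise only show up as a server that will not start or a browser that still warns. The script below is an added example, not part of the Druva page or product; it assumes the openssl CLI on PATH and a POSIX shell (Git Bash on Windows), and all file names are placeholders. build_bundle writes the key first, converted to the traditional RSA PRIVATE KEY header the template requires (OpenSSL 3.x writes PKCS#8 unless told -traditional), then the server certificate, then any intermediates; the openssl x509 round-trip strips the "Bag Attributes" text that pkcs12 exports carry. check_bundle confirms the five-dash PEM markers, that the private key matches the server certificate, and that every certificate is issued by the one that follows it.

```shell
#!/bin/sh
# Build and sanity-check an inSyncServerSSL.key bundle (key + chain).
# Added example, not part of the Druva inSync page. Assumes the openssl CLI.

# to_traditional_rsa <in-key> <out-key>: write the key with the
# "BEGIN RSA PRIVATE KEY" header. OpenSSL 1.x does this by default;
# OpenSSL 3.x emits PKCS#8 and needs -traditional, so fall back to it.
to_traditional_rsa() {
  openssl rsa -in "$1" -out "$2" 2>/dev/null || return 1
  grep -q 'BEGIN RSA PRIVATE KEY' "$2" ||
    openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null
}

# build_bundle <out> <key> <server-cert> [intermediate-cert ...]
# Key first, then server cert, then intermediates, nothing between blocks.
build_bundle() {
  out=$1; key=$2; shift 2
  to_traditional_rsa "$key" "$out" || return 1
  for cert in "$@"; do
    # Re-encoding drops any text outside the PEM markers (e.g. Bag Attributes)
    openssl x509 -in "$cert" -out "$out.tmp" 2>/dev/null || return 1
    cat "$out.tmp" >> "$out" && rm -f "$out.tmp"
  done
}

# check_bundle <bundle>: exit 0 only if the file is one RSA key followed by
# one or more certificates, the key matches the first certificate, and each
# certificate's issuer is the subject of the next one (leaf-to-root order).
check_bundle() {
  b=$1; work=$(mktemp -d) || return 1
  # Split on five-dash BEGIN markers; four-dash pastes yield no blocks at all.
  awk -v d="$work" '/^-----BEGIN /{n++; f=sprintf("%s/%02d.pem", d, n)} n>0{print > f}' "$b"
  set -- "$work"/*.pem
  [ -f "$1" ] || { echo "no PEM blocks found (check the five-dash markers)"; return 1; }
  head -1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$' ||
    { echo "first block must be an RSA private key (blocks left in $work)"; return 1; }
  key=$1; shift
  [ $# -ge 1 ] || { echo "no certificate after the key"; return 1; }
  kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  cmod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] ||
    { echo "private key does not match the server certificate (blocks left in $work)"; return 1; }
  while [ $# -ge 2 ]; do
    iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[^=]*=//')
    sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^[^=]*=//')
    [ "$iss" = "$sub" ] ||
      { echo "chain break: $1 was not issued by $2 (blocks left in $work)"; return 1; }
    shift
  done
  rm -rf "$work"
  echo "bundle OK: key + $(grep -c '^-----BEGIN CERTIFICATE-----' "$b") certificate(s)"
}
```

Typical use is build_bundle inSyncServerSSL.key myserver.key server.crt intermediate.crt followed by check_bundle inSyncServerSSL.key; copy the file into C:\inSyncServer4 only when the check passes.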
