This product communicates with web browsers over HTTPS and uses a security certificate to encrypt communication data and perform mutual authentication. By default, a self-signed certificate is used when this product is installed. On a safe network, such as an intranet that is protected by a firewall, there is no problem with using a self-signed certificate. However, the following warning messages might be generated if the web browser is used to access the Internet.
When the web browser is started and a connection is made for the first time, a warning message is displayed regarding the security certificate.
To disable this warning message, create a certificate for the IP address or host name (FQDN) of this product that is entered in the web browser, and import it into the web browser.
Creating a Certificate
From your terminal (Windows or Linux), execute the openssl command on the virtual machine in which this product is running in order to create a certificate.
Example
The following example shows the command for setting a certificate with an expiration period of 20 years (-days 7300) for a virtual machine (in which this product is running) with an IP address of 192.0.2.10.
Edit the openssl.cnf file, and add a subjectAltName entry for the IP address or host name (FQDN) of this product.
Define “req_extensions = v3_req” in the [ req ] section.
[ req ]
req_extensions = v3_req
Define “subjectAltName = @alt_names” in the [ v3_req ] section.
[ v3_req ]
subjectAltName = @alt_names
Define the [ alt_names ] section, and define the IP address in that section.
If defining a host name (FQDN), define it in the format “DNS.1 = ”.
[ alt_names ]
IP.1 = 192.0.2.10
Execute the following command with the edited openssl.cnf file specified to create a certificate.
>..\bin\openssl.exe req -extensions v3_req -sha256 -new -x509 -nodes -newkey rsa:2048 -out server.crt -keyout server.key -days 7300 -config openssl.cnf <RETURN>
Generating a 2048 bit RSA private key
..+++
....................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:<RETURN>
State or Province Name (full name) []:<RETURN>
Locality Name (eg, city) [Default City]:<RETURN>
Organization Name (eg, company) [Default Company Ltd]:<RETURN>
Organizational Unit Name (eg, section) []:<RETURN>
Common Name (eg, your name or your server's hostname) []:192.0.2.10<RETURN>
Email Address []:<RETURN>
-out: Specify the name of the crt file to be generated.
-keyout: Specify the name of the key file to be generated.
-days: Specify the period for which the certificate is valid. This option is counted from the date when the command is executed. Enter a sufficiently long number of days, up to January 19th, 2038.
-config: Specify the openssl.cnf file.
Item | Required? | Description |
---|---|---|
Country Name | Optional | The two-letter abbreviation for your country (ISO-3166) |
State or Province Name | Optional | The state or province where this product is located |
Locality Name | Optional | The city where this product is located |
Organization Name | Optional | The exact legal name of your organization |
Organizational Unit Name | Optional | Optional for additional organizational information |
Common Name | Required | Enter the IP address or the host name (FQDN) of the virtual machine in which this product is running. Examples are shown below. |
Email Address | Optional | Contact E-mail address |
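The creation steps above can be scripted and checked before the files are transferred. The following is an added example, not part of the product manual: it writes a minimal standalone openssl.cnf (the `prompt = no` setting and `[ dn ]` section are assumptions so that it runs non-interactively), limits -days so the expiry stays before January 19th, 2038, and verifies the result. The function names are hypothetical and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the product manual). Assumes openssl is on PATH.
# 192.0.2.10 is the example address used on this page.

# Write a minimal standalone openssl.cnf with the three sections described above.
# $1 = alt_names entry, e.g. "IP.1 = 192.0.2.10"; $2 = Common Name
write_cnf() {
    cat > openssl.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = $2

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
$1
EOF
}

# Limit the requested validity so the expiry stays before January 19th, 2038.
# $1 = requested days; $2 = current epoch seconds (defaults to now)
clamp_days() {
    now=${2:-$(date +%s)}
    max=$(( (2147483647 - now) / 86400 ))   # 2147483647 = 2038-01-19 03:14:07 UTC
    if [ "$1" -gt "$max" ]; then echo "$max"; else echo "$1"; fi
}

# Generate server.key and server.crt with the same options as the command above.
# $1 = validity in days
make_cert() {
    ( umask 077   # keep server.key unreadable to other local users
      openssl req -extensions v3_req -sha256 -new -x509 -nodes -newkey rsa:2048 \
          -out server.crt -keyout server.key -days "$1" -config openssl.cnf 2>/dev/null )
}

# Check before transfer: the SAN value is present and server.key matches server.crt.
# $1 = expected SAN as printed by openssl, e.g. "IP Address:192.0.2.10"
check_cert() {
    openssl x509 -in server.crt -noout -text | grep -Fq "$1" || return 1
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = \
      "$(openssl pkey -in server.key -pubout)" ]
}
```

Typical use is `write_cnf "IP.1 = 192.0.2.10" 192.0.2.10`, then `make_cert "$(clamp_days 7300)"`, then `check_cert "IP Address:192.0.2.10"`; a non-zero status from check_cert means the certificate should not be registered.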
Setting a Certificate
After a certificate has been created, register it in this product.
Use SFTP to transfer the certificate that has been created (key file and crt file) to the virtual server in which this product is running.
Transfer destination: /Administrator/ftp
User: sftpadmin
Password: The password set under "Change sftpadmin Password" in the Configuration Wizard.
Log in to the console of this product using the administrator account (administrator).
Execute the following command to register the certificate in this product.
# csgadm sslcert set -key /Administrator/ftp/server.key -crt /Administrator/ftp/server.crt
Execute the following command to confirm that the certificate is registered correctly.
# csgadm sslcert show
Execute the following command to restart the HTTP service.
# csgadm service restart fjsvcsgcp-webserver.service
Importing a Certificate
Import the certificate to the web browser that you are using. Refer to "A.3 Support List" for details about the supported web browsers. Follow the procedure for the web browser you are using to import the certificate.
Information
You can use the following procedure to export the SSL server certificate that is registered in this product.
From the console, log in as the administrative user to the virtual machine in which this product is running.
Execute the following command.
# csgadm sslcert export -dir /Administrator/ftp
You can use SFTP to download the SSL server certificate that you have exported.
Use the following procedure to set the HTTPS port number.
You do not need to perform this procedure if you use the default HTTPS port number (9856).
From the console, log in as the administrative user to the virtual machine in which this product is running.
Execute the following command to set the HTTPS port number.
Set a number in the range from 5001 to 9999.
# csgadm service modify -port portNumber
Example
The following example shows the command for changing the port number to 5001.
# csgadm service modify -port 5001
After executing the command in step 2, you are asked if you want to reboot the system. Select "y" to reboot the system.