6.9.2. Procedure – Uploading external certificates to PSM

Purpose: 

Upload a certificate generated by an external PKI system to PSM.

Prerequisites: 

The certificate to upload. For the TSA X.509 Certificate and Server X.509 Certificate, the private key of the certificate is needed as well. The certificates must meet the following requirements:

  • PSM accepts certificates in PEM format. The DER format is currently not supported.

  • PSM accepts private keys in PEM (RSA and DSA), and PUTTY format. Password-protected private keys are also supported.

    Note

    PSM accepts passwords of at most 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

    For the internal CA certificate of PSM, uploading the private key is not required.

  • For the TSA certificate, the X509v3 Extended Key Usage extension must be present and marked critical, and its value must be Time Stamping.

  • For the Server certificate, the X509v3 Extended Key Usage extension must be present and its value must be TLS Web Server Authentication. The Common Name of the certificate must contain the domain name or the IP address of the PSM host. If the web interface is reachable on several interfaces or IP addresses, list every one of them in the Subject Alternative Name (subjectAltName) extension. Current browsers match the host name against the Subject Alternative Name rather than the Common Name, so include the domain name there as well.

  • For the certificate used to sign audit trails, the X509v3 Extended Key Usage extension must be present and its value must be TLS Web Server Authentication.

Balabit recommends using 2048-bit RSA keys (or stronger).

Steps: 

  1. Navigate to Basic Settings > Management > SSL certificate.

  2. Click the upload icon next to the certificate you want to replace. A pop-up window is displayed.

    Figure 6.27. Basic Settings > Management > SSL certificate — Uploading certificates

    Select Browse, select the file containing the certificate, and click Upload.

    For the Server X.509 Certificate, you can also upload a certificate chain. To do so, concatenate the certificates into a single file and upload it. Alternatively, paste the certificates one after another into the Certificate field and click Set. The certificates do not have to be in order: PSM orders them and validates the chain, and displays an error message if a member of the chain is missing.

    Note

    Certificate chains are supported only for the Server X.509 Certificate.

  3. To upload the private key corresponding to the certificate, click the upload icon next to the key. A pop-up window is displayed.

    Figure 6.28. Basic Settings > Management > SSL certificate — Uploading the private key

    Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    In case of a certificate chain, the private key must belong to the bottom-level (leaf) certificate of the chain, not to any CA certificate in it.

    Expected result: 

    The new certificate is uploaded. If you receive the Certificate issuer mismatch error message after importing a certificate, also import the CA certificate that signed it (the private key of the CA certificate is not required).

    Note

    To download previously uploaded certificates, click on the certificate and either download the certificate (or certificate chain) in one single PEM or DER file, or you can download single certificate files separately (if it is a certificate chain).
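The prerequisites above and the chain handling in steps 2 and 3 are easiest to verify before the upload. The script below is an added example and is not part of the Balabit documentation or of PSM itself: it builds a throwaway test PKI with openssl (root, issuing CA, a Server certificate for the PSM host and a TSA certificate), then checks the files the way PSM will, namely PEM rather than DER, the Extended Key Usage value and its criticality, that the private key belongs to the bottom-level certificate, and that the chain verifies with and without the issuing CA (the latter is the situation that produces the Certificate issuer mismatch error). The host name psm.example.com, the addresses 192.0.2.10 and 198.51.100.10, the subject names and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Balabit's code): build a throwaway PKI with openssl, then
# check certificates and keys against the PSM upload requirements above.
# All hostnames, addresses and file names below are assumed for the example.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

PSM_HOST=psm.example.com   # assumed; goes into the CN and SAN of the Server cert
# One extension section per PSM certificate type (the EKU settings the
# prerequisites ask for) plus a CA section for the test hierarchy.
cat > ext.cnf <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[tsa_ext]
extendedKeyUsage = critical, timeStamping
[server_ext]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PSM_HOST, IP:192.0.2.10, IP:198.51.100.10
EOF

# --- checks to run before uploading ------------------------------------------

# PSM only takes PEM; report which form a certificate file is in.
cert_format() { if grep -q 'BEGIN CERTIFICATE' "$1"; then echo PEM; else echo DER; fi; }

# Convert a DER certificate to the PEM form PSM expects.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Print the EKU extension as "<critical|non-critical>|<values>" from the text dump.
eku_of() {
    openssl x509 -in "$1" -noout -text | awk '
        /X509v3 Extended Key Usage/ {
            crit = ($0 ~ /critical/) ? "critical" : "non-critical"
            getline; sub(/^ +/, ""); print crit "|" $0 }'
}

# check_eku cert.pem tsa|server|audit -> exit 0 when the EKU meets the rules
check_eku() {
    eku=$(eku_of "$1")
    case "$2" in
        tsa)          [ "$eku" = "critical|Time Stamping" ] ;;
        server|audit) case "$eku" in *"TLS Web Server Authentication"*) true ;; *) false ;; esac ;;
        *)            echo "unknown certificate type: $2" >&2; return 2 ;;
    esac
}

# The uploaded private key must belong to the bottom-level certificate.
# Add -passin pass:... to the pkey call for a password-protected key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# chain_ok root.pem leaf.pem [intermediates.pem]: does the chain verify?
# Without the intermediate this is what PSM reports as "Certificate issuer mismatch".
chain_ok() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# --- a test hierarchy: root -> issuing CA -> Server and TSA leaves -----------
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -x509 -key root.key -subj "/CN=Example Root CA" -days 365 \
    -config ext.cnf -extensions ca_ext -out root.pem
openssl genrsa -out inter.key 2048 2>/dev/null
openssl req -new -key inter.key -subj "/CN=Example Issuing CA" -config ext.cnf -out inter.csr
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
    -extfile ext.cnf -extensions ca_ext -out inter.pem 2>/dev/null

issue() {  # issue <name> <subject> <extension section>; signed by the issuing CA
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -config ext.cnf -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA inter.pem -CAkey inter.key -CAcreateserial -days 365 \
        -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
issue server "/CN=$PSM_HOST" server_ext
issue tsa "/CN=Example TSA" tsa_ext

# Chain file for the Server X.509 Certificate upload: leaf and intermediate
# concatenated (order is irrelevant, PSM sorts them). A DER copy illustrates
# the format PSM rejects and the conversion needed.
cat server.pem inter.pem > server-chain.pem
openssl x509 -in server.pem -outform DER -out server.der

for t in tsa server; do
    check_eku "$t.pem" "$t" && echo "$t.pem: EKU as required" || echo "$t.pem: EKU WRONG"
done
key_matches_cert server.pem server.key && echo "server.key belongs to server.pem"
chain_ok root.pem server.pem inter.pem && echo "server chain: OK"
chain_ok root.pem server.pem || echo "server.pem alone: issuer missing (upload the issuing CA too)"
```

Run it with `sh`; it leaves nothing behind because the temporary directory is removed on exit. To check real files from your PKI, point `check_eku`, `key_matches_cert` and `chain_ok` at them instead of the generated ones, and pass the key password to `openssl pkey` with `-passin` if the key is encrypted.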