6.8.2. Procedure – Uploading external certificates to PSM

Purpose: 

Upload a certificate generated by an external PKI system to PSM.

Prerequisites: 

The certificate to upload. For the TSA and Server certificate, the private key of the certificate is needed as well. The certificates must meet the following requirements:

  • PSM accepts certificates in PEM format. The DER format is currently not supported.

  • PSM accepts private keys in PEM (RSA and DSA) and PuTTY format. Password-protected private keys are also supported.

    Note

    PSM accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

    For the internal CA certificate of PSM, uploading the private key is not required.

  • For the TSA certificate, the X509v3 Extended Key Usage attribute must be enabled and set to critical. Also, its default value must be set to Time Stamping.

  • For the Server certificate, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication. Also, the Common Name of the certificate must contain the domain name or the IP address of the PSM host. If the web interface is accessible from multiple interfaces or IP addresses, list every IP address using the Subject Alt Name option.

  • For the certificate used to sign audit trails, the X509v3 Extended Key Usage attribute must be enabled and its default value set to TLS Web Server Authentication.

Balabit recommends using 2048-bit RSA keys (or stronger).

Steps: 

  1. Navigate to Basic Settings > Management > SSL certificate.

  2. Click to upload the new certificate. A pop-up window is displayed.

    Figure 6.21. Basic Settings > Management > SSL certificate — Uploading certificates


    Select Browse, select the file containing the certificate, and click Upload. To upload a certificate chain, copy the certificates after each other in a single file. Alternatively, you can also copy-paste the certificate into the Certificate field and click Set.

    To copy-paste a certificate chain, copy and paste the certificates one after another. The certificates do not have to be in order; PSM orders them. The chain is validated: if a member of the chain is missing, an error message is displayed.

    Note

    In the case of the Server certificate, certificate chains are not supported.

  3. To upload the private key corresponding to the certificate, click the icon. A pop-up window is displayed.

    Figure 6.22. Basic Settings > Management > SSL certificate — Uploading the private key


    Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    In the case of a certificate chain, the private key must be the one belonging to the bottom-level (leaf) certificate of the chain.

    Expected result: 

    The new certificate is uploaded. If you receive the Certificate issuer mismatch error message after importing a certificate, you must also import the CA certificate that signed it (the private key of the CA certificate is not mandatory).

    Note

    To download previously uploaded certificates, click the certificate. You can download the certificate (or the whole certificate chain) as one PEM or DER file, or, in the case of a chain, download each certificate as a separate file.
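The requirements above (PEM format, Extended Key Usage and its criticality, host name in the CN or Subject Alt Name, key strength, private key belonging to the leaf certificate, and a complete chain) can all be checked with the openssl command line before the file is pasted into the web interface, which avoids the Certificate issuer mismatch and similar errors at upload time. The script below is an added example and is not part of the Balabit documentation or of PSM itself; it assumes an OpenSSL 1.1.1 or newer CLI and the output wording of that CLI (for instance the purpose text "Time Stamping" and "TLS Web Server Authentication"). The function names, the file names and the 2048-bit minimum are the example's own choices.

```shell
#!/bin/sh
# Pre-upload checks for certificates destined for PSM (added example, not
# part of the product documentation). Requires the openssl CLI (1.1.1+).
# Usage:  sh psm_cert_check.sh server.pem server.key psm.example.com
# or source the file and call check_tsa_upload / check_server_upload.

# 1. PSM accepts certificates in PEM only: DER has no BEGIN/END armour.
check_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 2. Extended Key Usage: $2 is the purpose text as openssl prints it
#    ("Time Stamping" or "TLS Web Server Authentication"); $3="critical"
#    additionally requires the extension to be marked critical (TSA case).
check_eku() {
  eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) || return 1
  printf '%s\n' "$eku" | grep -q -- "$2" || return 1
  [ "$3" != critical ] || printf '%s\n' "$eku" | grep -q 'Extended Key Usage: critical'
}

# 3. Server certificate must name the PSM host (CN or Subject Alt Name).
#    openssl's -checkhost falls back to the CN when no SAN is present.
check_host() {
  case $2 in
    *:*)       flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) flag=-checkhost ;;  # contains a letter or hyphen: DNS name
    *)         flag=-checkip ;;    # IPv4 literal
  esac
  openssl x509 -in "$1" -noout "$flag" "$2" 2>/dev/null | grep -q 'does match'
}

# 4. Key strength: at least $2 bits (Balabit recommends 2048-bit RSA).
#    $3 is an optional password for a password-protected key.
check_key_bits() {
  bits=$(openssl pkey -in "$1" -noout -text -passin "pass:${3:-}" 2>/dev/null \
         | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n1)
  [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# 5. The uploaded private key must belong to the leaf certificate: compare
#    the public key embedded in the certificate with the one derived from
#    the private key.
check_key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  b=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# 6. Chain completeness: the issuer of every certificate in the bundle must
#    appear as the subject of some certificate in the same bundle (a
#    self-signed root satisfies this trivially). A missing issuer is what
#    produces the "Certificate issuer mismatch" error at upload.
check_chain_complete() {
  names=$(openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
          | openssl pkcs7 -print_certs -noout 2>/dev/null) || return 1
  subjects=$(printf '%s\n' "$names" | sed -n 's/^subject=//p')
  printf '%s\n' "$names" | sed -n 's/^issuer=//p' | while IFS= read -r issuer; do
    printf '%s\n' "$subjects" | grep -qxF -- "$issuer" || exit 1
  done
}

# Composite checks for the two certificate types that need a private key.
check_tsa_upload() {     # $1 cert, $2 key, $3 optional key password
  check_pem "$1" && check_eku "$1" 'Time Stamping' critical &&
  check_key_bits "$2" 2048 "$3" && check_key_matches "$1" "$2" "$3"
}
check_server_upload() {  # $1 cert, $2 key, $3 PSM host, $4 optional password
  check_pem "$1" && check_eku "$1" 'TLS Web Server Authentication' &&
  check_host "$1" "$3" && check_key_bits "$2" 2048 "$4" &&
  check_key_matches "$1" "$2" "$4"
}

if [ "$#" -eq 3 ]; then
  check_server_upload "$@" && echo "server certificate and key look acceptable"
fi
```

Each function exits 0 on success and 1 on failure, so they compose with `&&` in a pre-deployment script. The chain check compares issuer and subject names only, which mirrors the error message PSM gives; it does not verify signatures, so run `openssl verify` as well if you want cryptographic confirmation of the chain.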