The IDERA Dashboard Web Application service comes with TLS1.2 already set up. By default, TLS works with a self-signed certificate. This certificate can be used for encryption only and does not prove the identity of the server.
That default certificate is not signed by any well-known Certification Authority (CA), and is intended only for use in testing purposes. When a user attempts to open the TLS version of the IDERA Dashboard Web interface, a warning appears in the browser window.
If you decide to continue working with this self-signed certificate , you must perform several steps to "accept" the certificate before you can access the site. This step usually occurs only the first time you access the site. Then the self-signed certificate is stored in the browser database marked as trusted. This scenario is suitable for testing purposes.
If you want to obtain a CA-signed certificate , use the steps below to obtain a certificate signed by a well-known CA. The role of a CA is to verify that the IDERA Dashboard Web Application you are trying to access actually has the name you are trying to access it by, and that this server actually belongs to your organization.
Certificates are issued by trusted third-party Certification Authorities (CAs). Many CAs simply verify the domain name and issue the certificate, whereas others (VeriSign, etc.) verify the existence of your business, the ownership of your domain name, and your authority to apply for the certificate, providing a higher standard of authentication.
Every browser comes with a pre-defined list of well-known CAs. You can find a sample list of CAs at http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities/.
Along with the name of your organization and the name of your server, a CA-signed certificate contains the public key of the server. This public key is used by the browser to encrypt data sent to the server. There is a private key on the server. The server uses the private key to decrypt the data encrypted by the public key. The private key should be kept secure on the server to prevent unauthorized access.
For more information about public key cryptography, see http://en.wikipedia.org/wiki/Public-key_cryptography. To learn more about certificates and steps to buy a certificate, refer to a CA website such as:
Before the CA can issue you the certificate, you should generate private key and the certificate request and send it to the CA for signing. The certificate request and the private key should be generated using the
openssl command unless otherwise instructed by the CA.
While generating the private key and certificate request, replace the
The following steps show you how to install a SSL certificate purchased from a Certification Authority. Your SSL vendor may have different instructions, please check with them for proper certificate installation. The following examples refer to GoDaddy and VeriSign.
To enable a certificate, use the Java keytool - a key and certificate management utility. The keytool stores the keys and certificates in a so-called keystore.
It is assumed that you have both the private key file and certificate file in the PEM format and OpenSSL tool for Windows is installed into. It is also assumed that the private key file is called
wildcard.idera.com.key and the certificate file is called
wildcard.idera.com.crt and both are on disk
C, in the root directory.
You can download OpenSSL for Windows installation package from http://gnuwin32.sourceforge.net/packages/openssl.htm.
cd\commands to go to the root directory of the disk C, where the key and certificates are located.
C:\OpenSSL\bin\openssl pkcs8 -topk8 -nocrypt -in wildcard.idera.com.key -inform PEM -out wildcard.idera.com.key.der -outform DER
C:\OpenSSL\bin\openssl x509 -in wildcard.idera.com.crt -inform PEM -out wildcard.idera.com.crt.der -outform DER
cdcommand to go to the directory where the keytool is located.
cd "C:\Program Files\Idera\Dashboard\WebApplication\JRE\bin\"
Run the following command. It will launch the ImportKey utility and create the keystore file (default name is keystore.ImportKey) in your home directory (in Windows 2008 it is usually
C:\Users\<your username>). The private key and the certificate will be placed there.
java ImportKey c:\wildcard.idera.com.key.der c:\wildcard.idera.com.crt.der
The keystore and key passwords both must be set to password.
keytool -storepasswd -keystore c:\Users\Administrator\keystore.ImportKey
keytool -keypasswd -alias importkey -ketstore c:\Users\Administrator\keystore.ImportKey
Import the received trusted certificate into your keystore file.
keytool -import -alias intermed -file c:\sf_issuing.crt -keystore c:\Users\Administrator\keystore.ImportKey -trustcacerts
Internet Explorer may change the file extension. If the command above does not work, try
keystore.old. Then rename the file
-importcommand. Subsequent keytool commands must use this same alias to refer to the entity.
-keystoreoption for specifying the name and location of the persistent keystore file for the keystore managed by keytool. A keystore is created when you use
-importcommand to add data to a keystore that does not already exist. If you do not specify a
-keystoreoption, the default keystore is a file named
.keystorein your home directory (as determined by the "user.home" system property). If that file does not already exist, it will be created.
Read more about Java keytool for Windows: