Skyhigh Security

Replace the Default Root Certificate Authority

You can replace the default root certificate authority (CA), which is provided after the initial setup for signing the certificates that the appliance sends to its clients, with a certificate authority of your own.

You can create a new root certificate authority on the user interface or import one from your file system.

Create a root certificate authority

You can create a root certificate authority (CA) for signing the certificates the appliance sends to its clients and use it instead of the default certificate authority.

  1. Select Policy | Settings.
  2. On the Engines branch of the settings tree, go to SSL Client Context with CA and select the settings you want to use the new certificate authority for.
  3. Click Generate New.

    The Generate New Certificate Authority window opens.
     
  4. In the Organization and Locality fields, type suitable information for your own certificate authority.
  5. [Optional] In the Organizational unit and State fields, type suitable information. From the Country list, select a country.
  6. In the Common name field, type a common name for your own certificate authority.
  7. [Optional] In the Email address field, type an email address of your organization.
  8. From the Valid for list, select the time that your certificate authority should be valid.
  9. [Optional] In the Comment field, type a plain-text comment on the certificate authority.
  10. Click OK.

The new certificate authority is generated.

  11. Click Save Changes.

 

Import a root certificate authority

You can import a root certificate authority (CA) for signing the certificates the appliance sends to its clients and use it instead of the default certificate authority.

  1. Select Policy | Settings.
  2. On the settings tree, select SSL Client Context with CA and click the settings you want to use the imported certificate authority for.
  3. Click Import.

The Import Certificate Authority window opens.

  4. Enter the name of the certificate authority file in the Certificate field by clicking Browse and browsing to a suitable file.

    The file must be encoded in PEM (Privacy-Enhanced Mail) format.

  5. Enter the name of the certificate key file in the Private key field by clicking Browse and browsing to a suitable file.

    The file must be encoded in PEM format. The key must have a length of at least 2048 bits.

  6. [Conditional] If the private key is protected by a password, type it in the Password field. Along with unencrypted keys, importing the following key types is supported:
    • AES-128-bit encrypted
    • AES-256-bit encrypted
    • PEM(BASE64-text)-encoded certificates and private key (one per file)
    • multiple PEM(BASE64-text)-encoded certificates for certificate chains
  7. [Conditional] If the certificate authority is part of a certificate chain and you want to provide information on this chain with the certificate, enter the name of the file containing the information in the Certificate chain field by clicking Browse and browsing to a suitable file.

    The file must be encoded in PEM format.

  8. Click OK.

The certificate authority is imported.

  9. Click Save Changes.
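
A pre-import check for the file requirements listed in the import steps above (PEM encoding, key length of at least 2048 bits, optional key password), as an added example that is not part of the vendor documentation. It assumes the openssl command-line tool and an RSA key; the function name check_ca_files, the CA:TRUE check and the key-match check are additions not stated on this page.

```shell
#!/bin/sh
# Added example (not vendor code): verify a CA certificate and its private
# key against the import requirements before uploading them.
# Assumptions: openssl CLI is installed; the key is RSA.

# check_ca_files CERT KEY [PASSWORD]
# Returns 0 if all checks pass; prints the first failed check and returns 1.
check_ca_files() {
    cert=$1; key=$2; pass=${3:-}

    # 1. Both files must be PEM (BASE64 text between BEGIN/END markers).
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "FAIL: $key is not a PEM private key"; return 1; }

    # 2. The certificate must parse and be marked as a CA (added check).
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: $cert does not parse as X.509"; return 1; }
    printf '%s\n' "$text" | grep -q 'CA:TRUE' ||
        { echo "FAIL: $cert lacks basicConstraints CA:TRUE"; return 1; }

    # 3. The key length must be at least 2048 bits.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key length ${bits:-unknown} is below 2048 bits"; return 1; }

    # 4. The private key must open with the given password and match the
    #    certificate's public key (added check). The password is handed to
    #    openssl through the environment, not the argument list.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(KEYPASS="$pass" openssl pkey -in "$key" \
        -passin env:KEYPASS -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read $key (wrong password or damaged file)"; return 1; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not belong to $cert"; return 1; }

    echo "OK: $cert and $key pass the import checks ($bits-bit key)"
}

# Usage (file names are placeholders):
#   check_ca_files my-ca.pem my-ca.key 'key-password'
```
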