Third-Party Certificate

This method uses a certificate issued by a recognized third-party certificate authority (CA) to secure the HTTPS connection: the certificate lets browsers verify the controller's identity, and the key pair behind it is used to establish the encrypted session. Unlike the self-signed certificate method, third-party certificates generally require an annual fee; however, they are trusted by web browsers without any per-client configuration.

The process has five main stages:

  1. The installer generates a private/public key pair and a certificate signing request (CSR) for their domain. The private key never leaves the installer's machine; only the CSR is sent to the CA.
  2. The installer submits the certificate signing request to the certificate authority.
  3. The certificate authority provides a validation file which is loaded onto the controller.
  4. The certificate authority validates the domain and provides the certificate.
  5. Finally, the installer converts the certificate format (if necessary) and installs the certificate onto the controller.

Requirements for Third-Party Certificates

  • The controller must be reachable from the internet on external port 80, because the CA fetches the validation file over plain HTTP. This only has to be the case while validation is in progress, at initial issue and at each renewal.
  • The controller must be externally accessible via a hostname.

    Either static IP or DDNS (see Setting Up Integrated DDNS) can be used to assign this hostname.

  • The operator must renew the certificate before it expires; an expired certificate produces the same browser warnings as a self-signed one.
  • Different certificate authorities have different requirements. For example, some CAs validate domain ownership by a DNS record or an email to the domain contact rather than by a file, in which case the validation-file stage below does not apply. It is recommended that you carefully note all requirements for your chosen CA before beginning.

If you need help when obtaining and loading a third-party certificate, consult your IT support. ICT Technical Support cannot assist with this process.

Creating a Private Key and Certificate Signing Request

To begin, it is necessary to generate the private/public key pair on which the HTTPS connection will be based. The private key stays on your machine (and later on the controller) and is never sent to the CA. The public key is integrated into a certificate signing request which is submitted to the CA.

The following instructions will use the free OpenSSL utility. The latest version of OpenSSL for Windows can be downloaded from this page.

  1. Download and install the OpenSSL utility.
  2. Navigate to the installation directory, open the bin folder, locate the openssl executable and run it as an administrator. This will open the OpenSSL command prompt.
  3. To generate the key pair and signing request, enter the following command, replacing [name] with your desired filename:

    req -newkey rsa:2048 -keyout [name].key -out [name].csr

    This generates a new 2048-bit RSA private key (.key file) and a certificate signing request (.csr file). The files appear in the current OpenSSL directory.

  4. Enter a passphrase for the private key. The passphrase encrypts the private key on disk to protect it against anyone with access to your local system, and it will be required whenever the private key is used (for example when creating the .pfx file later). Passphrase characters are not displayed in the console, and only alphanumeric characters are supported.
  5. Enter your location and identity information as requested. These details will be incorporated into your certificate and will be publicly viewable from the web browser.
  6. Ensure that the Common Name is exactly the domain name (hostname) being used for the controller, e.g. controller.example.com. The CA issues the certificate for this name, so a mismatch will cause browser warnings.

    Some details are optional. Confirm with your CA which fields are required.

  7. Save both files in a safe, known location, as both are required for the following steps. It is especially important that the private key is never shared or publicly accessible; only the .csr file is sent to the CA.
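The same key and CSR generation as the steps above, scripted so it can be repeated and checked before anything is sent to the CA. This is an added example and not code from the original page or from the controller vendor. It assumes a Unix-style shell with OpenSSL 1.1.1 or later on the PATH (on the Windows OpenSSL prompt from step 2 the same openssl arguments apply without the shell wrapper); the hostname controller.example.com, the subject fields and the passphrase are placeholders. It goes one step beyond the text: it also places the hostname in a Subject Alternative Name, which modern browsers require in addition to the Common Name, and it verifies the CSR's signature, names and key before submission.

```shell
#!/bin/sh
# Added example, not from the original page. Hostname, subject fields and
# passphrase below are placeholders.
set -eu

# make_csr NAME HOSTNAME PASSPHRASE
#   Writes NAME.key (passphrase-protected 2048-bit RSA key) and NAME.csr.
#   The hostname goes in both the Common Name and a Subject Alternative Name,
#   because browsers match the SAN, not the CN.
make_csr() {
  name=$1; host=$2; pass=$3
  # Passphrase via the environment rather than the command line, so it does
  # not show up in the process list.
  CSR_PASS=$pass openssl req -newkey rsa:2048 -sha256 \
    -keyout "$name.key" -passout env:CSR_PASS \
    -out "$name.csr" \
    -subj "/C=NZ/ST=Auckland/L=Auckland/O=Example Ltd/CN=$host" \
    -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$name.key"
}

# check_csr NAME HOSTNAME PASSPHRASE
#   Returns 0 when the CSR's self-signature verifies, its CN and SAN both
#   name HOSTNAME, and its public key matches the private key in NAME.key.
check_csr() {
  name=$1; host=$2; pass=$3
  openssl req -in "$name.csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$name.csr" -noout -text)
  echo "$text" | grep -q "CN *= *$host" || return 1
  echo "$text" | grep -q "DNS:$host" || return 1
  csr_pub=$(openssl req -in "$name.csr" -noout -pubkey)
  key_pub=$(CSR_PASS=$pass openssl pkey -in "$name.key" -passin env:CSR_PASS -pubout)
  [ "$csr_pub" = "$key_pub" ]
}
```

Run `make_csr ctrl controller.example.com <passphrase>` followed by `check_csr` with the same arguments; a non-zero exit from the check means the CSR should not be submitted. The `-verify` step catches a corrupted or hand-edited CSR, and the public-key comparison catches the common mistake of pairing a CSR with the wrong .key file, which would only surface later when the .pfx export fails.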

Purchasing a Certificate

Below are very basic instructions for purchasing a third-party certificate from a CA. Every CA will have different processes and requirements - this is only intended to be a rough guide to what is required for implementation on a controller.

  1. Begin the process of generating a certificate from a recognized CA such as:

    • GoDaddy: https://nz.godaddy.com/web-security/ssl-certificate
    • Network Solutions: https://www.networksolutions.com/
    • RapidSSL: https://www.rapidsslonline.com/

    It is important that you select File-Based or HTTP-based Validation (or equivalent) when asked to choose an authentication/validation method. You will require a .txt file to upload to the controller.

  2. When prompted, upload the text of your Certificate Signing Request (.csr).
  3. Follow the CA's instructions to complete the request. You should be prompted to download a .txt validation file.

    DO NOT change the name or contents of this file.

Authenticating the Certificate

The .txt file that you received in the previous steps must be uploaded to a known directory on your domain (in this case, the controller) so that it can be fetched by the CA. Serving the file from that location proves to the CA that you control the domain named in the CSR.

  1. Access the controller's web interface by typing its IP address into the address bar of a web browser, then log in with your username and password.
  2. Navigate to the System Settings.
  3. In the General tab, select the Use HTTPS checkbox (if not already enabled).
  4. Enter an appropriate HTTPS Port. The default is port 443, which is commonly used for this purpose. You should retain the default port unless you are required to use another port by your system administrator.
  5. Click Load Validation File and browse to the .txt validation file to load it onto the controller.
  6. Open the Adaptor - Onboard Ethernet tab. Enter the controller's domain name in the Controller Hostname field.
  7. Confirm that the file is publicly accessible by using another machine, preferably outside your network, to browse to http://[domainname]/.well-known/pki-validation/[filename].txt. You should see the exact content of your validation file. Note that the directory is .well-known (with a hyphen) and that the request is plain HTTP on port 80, not HTTPS.
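A scripted version of the check in step 7, fetching the validation file the way the CA will and comparing it byte-for-byte with the local copy. This is an added example, not part of the original page or the vendor's tooling. It assumes curl is installed; the hostname is a placeholder, and the optional third argument exists so the same check can be run against a local copy of the web root (for instance a file:// URL) without the controller being reachable.

```shell
#!/bin/sh
# Added example, not from the original page. Hostname and file are placeholders.
set -eu

# check_validation_file HOSTNAME LOCALFILE [BASEURL]
#   Fetches /.well-known/pki-validation/<LOCALFILE's name> under BASEURL
#   (default http://HOSTNAME, i.e. plain HTTP on port 80) and returns 0 only
#   if the body is identical to LOCALFILE.
check_validation_file() {
  host=$1; local_file=$2; base=${3:-http://$host}
  url="$base/.well-known/pki-validation/$(basename "$local_file")"
  # No -L: a redirect (for example an HTTP-to-HTTPS redirect) returns the
  # redirect page instead of the file, so it shows up as a content mismatch.
  # --fail turns a 403/404 into a non-zero exit rather than "content".
  fetched=$(curl -sS --fail "$url") || return 1
  [ "$fetched" = "$(cat "$local_file")" ]
}
```

Call it as `check_validation_file controller.example.com ./validation.txt` from a machine outside the controller's network; a mismatch usually means a renamed file, an HTTP-to-HTTPS redirect, or a port-80 forward that is not in place.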

Once the CA has verified that your validation file is accessible, you will be sent the signed certificate. Wait times vary between providers, but typically range from under an hour to several hours.

Converting the Certificate Format

The controller requires a PKCS#12 bundle with the .pfx extension. Your CA may have provided a different file type, potentially several files such as a certificate (e.g. .cer, .crt or .pem) and an intermediate certificate. These must be combined with the private key generated with your certificate request to create a .pfx file. The following instructions will use the OpenSSL utility installed above.

  1. Navigate to the installation directory, open the bin folder, locate the openssl executable and run it as an administrator. This will open the OpenSSL command prompt.
  2. Export your certificate as a .pfx file using the following command, replacing [name] with your filenames and [cer/crt/pem] with the extension on your certificate file:

    pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out [name].pfx -inkey [name].key -in [name].[cer/crt/pem]

    Always include the -certpbe, -keypbe and -nomac arguments so that the .pfx file is encrypted in a way the controller can read. These arguments select older (SHA-1/3DES) PKCS#12 encryption for the bundle file itself; they do not affect the encryption of the HTTPS connection, but they are a reason to choose a strong export password and to keep the .pfx file off shared locations.

    Note: If you have been provided with an intermediate certificate you must include it by appending -certfile [intermediatename].[cer/crt/pem] to the end of the command:

    pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out [name].pfx -inkey [name].key -in [name].[cer/crt/pem] -certfile [intermediatename].[cer/crt/pem]

    Android devices (and other clients that do not fetch missing issuer certificates on their own) will fail to connect if the intermediate certificate is not included in the .pfx file loaded onto the controller.

  3. Enter the passphrase for the private key (set above) to continue. Passphrase characters are not displayed in the console.
  4. Enter an export password when requested. This protects the .pfx file and will be required when installing the certificate on the controller.
  5. This process generates a [name].pfx file in the current OpenSSL directory. This is your third-party certificate bundle: the certificate, any intermediate, and your private key. Store this file in a safe, known location, since it contains the private key.

Installing the Certificate on the Controller

  1. Log in to the controller's web interface and navigate to the System Settings.
  2. Scroll to the Certificate File section. Click Install Certificate and browse to the .pfx certificate file to install it on the controller.
  3. Enter the export password that you created when generating the certificate file.
  4. Click Save, then restart the controller using the button on the top right to apply the new settings.
  5. The web page will not refresh automatically once the restart is complete.
  6. Browse to the controller web page by adding the prefix https:// to the beginning of the hostname (e.g. https://controller.example.com). Use the hostname the certificate was issued for rather than the IP address; browsing by IP address produces a name-mismatch warning even though the certificate is installed correctly.

A lock or similar icon in the browser toolbar should indicate that the connection is secure. Click on this icon to see details about the certificate, including the information you entered in the certificate signing request.