How to configure SSL for NAM Console 2019

Applies to NAM 2019

The default certificate provided with the NAM Console server installation is self-signed. If your security policy requires that a signed certificate be used for the NAM Console server, you can provide your own certificate issued by a trusted authority. The procedures in this topic describe how.

Starting with NAM 2019, we have a certificate management tool that takes care of the tasks handled by the keytool utility required in earlier releases.

  • If you are running an earlier release (or if you prefer to use a command line tool), see How to configure SSL for NAM Console for keytool procedures.
  • If you are running NAM 2019, select Housekeeping > Maintenance in the NAM Console, select the Certificates tile, and use the new certificate management tool to manage your SSL certificates for the NAM Console.

Overview

  • The uploaded certificate and key information must be encoded in either PKCS12 or Base64 format.
  • If a new SSL certificate is uploaded and you do not provide a private key (in the uploaded file), it is assumed that the current private key is to be used.
  • A new key and certificates become effective after restart.

Creating a certificate signing request (CSR)

A certificate signing request (CSR) is a text file specifying your organization's details and your server’s public key.

  1. Open the NAM Console Certificates tool.
    The Certificates page displays the information on the private key and the server certificates chain.
  2. Click Generate CSR.
    The Generate Certificate Signing Request page displays the certificate fields (host, organization, etc.) and the Certificate Signing Request generated from the contents of those fields.
    • To use the current CSR information unchanged, click Copy to clipboard or Download file.
    • To change the CSR information, update the certificate fields as needed, click Regenerate to update the CSR displayed in the Certificate Signing Request box, and then copy or download the updated CSR.
  3. Use the created CSR file to apply for a signed certificate. Apply to the appropriate Certificate Authority and provide the CSR file.

Importing the certificates from a certificate authority

Most end-user certificates are issued by intermediate certificate authorities, so you must import not only the certificate reply but also a trusted certificate entry for each certificate in the chain: the intermediate and root certificates.

  1. Open the NAM Console Certificates tool.

  2. Click Upload certificates to upload certificates from a file. Enter a password if the file has a password.

    • If the file includes a private key, the certificates chain is cleared.
    • If the file does not include a private key, the certificates in the file are added to the chain.

    Supported file formats:

    • PKCS #12
    • PEM (Base64-encoded private keys and certificates)
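
Because the presence of a private key decides whether the upload clears the chain or adds to it, it helps to inspect a PEM file before uploading it. The following pre-upload check is an added example, not part of NAM or its documentation; the function name inspect_pem, the helper make_pem and the sample data are constructed for illustration.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

def inspect_pem(text):
    """Classify the PEM blocks in an upload file and predict the effect."""
    report = {"keys": 0, "certs": 0, "needs_password": False, "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys put "Proc-Type:"/"DEK-Info:" headers first.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
            report["needs_password"] = True
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            report["problems"].append(f"{label}: body is not valid Base64")
            continue
        if not der.startswith(b"\x30"):  # keys and certs are DER SEQUENCEs
            report["problems"].append(f"{label}: body is not a DER SEQUENCE")
        elif label in KEY_LABELS:
            report["keys"] += 1
        elif label == "CERTIFICATE":
            report["certs"] += 1
        else:  # for example a CSR pasted instead of the CA reply
            report["problems"].append(f"{label}: not a key or certificate")
    if report["certs"] == 0:
        report["problems"].append("no usable CERTIFICATE block")
    report["effect"] = ("chain cleared; key and certificates replaced"
                        if report["keys"] else
                        "certificates added to chain; current key kept")
    return report

def make_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed placeholder DER bytes, not real keys or certificates.
FAKE = b"\x30\x03\x02\x01\x00"
CHAIN_ONLY = make_pem("CERTIFICATE", FAKE) * 2
KEY_AND_CERT = make_pem("PRIVATE KEY", FAKE) + make_pem("CERTIFICATE", FAKE)
DAMAGED = "-----BEGIN CERTIFICATE-----\nMIIB@@@\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name in ("CHAIN_ONLY", "KEY_AND_CERT", "DAMAGED"):
        print(name, inspect_pem(globals()[name]))
```

The check only looks at PEM structure; it does not validate signatures, expiry or chain order.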

Generating a self-signed SSL certificate

  1. Open the NAM Console Certificates tool.
    The Certificates page displays the information on the private key and the server certificates chain.
  2. Click Generate certificate.
    The Generate self-signed SSL certificate page displays the certificate fields (host, organization, etc.) you need to generate a self-signed SSL certificate.
  3. Update the certificate fields as needed.
  4. Click Generate to generate a self-signed SSL certificate based on the displayed certificate fields.

Managing the KeyStore password

The KeyStore password is required to upload certificates. If you change the KeyStore password (using keytool), you need to change the NAM Console KeyStore password to match:

  1. Open the config.ini file in your NAM Console installation.
  2. The default NAM Console KeyStore password is specified as:
    jetty.keystore.password=jettypasswd
  3. Change jettypasswd to the new password and save the file.
    To use an obfuscated password, insert OBF: before the obfuscated new password:
    jetty.keystore.password=OBF:yourobfuscatednewpassword