Installation guide
Creating and Installing Certificates
Acano solution: Deployment Guide R1.2 76-1006-06-K
- For Lync Front End Server – required for Lync integration so the Lync Front End Server trusts
  the Acano solution
- XMPP – required only if using native Acano clients so that the clients know they have reached
  the XMPP server and trust the connection
- Web Bridge – required only if using WebRTC clients so the browsers know they have reached the
  Web Bridge and can use HTTPS on the connection
These can be different pairs or the same pair of files, i.e. from 1 to 4 pairs of private key and
certificate files are required.
The certificate can have a .crt, .cer, .pem or .der extension, and the private key needs a .pem,
.der or .key extension. Key files should contain an RSA or DSA key encoded as either PEM or
DER. The certificate file should be an X.509 certificate encoded as PEM or DER. File names can
contain alphanumeric, hyphen or underscore characters.
There are several tools for generating CSRs for CAs to sign, e.g. openssl, but the MMP also
includes one called PKI (Public Key Infrastructure). Alternatively, the MMP can create
self-signed certificates: these are useful for testing and intranets. The MMP commands are shown
in the next section for the Web Admin Interface, and they can be used again for the other keys
and certificates if you are using different pairs for each service. (The openssl equivalents are
in Appendix C and can be used if you prefer.)
Note: If you self-sign a certificate for one of the Acano components mentioned above, you may
see a warning message that the service is untrusted when you use it. To avoid these messages
you will need to re-issue the certificate and have it signed by a trusted CA: this can be an
internal CA unless you want public access to this component.
3.2 Checking the Web Admin Interface Certificate and Key
If you have previously followed the Acano Server or the virtualized deployment Installation Guide
you will have set up the certificate for the Web Admin Interface. (If you have not, do so now.) To
check the certificate and its matching private key, use the MMP’s PKI commands (see the Acano
solution MMP Command Reference document for a full description).
1. SSH into the MMP and enter the following command which lists PKI files i.e. private keys,
   certificates and certificate signing requests (CSRs):
       pki list
   You should see the webserver.pem and webserver.crt files (or the filenames that you used
   instead during installation).
2. Enter the following command which checks whether the specified key and certificate match.
   A private key and a certificate are two halves of one usable identity and must match if they
   are to be used for a service e.g. XMPP:
       pki match <key> <certificate>
       pki match webserver.pem webserver.crt
Note: In the rest of this document, commands are shown in black and must be entered exactly
as given. Examples are shown in blue and must be adapted to your deployment appropriately.
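The same key/certificate check can be run on a workstation before the files are uploaded. The script below is an added example, not taken from this guide, its Appendix C or the MMP's own implementation of pki match; the function names are hypothetical. It assumes openssl is installed and the private key is not passphrase-protected, and it tries PEM and then DER because both encodings are accepted.

```shell
#!/bin/sh
# Added example: off-box equivalent of "pki match <key> <certificate>".
# A key and a certificate match when they carry the same public key, so both
# files are reduced to their PEM public key and the two results are compared.

# Print the public key of a private key file (RSA or DSA; PEM, then DER).
# "-passin pass:" supplies an empty passphrase so an encrypted key fails
# instead of prompting (assumption: the key is stored unencrypted).
key_pub() {
    openssl pkey -in "$1" -inform PEM -passin pass: -pubout 2>/dev/null ||
    openssl pkey -in "$1" -inform DER -passin pass: -pubout 2>/dev/null
}

# Print the public key embedded in an X.509 certificate (PEM, then DER).
cert_pub() {
    openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null ||
    openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null
}

# Usage: pki_match <key> <certificate>
# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
pki_match() {
    k=$(key_pub "$1")  || { echo "cannot read key: $1" >&2; return 2; }
    c=$(cert_pub "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    if [ "$k" = "$c" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH"
    return 1
}

# Run directly as: sh pki_match.sh webserver.pem webserver.crt
if [ "$#" -eq 2 ]; then
    pki_match "$1" "$2"
fi
```

A status of 2 separates an unreadable or wrongly encoded file from a genuine mismatch, which matters when the same check is repeated for each of the 1 to 4 pairs.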