Enabling SSL on a Domain Controller

If you plan to use Microsoft Enterprise Root CA to automatically assign all your domain controllers SSL certificate, you must perform the following steps to enable SSL on each domain controller if you have not previously done so.

1	Install a Microsoft Enterprise Root CA on a Domain Controller.

a	Select Start - Control Panel - Add or Remove Programs.

b	Select Add/Remove Windows Components.

c	In the Windows Components Wizard, select the Certificate Services check box.

d	Select Enterprise root CA as CA Type and click Next.

e	Enter Common name for this CA, click Next, and click Finish.

2	Enable SSL on each of your domain controllers by installing the SSL certificate for each controller.

a	Click Start - Administrative Tools - Domain Security Policy.

b	Expand the Public Key Policies folder, right-click Automatic Certificate Request Settings and click Automatic Certificate Request.

c	In the Automatic Certificate Request Setup Wizard, click Next and select Domain Controller.

Click Next and click Finish.

To export the CA certificate:

1	Within the Windows operating system, open the Certificate Authority management tool: Start - All Programs - Administrative Tools - Certificate Authority.

2	You may view properties of the certificate authority by right clicking on the authority in the tree view and selecting Properties. The CA Properties dialog box will open.

3	Click the General tab and the View Certificate button to open the Certificate dialog box.

4	Click the Details tab then the Copy To File button. The Certificate Export Wizard will open.

5	Click Next to begin using the wizard.

6	On the Export File Format screen select the Base-64 encoded X.509 (.CER) radio button and press the Next button.

7	On the File To Export screen enter or browse to a filename and path for the exported certificate. Press the Next button.

8	Press the Finish button.

The resulting certificate file is properly formatted and readable by OpenSSL.

The Tools panel within the Remote Console Switch Client Software allows the user to upload a CA certificate to the Remote Console Switch. This tool is only available when LDAP Authentication is enabled on the Authentication Panel of the appliance's MP.

In general, it will be necessary to upload the CA certificate only once; however, it will have to be uploaded again if the certificate is revoked, if it expires, or if "Restore Factory Defaults" is selected from the serial console menu.

NOTE:

The instructions above are written for a Microsoft CA certificate. For other CA’s, please check with the CA vendor.

NOTE:

The Network Time Protocol (NTP) must be enabled for LDAPS to function.

Figure 5‑21. Send Security Certificate

After sending the Security Certificate to the Remote Console Switch, the following window displays.

Figure 5‑22. Send certificate dialog box

Button	Description
Browse	Browse to a certificate file by opening a File Chooser dialog and allowing a user to choose a certificate file.
Send	Sends the certificate to the Remote Console Switch
Cancel	Closes the dialog.
Help	Displays help for Send Certificate Key Dialog.

The Remote Console Switch Client Software allows you to browse to a certificate and open it. Once the certificate is open and its contents displayed, the user can then send the certificate to the appliance.

Field	Description
File	Path and name of the certificate file opened with the browse (File Chooser) button.
Subject	Subject of the opened certificate.
Issuer	Person or entity that issued the certificate.
Validity Period	Period that the certificate is valid for.
Serial Number	Serial number of the certificate.
SHA-1 Thumbprint	SHA-1 Thumbprint derived from the certificate.
MD5 Thumbprint	MD5 Thumbprint derived from the certificate.