How to generate your own / self-signed SSL certificates for use with On-Premise deployments
Written by Arick Disilva
Updated over a week ago

We recommend consulting with your security team to determine whether a self-signed certificate or a third-party trusted CA is right for your deployment. For an example of how to use a third-party certificate with Teramind, check out this article.

Introduction

In this article we will show you how to generate your own authority certificates via OpenSSL for use with your Teramind On-Premise deployment.

If your network uses an Active Directory domain, use Windows Certificate Center instead. In an AD domain, the network root certificate can be auto-deployed to all joined stations.

Step 1: Install and run OpenSSL

1. Download the latest OpenSSL binaries (there are many websites which offer the binaries; please do an online search to find one).

2. Run OpenSSL in admin mode.

OpenSSL is a third-party product developed by the OpenSSL Project. Teramind isn’t associated with the OpenSSL organization or its affiliates and cannot be held responsible for its use. Please use the software at your own risk.

Step 2: Generate the root private key

Run the following command in the OpenSSL command line:

openssl genrsa -out rootCA.key 4096

Step 3: Create a self-signed certificate

Run the following command in the OpenSSL command line:

openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 3650 -out rootCA.pem

You’ll be asked various questions (Country, State/Province, etc.). Answer them as you see fit. The important one, though, is the Common Name:

Common Name (eg, YOUR name) []: MyRootCA

Step 4: Install the root certificate on the workstation(s)

You will need to install the root certificate in the trusted certificate repositories of your workstations.

Internet Explorer / Google Chrome

Both IE and Chrome use the system certificate store. You can install certificates for these browsers from the Windows Certificate Manager:

1. Open Windows Certificate Manager (run certmgr.msc from the command prompt).

2. From the left panel (Certificates - Current User), select Trusted Root Certification Authorities > Certificates.

3. Right-click on Certificates and select All Tasks > Import. Then follow the on-screen instructions to import your certificate.

Firefox

Firefox has its own certificate repository. If you use Internet Explorer or Chrome as well as Firefox, you’ll have to install the root certificate in both the Windows repository and the Firefox repository.

1. Open Firefox and click the Menu icon.

2. Select Settings.

3. Select Privacy & Security from the left panel.

4. Scroll down until you can see the Certificates section. Click the View Certificates button. A pop-up window will open.

5. Select the Authorities tab.

6. Click the Import button and select your certificate. A confirmation dialogue box will open.

7. Enable the Trust this CA to identify websites option.

8. Click the OK button to import the certificate.

Safari (macOS)

1. Double-click the certificate file in Finder.

2. You will be asked to store the certificate in the Login Keychain or System Keychain. To make the certificate available to all users on the system, select the System Keychain. Otherwise, choose the Login Keychain.

3. In Keychain Access, select the System keychain.

4. Select the Root CA certificate you imported, which will have a name matching the Common Name of the certificate.

5. Select File > Get Info and expand the Trust section.

6. Change the Secure Sockets Layer (SSL) value to Always Trust.

7. When prompted, enter your Mac's admin password and click Update Settings.

Step 5: Create a private key

To create a private key (different from the root CA key), run the following command:

openssl genrsa -out onsite.key 4096

Step 6: Generate the certificate signing request

Once the key is created, you’ll generate the certificate signing request. To do so, run the following command:

openssl req -new -nodes -key onsite.key -config csrconfig.txt -out onsite.csr

Here's a sample csrconfig.txt file you can use as a reference:

[ req ]
default_md = sha512
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = onsite.teramind.io
countryName = US
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = onsite.teramind.io
IP.0 = 192.168.0.1

Once that’s done, you’ll sign the CSR, which requires the CA root key. Run the following command to do so:

openssl x509 -req -in onsite.csr -days 3650 -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -extensions req_ext -out onsite.crt -extfile csrconfig.txt
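
Steps 2 to 6 run end to end in a scratch directory, followed by three checks worth making before the upload in Step 7. This is an added example, not Teramind's own tooling; the function names, the KEY_BITS variable, the scratch directory and the `-subj` shortcut that answers the root's Common Name prompt are assumptions.

```shell
# Added example (not from the original article). Helper names are hypothetical.
KEY_BITS="${KEY_BITS:-4096}"   # the article uses 4096-bit RSA keys

# make_chain DIR HOST: run the article's commands non-interactively in DIR.
make_chain() {
    dir=$1 host=$2
    cat > "$dir/csrconfig.txt" <<EOF
[ req ]
default_md = sha512
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = $host
countryName = US
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = $host
IP.0 = 192.168.0.1
EOF
    (
        cd "$dir" || exit 1
        openssl genrsa -out rootCA.key "$KEY_BITS" &&
        openssl req -x509 -new -nodes -key rootCA.key -sha512 -days 3650 \
            -subj "/CN=MyRootCA" -out rootCA.pem &&
        openssl genrsa -out onsite.key "$KEY_BITS" &&
        openssl req -new -nodes -key onsite.key -config csrconfig.txt -out onsite.csr &&
        openssl x509 -req -in onsite.csr -days 3650 -CA rootCA.pem -CAkey rootCA.key \
            -CAcreateserial -extensions req_ext -out onsite.crt -extfile csrconfig.txt
    ) >/dev/null 2>&1
}

# verify_chain DIR HOST: 0 if all checks pass, else the number of the failed check.
verify_chain() {
    dir=$1 host=$2
    # 1. onsite.crt is signed by rootCA.pem.
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/onsite.crt" >/dev/null 2>&1 || return 1
    # 2. onsite.key belongs to onsite.crt (their public keys are identical).
    k=$(openssl pkey -in "$dir/onsite.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/onsite.crt" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ] || return 2
    # 3. The hostname is present as a DNS entry in subjectAltName.
    openssl x509 -in "$dir/onsite.crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$host" || return 3
}
```

Check 3 is the one that catches a signing command run without `-extensions req_ext -extfile csrconfig.txt`: `openssl x509 -req` does not copy extensions from the CSR by default, so the resulting certificate would carry no subjectAltName.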

Step 7: Upload the certificates to your Teramind server

Log in to your Teramind dashboard and do the following:

1. Click the Gear icon near the top-right corner of the dashboard.

2. Click Settings.

3. Select the Security tab.

4. Under the Host section, in the HOSTNAME field, enter the common-name you used in the previous step (e.g., onsite.teramind.io).

5. Click the SAVE button.

6. Click Select file next to SELECT PRIVATE KEY and upload your onsite.key file.

7. Click Select file next to SELECT PUBLIC KEY and upload your onsite.crt file.

8. Click Select file next to SELECT ROOT CA KEY and upload your rootCA.pem file.

9. Click the VALIDATE KEYS button. If the certificate chain files are valid, the Dashboard will respond with: "Validation is successful. Click here to see details.", and the VALIDATE KEYS button will be replaced by a SAVE KEYS button.

10. Click the SAVE KEYS button to save the keys.
