EV Reach Gateway Service - SSL/TLS Certificates

Last modified on 2023/07/12 14:03

The EV Reach Gateway Service can be secured with an SSL/TLS certificate so that clients can verify the server when connecting from systems outside of your organization. This prevents man-in-the-middle (MITM) attacks that may occur during internet-based sessions.

  • You may import your own certificates if you already have them.
  • If you have deployed any external agents, they will need to be reinstalled manually after you enable TLS on the server.

You may purchase a new certificate from any certificate authority. Regardless of the authority, the steps are generally the same:

  1. Purchase the certificate.
  2. Generate a CSR and private key on the server that is running the Reach Gateway Service.
  3. Download your certificate from your Certificate Authority.
  4. Convert the key and certificate to PFX format (optional but recommended).
  5. Import the certificate into the Reach Server.

Purchasing a certificate

You may purchase the certificate from any major certificate authority. Please make sure that the certificate is issued to the DNS name you will be using for the gateway service. For example:

If the DNS name for the Reach Gateway Service is REACH.CONTOSO.COM, your certificate must cover that name. Wildcard certificates (*.contoso.com) are supported.

Generating the CSR and Private Key from your server

We recommend using the openssl command for all the certificate work needed. You can download and install OpenSSL for Windows here.

Note: Download OpenSSL 3 Light for Windows.

Use the following command to generate your CSR and private key:

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -new -newkey rsa:2048 -nodes -keyout C:\private_key.key -out C:\CSR.csr -config "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"

This command prompts for information such as Company Name, State, and so on.

You will have two files:

  1. C:\private_key.key  ==>  Keep this safe and do not give it to anyone.
  2. C:\CSR.csr  ==>  You will provide this when asked by your Certificate Authority.

Downloading your certificate from your Certificate Authority

After uploading your CSR file to your Certificate Authority, you will be asked to choose the format for the certificate. Please select APACHE as the type.

You will receive two files from your provider:

  1. Your certificate file, issued to your server name.
  2. The Certificate Authority's certificate chain file.

Copy those files to the EV Reach Server.

Verifying that the key and certificate match:

Run the following commands to make sure that the private key and the certificate belong together. Both print the MD5 sum of the RSA modulus; if the sum is the same in both outputs, you have a match.

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" rsa -modulus -noout -in C:\private_key.key | "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" md5
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -modulus -noout -in C:\ServerCert.crt | "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" md5

Convert the Key and Certificate to PFX format (Optional but recommended)

Note: EV Reach Server 3.70.1 and higher do not support PFX files created with OpenSSL 1. You must use OpenSSL 3 to create PFX files for EV Reach Server 3.70.1 and above. PFX files created with OpenSSL 3 are backwards compatible with previous versions of the EV Reach Server.

EV Reach supports multiple certificate/key file combinations; however, a PFX file is recommended because it contains the full certificate chain required by the Reach Gateway and the private key in one encrypted file.

To combine the key file, certificate chain file and server certificate into a PFX file, use the following openssl command.

"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out C:\ServerCert.pfx -nodes -inkey C:\private_key.key -in C:\ServerCert.crt -certfile C:\CA_Bundle.crt

You will be asked to create a password and confirm it. This password will be required when configuring the Reach Gateway Service.
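The following PowerShell script is an added example, not part of the EV Reach documentation: it ties the key/certificate check above and the PFX conversion together, refusing to build the PFX unless the private key and the issued certificate share the same RSA modulus and the certificate's Subject Alternative Name actually covers the gateway's DNS name. It assumes OpenSSL 3 Light at the default install path, the file names used on this page, and a hypothetical gateway name of reach.contoso.com.

```powershell
# Added example, not part of the EV Reach documentation. Assumes OpenSSL 3 Light for
# Windows at its default path and the file names used on this page.
$OpenSsl    = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$KeyFile    = 'C:\private_key.key'
$CertFile   = 'C:\ServerCert.crt'
$ChainFile  = 'C:\CA_Bundle.crt'
$PfxFile    = 'C:\ServerCert.pfx'
$GatewayDns = 'reach.contoso.com'   # hypothetical gateway name, taken from the page's example

function Get-RsaModulus {
    # $Kind is 'rsa' for the private key or 'x509' for the certificate; both print "Modulus=<hex>"
    param([string]$Kind, [string]$Path)
    $out = & $OpenSsl $Kind -modulus -noout -in $Path
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $Path" }
    return (([string]$out).Trim() -replace '^Modulus=', '')
}

function Test-NameCovered {
    # True when a DNS SAN entry covers $Hostname, either exactly or via a single-label wildcard
    param([string]$Path, [string]$Hostname)
    $sanText = ([string](& $OpenSsl x509 -noout -ext subjectAltName -in $Path)).ToLower()
    $names   = [regex]::Matches($sanText, 'dns:([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    $target  = $Hostname.ToLower()
    foreach ($n in $names) {
        if ($n -eq $target) { return $true }
        if ($n.StartsWith('*.') -and (($target -split '\.', 2)[1] -eq $n.Substring(2))) { return $true }
    }
    return $false
}

# 1. Key and certificate must share one RSA modulus. The page compares MD5 sums of the
#    modulus; comparing the full hex values directly is equivalent and skips the hash step.
if ((Get-RsaModulus 'rsa' $KeyFile) -ne (Get-RsaModulus 'x509' $CertFile)) {
    throw 'Private key does not match the issued certificate; do not import this pair.'
}
# 2. The certificate must be issued for the gateway's DNS name or a matching wildcard.
if (-not (Test-NameCovered $CertFile $GatewayDns)) {
    throw "Certificate does not cover $GatewayDns; clients would fail server verification."
}
# 3. Only now bundle key, server certificate and CA chain; openssl prompts for the export password.
& $OpenSsl pkcs12 -export -out $PfxFile -inkey $KeyFile -in $CertFile -certfile $ChainFile
if ($LASTEXITCODE -ne 0) { throw 'PFX export failed' }
Write-Host "Created $PfxFile; enter its export password when clicking 'Secure with Certificate'."
```

The modulus comparison only applies to RSA keys, which is what the CSR command on this page generates (rsa:2048).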

Importing the Certificate to the Reach Gateway Service

Once the PFX file is generated or you have the crt / key file combination, you can click "Secure with Certificate" on the EV Reach Gateway Service screen.

[Screenshot: Reach-Gateway-Adding-Certificate.png]

You will be prompted to change the port to 443 if you like. Using 443 is recommended because it causes the fewest external firewall issues. Please ensure that your firewall is provisioned to forward the appropriate port.

The gateway service will restart and begin requiring TLS for all connections.

If you have deployed any external agents, they will need to be reinstalled manually.

Powered by XWiki © EasyVista 2022