Manage the Security Certificate

Overview

The EchoSystem Server (ESS) uses SSL to secure the web browser session between the server and users accessing the server. To make the initial installation as simple as possible, ESS ships with a self-signed SSL certificate that enables this secure communication. There are several reasons why you might want to replace this SSL certificate with a more sophisticated one.

  • You do not want users to see (and click past) the warning that most browsers display. This warning occurs because the browser cannot verify the identity of the certificate's owner. Typical warnings look similar to the ones shown below:

    Macintosh and Windows security warnings

  • You want to use a certificate authority (CA) of your own choosing or the CA that is required by your institution.

You can manage the certificate at any time, but you are most likely to make changes for one of the reasons listed below.

  • The existing certificate has expired
  • Your institution is working with a new CA
  • You are installing a new ESS

Installing a new certificate consists of these phases:

  1. Create the Certificate Signing Request (CSR), using either the request capability in the ESS or other means (such as making the request on the CA website). 
  2. Install the security certificate you receive from the CA.
  3. Restart the ESS.

You may also want to review the existing certificates or remove a certificate; both processes are described at the end of this page.

Create the Certificate Signing Request (CSR)

You can create a CSR using the ESS.

You may also create a CSR in other ways, perhaps via the CA website. If you choose an alternate method (the "CSR Not Generated by ESS" method), you can skip this section and proceed to Install the Security Certificate with your otherwise generated certificate.

A CSR is a cryptographic document that is generated for a specific entity and submitted to a CA for signing. The CSR describes the identity associated with a particular fully-qualified domain name (FQDN). The result of generating and submitting a CSR is a signed certificate that web browsers will be able to recognize as valid for the server that presents it.

After you request the certificate, you will install the security certificate you receive.

You do not have to create a public key or private key yourself when making the CSR. That is done for you as part of this phase.

Procedure

  1. Navigate to System > Certificates (the Show Certificates page).

    Certificates page as described

  2. Click Request Certificate.
  3. You should see the Request Certificate page. Complete the fields.

    request certificates page as described

  4. Click Generate CSR.
  5. Notice that the text box to the right of the form fields is now populated with your certificate request. The text below the box lists the file location of the CSR. The file location is underlined in the screenshot below.

    request cert page with csr as described

  6. Click Return.
  7. Send the certificate request to your CA. You can:
    • Copy and paste the text from the block above into an email, or
    • Send the file to the CA
  8. When you receive the security certificate from the CA, install the security certificate.

Install the Security Certificate

The procedure to install the security certificate differs, depending on these factors:

  • Was the CSR generated by the ESS or by other means?
  • Is a root certificate already installed?

The procedure below is divided into phases. Everyone must follow Phase 1 (using either the ESS-Generated CSR steps or the CSR Not Generated by ESS steps, depending on how the CSR was created) and Phase 2.

Depending on the result of Phase 2, you will continue with either Phase 3A - Root Certificate Already Installed or Phase 3B - Install the Root Certificate.

Phase 1 - Enter the Intermediate Certificate Text

Do You Have an Account with a CA?

This procedure assumes that you have already set up an account with a CA and purchased a security certificate.

  1. Navigate to System > Certificates (the Show Certificates page).

    Certificates page as described

  2. Click Install Certificate.
  3. Notice that the Install Certificate page is the first page of a wizard. The wizard guides you through the installation procedure.
  4. Click the radio button that matches how your CSR was generated (by the ESS, or "Private Key + Certificate in PKCS12 format" for a CSR generated elsewhere), then click Next.
  5. Click Next.

ESS-Generated CSR

Have You Received the Certificate From the CA?

This phase assumes you have received the security certificate from the CA. This is often an email with an attached file that has a .pem or .cer extension (examples: cert.pem or cert.cer).

You will need to open the security certificate during this phase.

  1. You should see the page shown below.
    1. Open the email or text file received from the CA.
    2. Copy and paste the certificate text into the field, as shown below.

      installation certificate page as described

  2. Click Next.

CSR Not Generated by ESS

Do You Have a PKCS12 File?

The procedure assumes you have generated the CSR outside the ESS, perhaps on the CA website. In this case:

  • You should have received a PKCS12 file from the CA
  • You clicked the second radio button ("Private Key + Certificate in PKCS12 format") on the previous page

Make sure you know the location of this file and the password for it. You will upload the file in this procedure.

  1. You should see the page shown below.
    1. Browse to the PKCS12 file.
    2. Enter the password for the PKCS12 file.

      Install certificate page as described

  2. Click Next.

Phase 2 - Do You Need to Install a Root Certificate?

If you see the page shown below, you already have a root certificate installed. The intermediate certificate has been installed successfully and you are almost done. Continue with Phase 3A - Root Certificate Already Installed. 

If you see the page shown below, you do not have a root certificate installed and must install one. Continue with Phase 3B - Install the Root Certificate.

verify certificate page as described

Phase 3A - Root Certificate Already Installed

  1. Notice the further instructions on this page.
  2. Click Return to Certificates Page.
  3. Restart the ESS.
    • The Jetty server has been reconfigured to work with the certificate
    • You will need to restart the ESS to allow the server to recognize the new certificate

Phase 3B - Install the Root Certificate

  1. Read and understand the instructions on this page. Typically, you will need to install a root certificate that is linked to the intermediate certificate.
  2. Copy and paste the root certificate text into the field, as shown below.

    root certificate text pasted

  3. Click Install Certificate and Test Your Chain.
  4. Look for a success message, as shown below.

  5. Click Return to Certificates Page.
  6. Restart the ESS (instructions below).
    • The Jetty server has been reconfigured to work with the certificate
    • You will need to restart the ESS to allow the server to recognize the new certificate
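As an added example (not part of the ESS documentation or the product), the following shell script shows the checks a practitioner can run with openssl on the files a CA returns before starting the Install Certificate wizard: that the certificate matches the CSR's private key and covers the server's FQDN, whether the chain can be completed without supplying a root (the Phase 2 question), that the full chain verifies once the root is supplied (what "Test Your Chain" does), and that a PKCS12 file for the "CSR Not Generated by ESS" path opens with its password and holds both certificates. The host name ess.example.edu and the password changeit are placeholders, and the root, intermediate and server certificates are generated on the fly as constructed test material; only the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added example, not from the ESS documentation: pre-flight checks, with openssl,
# on the files a CA returns before they go into the ESS Install Certificate wizard.
# Constructed test material: a throwaway root CA, intermediate CA and server
# certificate stand in for the real CA's deliverables so this runs offline.
set -eu
WORK=$(mktemp -d); cd "$WORK"
FQDN=ess.example.edu                      # placeholder host name, not a real server
# Extensions for the two test CAs and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'subjectAltName=DNS:%s\n' "$FQDN" > server.ext
# Root CA: the "root certificate" the ESS may or may not already have installed.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Test Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 -extfile ca.ext 2>/dev/null
# Intermediate CA: the certificate text pasted in Phase 1.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Test Intermediate CA' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
# Server key and CSR created outside the ESS ("CSR Not Generated by ESS"), signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=$FQDN" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial -out server.pem -days 30 -extfile server.ext 2>/dev/null
# PKCS12 bundle (private key + server certificate + intermediate) for the upload path.
openssl pkcs12 -export -inkey server.key -in server.pem -certfile inter.pem -out server.p12 -passout pass:changeit

# Check 1: the returned certificate carries the public key belonging to the CSR's private key.
key_matches_cert() {  # $1 = private key, $2 = certificate
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
# Check 2: the certificate is valid for the FQDN users type into their browsers.
cert_covers_host() {  # $1 = certificate, $2 = host name
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
# Check 3 (the Phase 2 question): can the chain be completed from this machine's trust
# store plus the intermediate alone? Success here means a root must be installed (Phase 3B).
root_required() {  # $1 = intermediate, $2 = server certificate
  ! openssl verify -untrusted "$1" "$2" >/dev/null 2>&1
}
# Check 4: with the root supplied, the complete chain verifies ("Test Your Chain").
chain_verifies() {  # $1 = root, $2 = intermediate, $3 = server certificate
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
# Check 5: the PKCS12 file opens with its password and carries both certificates.
p12_cert_count() {  # $1 = PKCS12 file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

key_matches_cert server.key server.pem && cert_covers_host server.pem "$FQDN" && echo "key and host name OK"
root_required inter.pem server.pem && echo "root not in the trust store: Phase 3B applies"
chain_verifies root.pem inter.pem server.pem && echo "chain verifies once the root is supplied"
echo "certificates in the PKCS12 bundle: $(p12_cert_count server.p12 changeit)"
```

Run the same functions against the real files from your CA (the .pem or .cer certificate, the intermediate text, and the PKCS12 file if you used the alternate path); the generated test material only stands in for them here.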

Restart the ESS

After you install the new certificate, restart the ESS service or daemon. This allows the server to recognize the new certificate.

Follow the instructions for your platform.

Expect to Wait

After a restart, you may have to wait for a few minutes before the ESS becomes responsive.

Restart ESS on Windows

  1. From the Windows taskbar, select Start > Programs > Administrative Tools > Services. The Services dialog opens.
  2. Select the EchoSystem Server service.
  3. Click Restart. The ESS service restarts on your local computer.

Restart ESS on Linux

  1. Open a terminal prompt.
  2. Type the restart command. Be sure to include the space between the file name and the restart command.

    sudo /etc/init.d/echosystemserverd.sh restart

  3. Notice the status messages showing that the service stops and starts.

Review Existing Certificates

  1. Navigate to System > Certificates.
  2. Hover over the certificate of interest.

    certificate details page as described

  3. Click details.
  4. Notice that details about the certificate appear in the lower part of the page.

    certificate details as described

Remove a Certificate

Overview

You might remove a certificate when it expires or if your institution changes the CA it uses.

The Certificate is Removed Immediately

The ESS does not ask for confirmation before removing the certificate. However, you can restore a certificate from a backup. A file called backup_<timestamp>.jks is created in the same directory as the keystore whenever the keystore is altered.

Procedure

  1. Navigate to System > Certificates.
  2. Select the certificate to be removed.
  3. Click Remove.

  4. Notice that the certificate is removed from the list.