How to generate an SSL server certificate for ScaleArc using the Microsoft certificate infrastructure
|3.6 and above||How To||MSSQL||SSL|
This article gives step-by-step instructions for generating a Certificate Signing Request (CSR) with the Microsoft certificate infrastructure and installing the resulting certificate in ScaleArc. It does not cover signing the CSR in a Microsoft CA; that is outside the scope of this article and is well documented in the Microsoft CA documentation.
First we create a private key and a CSR with the Certificates snap-in of the Microsoft Management Console (MMC). Then we have the CSR signed by the CA, export the private key from the snap-in, and submit the key and the signed certificate to ScaleArc.
Create the CSR
- Add the Certificates snap-in to the Microsoft Management Console (mmc.exe) for the Local Computer: choose File > Add or Remove Snap-ins, select Certificates, click Add, choose Computer account and then Local computer, and click OK.
- In the certificate store, choose the Personal folder.
- Right click on the Personal folder and choose All Tasks > Advanced Operations > Create Custom Request.
- A dialog box will open. Click OK to go to the second page.
- Select ‘Proceed without enrollment policy’ and click next.
- Select ‘Legacy key’ from the pulldown menu for the Template, ensure that the Request Format is PKCS#10, and click next.
- Expand the ‘Details’ section and click on Properties.
- Fill in the details for the CSR:
  - Under the General tab:
    - Friendly name: a user-friendly name for the certificate. ScaleArc suggests the server FQDN, which makes it easy to match the CSR to the certificate eventually made from it.
    - Description: optional free text for your own use. ScaleArc recommends sticking to alphanumeric characters in this field.
  - Under the Subject tab:
    - From the Subject name type menu choose "Common Name", enter the FQDN of the machine you are generating this CSR for, and click Add. This must be the fully qualified DNS name that resolves to the ScaleArc cluster's front-end IP address, exactly as clients will use it in their connection strings: the Microsoft SQL client validates the server name against the certificate and will not connect if they differ. If clients also reach the cluster by other names, add each of them (including the primary FQDN) as a DNS entry under Alternative name on the same tab.
  - Under the Extensions tab:
    - Expand Key Usage and add Key Encipherment. Ensure the "Make these key usages critical" box is checked.
    - Expand Extended Key Usage and add Server Authentication. Ensure the "Make the Extended Key Usage critical" box is not checked.
  - Under the Private Key tab:
    - Expand Key Options and:
      - Check "Make private key exportable"; this is required to export the key so it can be entered into the ScaleArc UI.
      - Choose the key size from the pulldown menu. ScaleArc currently supports a maximum of 2048 bits; if your organization has a standard, follow it, otherwise use the maximum.
      - Do not check "Strong private key protection"; it makes adding the private key to ScaleArc difficult. Instead, track down and erase every file copy of the private key except the original (do not delete the original; a deleted key cannot be recovered by any means). On Windows the key stays in the key store of the machine where the CSR was generated, so as long as the certificate is visible in that store you can safely delete all file copies.
    - Expand Key Type and select "Exchange".
- Click OK to close the Certificate Properties dialog, then click Next.
- On the last page, save the CSR file. Choose "Base 64" as the file format and click Finish. ScaleArc recommends naming the file "<FQDN>.csr" to help keep track of its contents; you will eventually want to archive it in a directory named or otherwise indexed by the FQDN and the expiration date of the certificate. You will hand this file to your CA to be signed with the certificate chain used in your environment.
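The same custom request can be produced from the command line with certreq, which records every option chosen in the wizard above in a file that can be reviewed and reused. The following is an added example and not ScaleArc's code; the FQDN sql-cluster.example.com, the file names and the provider choice are assumptions. Run it from an elevated prompt on the machine that will hold the key. The .inf does not set the "critical" flag that the wizard offers for Key Usage, so inspect the request with certutil before sending it to the CA.

```powershell
# Added example, not ScaleArc's code: the custom request built by hand in the MMC
# wizard, expressed as a certreq .inf file. FQDN and file names are hypothetical.
$Fqdn = 'sql-cluster.example.com'

# Single-quoted here-string so "$Windows NT$" stays literal; {FQDN} is filled in below.
$infTemplate = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN={FQDN}"
FriendlyName = "{FQDN}"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type selected in the wizard
KeySpec = 1
; 0x20 = CERT_KEY_ENCIPHERMENT_KEY_USAGE (Key Encipherment)
KeyUsage = 0x20
; Required so the key can later be exported as PKCS#12 for ScaleArc
Exportable = TRUE
; Local Computer store, matching the snap-in added for the Computer account
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication
OID = 1.3.6.1.5.5.7.3.1
'@

$inf = $infTemplate.Replace('{FQDN}', $Fqdn)
Set-Content -Path "$Fqdn.inf" -Value $inf -Encoding ASCII

# Generates the key pair in the Local Computer store and writes a Base-64 PKCS#10
# request, the same artefact the wizard saves as <FQDN>.csr.
certreq -new "$Fqdn.inf" "$Fqdn.csr"

# The pending request, with its private key, sits in the Certificate Enrollment
# Requests store (Cert:\LocalMachine\REQUEST) until the signed certificate is accepted.
Get-ChildItem Cert:\LocalMachine\REQUEST | Where-Object { $_.Subject -eq "CN=$Fqdn" }

# Check the Subject, Key Usage and Extended Key Usage of the request (and whether
# Key Usage is marked critical) before handing it to the CA.
certutil -dump "$Fqdn.csr"
```

Keep the .inf with the archived CSR: it documents exactly what was requested, which is useful when the certificate is renewed.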
Extract the Private Key
- In the MMC Certificate Snap-in, choose Certificate Enrollment Requests, then choose Certificates.
- Under Issued To, select the CN for your request (which should be the FQDN of the frontend IP of the ScaleArc appliance).
- Right click the CSR. Choose All Tasks->Export…
- Click Next to advance to the first page of the Export Wizard.
- Choose ‘Yes, export the private key.’ Click Next.
- Ensure PKCS #12 (.PFX) is selected (it should be the only choice, since it is the only format that carries the private key) and check "Include all certificates in the certification path if possible" and "Export all extended properties". As a security measure you can also choose to delete the private key from the SSL Provider's keystore once the export succeeds, but if you do, do not lose or delete this PKCS #12 file until you have backed up the key some other way. Remember that a lost key cannot be recovered, and the copy installed in ScaleArc is not a backup. Click Next.
- Windows requires a password when a private key is exported from the SSL Provider keystore. Choose a strong one and enter it twice to confirm, since it is not echoed to the screen. Click Next.
- Enter the file name for the exported PKCS #12 file; use the Browse option so that you know the full path to the file. ScaleArc recommends naming it after the FQDN of the ScaleArc front-end IP address the certificate will be used on, and using a distinct key for each front-end IP address.
- Verify the information in the form, and if everything is OK click Finish.
- Use OpenSSL to extract the private key from the PKCS #12 file:
openssl pkcs12 -in <filename>.pfx -nocerts -nodes -out <filename>.key
Where <filename> is the name you chose; ScaleArc recommends the FQDN of the front-end IP address of the ScaleArc appliance or cluster. OpenSSL prompts for the export password you set in the wizard.
NOTE: OpenSSL accepts these options in any order. The -nodes option writes the key unencrypted, which is the form ScaleArc accepts, so the resulting file is protected only by file permissions; create it in a directory that only you can read.
|The output file contains the most security-critical data of your SSL certificate. The key can be recovered at any time from the MMC Certificates snap-in, unless you chose to delete it from the SSL Provider keystore as noted above; in that case it can be recovered from the PKCS #12 file. For that reason, on a production system use the .key file created here only to install the key into ScaleArc, then delete it immediately.|
If You Operate Your Own CA, or Information to Provide Your CA
Certificate generation is straightforward in the Microsoft CA; all of the needed options were selected while generating the CSR above. In the Certification Authority console, right-click the desired signing CA, choose All Tasks > Submit new request, select the CSR, and choose a file name for the signed certificate. This outputs a signed X.509 certificate. On more recent versions of Windows you submit the request with the certreq command-line tool on the CA instead; the administrator of your CA will know how to do this. If a template is required, the default Web Server template may be used.
If you are using a non-Microsoft CA, then you will need to set the options as you would for a SQL Server certificate. Instructions for doing so in an OpenSSL CA are provided in the companion to this document, which deals with OpenSSL; for other CAs, you will have to refer to the documentation for the CA you are using, and provide the necessary options so that the certificate will have the needed properties to satisfy the Microsoft SQL Client and the Microsoft SSL Provider, which is outside the scope of ScaleArc instructions.
Installing the Certificate and Key in ScaleArc
First convert the certificate returned by the CA into the format ScaleArc expects, then follow the instructions in the ScaleArc Admin Guide to install the certificate and key in ScaleArc.
To extract the certificate from the signed certificate file, use the following OpenSSL command:
openssl x509 -inform der -in <filename>.cer -out <filename>.pem
Where <filename> is the name of the certificate file. By default the Microsoft CA writes the signed X.509 certificate in binary DER format. If the file you received opens as text and begins with -----BEGIN CERTIFICATE-----, it is already Base-64 (PEM) encoded and can be used as is; running the command above on it with -inform der will fail.
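Before the key file from the "Extract the Private Key" section and the certificate from the step above are uploaded, it is worth confirming on the Windows side that the signed certificate has been paired with its private key and carries the properties the CSR asked for. The following is an added example and not ScaleArc's code: it binds the CA's .cer to the pending key, checks Common Name, key size, Key Usage and Extended Key Usage, exports the PKCS #12 that the openssl pkcs12 command consumes, and writes the certificate as PEM, which is the same result the openssl x509 command produces. The FQDN sql-cluster.example.com, the file names and the helper name Test-ScaleArcServerCertificate are assumptions; run it from an elevated prompt on the machine where the CSR was created.

```powershell
# Added example, not ScaleArc's code. FQDN, file names and the helper are hypothetical.
$Fqdn = 'sql-cluster.example.com'

# Pair the signed certificate with the key waiting in Certificate Enrollment Requests;
# the certificate then appears under Personal (Cert:\LocalMachine\My) with its key.
certreq -accept "$Fqdn.cer"

function Test-ScaleArcServerCertificate {
    # Returns the list of problems found; an empty list means the certificate matches
    # the CSR settings described in this article.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedFqdn
    )
    $problems = @()
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($simpleName, $false)
    if ($cn -ne $ExpectedFqdn) { $problems += "Common Name is '$cn', expected '$ExpectedFqdn'" }
    if (-not $Certificate.HasPrivateKey) { $problems += 'No private key is associated with the certificate' }

    # GetRSAPublicKey is an extension method, so it must be called statically in PowerShell.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa -or $rsa.KeySize -ne 2048) { $problems += 'Public key is not a 2048-bit RSA key' }

    $ku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $encipher = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if (-not $ku -or (([int]$ku.KeyUsages -band $encipher) -eq 0)) { $problems += 'Key Usage lacks Key Encipherment' }
    elseif (-not $ku.Critical) { $problems += 'Key Usage extension is not marked critical' }

    $eku = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuth)) {
        $problems += 'Extended Key Usage lacks Server Authentication'
    }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += 'Certificate has already expired' }
    return $problems
}

# Pick the newest certificate for the FQDN that actually has a private key.
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($simpleName, $false) -eq $Fqdn -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $Fqdn in Cert:\LocalMachine\My" }

$problems = Test-ScaleArcServerCertificate -Certificate $cert -ExpectedFqdn $Fqdn
if ($problems) { throw ("Certificate is not usable for ScaleArc:`n" + ($problems -join "`n")) }

# Export key plus certificate chain as PKCS#12; this is the file the openssl pkcs12
# command turns into <FQDN>.key. Windows insists on a password for the export.
$pfxPassword = Read-Host -Prompt "Password for $Fqdn.pfx" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$Fqdn.pfx" -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Write the certificate alone as PEM: 64-column Base-64 between the standard markers.
$b64 = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
Set-Content -Path "$Fqdn.pem" -Value $pem -Encoding ASCII
```

Windows PowerShell cannot write the private key itself in PEM form, so the openssl pkcs12 step from the "Extract the Private Key" section is still needed to produce <FQDN>.key from the exported .pfx; the PEM certificate written here can be used in place of the openssl x509 conversion.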
At this point you have the signed certificate and the key file; follow the instructions in the ScaleArc Admin Guide to install them into ScaleArc, then enable SSL.
|In order to manage SSL encryption, ScaleArc must have Authentication Offload enabled. To turn it on, choose Clusters on the top menu, then Users & DBs, enable Authentication Offload in the popup, and close it. If you do not, clients receive errors that the Common Name in the certificate does not match the DNS entry for the IP address they are connecting to, because ScaleArc goes into passthrough mode for encrypted SSL requests when this option is off.|
If you are experiencing issues with ScaleArc or any of its features, please contact ScaleArc Support. We are available 24x7 by phone at 855 800 7225 or +1 408 412 7315.