Skip to main content
Version: Axidian CertiFlow 7.0

Service certificates

Create the following TLS/SSL certificates to configure a secure connection to Axidian CertiFlow services:

Server authentication certificate

Create and issue a TLS/SSL certificate to configure a secure connection to the website hosting Axidian CertiFlow. Use the same certificate as the signing certificate to configure the OpenID Connect server.

Certificate requirements

  • Subject must include the Common Name attribute (the Axidian CertiFlow server FQDN).
  • Subject Alternative Name (SAN) must include a DNS Name attribute (the Axidian CertiFlow server FQDN).
    For example: server.domain.loc or a corresponding wildcard entry *.domain.loc.
  • Enhanced Key Usage (EKU) must include the Server Authentication value.

Create a certificate template

Prepare the certificate template. The following procedure details the configuration of a certificate template in Microsoft Certificate Authority (CA).

  1. Open the Microsoft CA web interface (certsrv), right-click Certificate Templates and select Manage.
  2. Copy the built-in Web Server template – right-click the template name and select Duplicate Template.
  3. On the General tab of the template properties window, specify a name for the certificate template. If necessary, specify the certificate validity and renewal period.
  4. On the Request Handling tab, enable the Allow private key to be exported option.
  5. (Optional) On the Cryptography tab, edit the minimum key size.
  6. On the Security tab, specify the server name for the certificate request:
    1. Click AddObject Types, enable the Computers option, and click OK.
    2. Enter the name of the Axidian CertiFlow server and click OK.
  7. In the permissions list, set Allow for the Enroll permission.
  8. Click Apply and OK.
  9. Publish the created certificate template.
    1. In the certsrv console, right-click Certificate Templates and select NewCertificate Template to Issue.
    2. In the Enable Certificate Templates window, select the created template. The template is published in the CA.
  10. Close the certsrv console.

Enroll a certificate

Enroll the TLS/SSL certificate for the workstation where you plan to install the web server. You can either enroll the certificate in the CA or create a self-signed certificate.

The following procedure details how to enroll a certificate in Microsoft CA.

  1. Open the Certificates MMC snap-in (certs.msc) and go to the Certificates (Local Computer) store.
  2. Right-click the Personal folder and select All TasksRequest New Certificate.
  3. In the Certificate Enrollment window, click Next twice and select the certificate template created earlier.
  4. Click the link More information is required to enroll for this certificate. Click here to configure settings to specify additional certificate request details. This opens the certificate properties window.
  5. In the certificate properties window, open the Subject tab.
    1. In the Subject name section, select Common name from the Type list.
    2. Enter the FQDN of the Axidian CertiFlow server and click Add.
    3. In the Alternative name section, select DNS from the Type list.
    4. Enter the FQDN of the Axidian CertiFlow server and click Add.
    5. (Optional) To create a domain wildcard for servers with various hostnames, select DNS from the Type list in the Alternative name section and enter a wildcard domain (for example, *.demo.local). Click Add.
  6. Click OK.
  7. Go to the Private KeyKey Options tab and ensure the Make private key exportable option is enabled. Click OK.
  8. Click Enroll.

The certificate is installed in the local computer's certificate store (CertificatesPersonalCertificates) with the intended purpose of Server Authentication.

Install a certificate on a Linux workstation

To transfer and install the certificate on Linux workstations, export the certificate and split it into a certificate file and a private key file.

  1. Follow the instructions provided in the previous section to enroll the certificate from a CA.

  2. Right-click the certificate and select All TasksExport.

  3. In the Certificate Export Wizard, click Next, select Yes, export the private key, and click Next twice.

  4. Enable the Password option, enter and confirm the password. Click Next.

  5. Select the destination folder for the exported certificate and click Finish.

  6. Split the PFX file into a certificate file and a private key file. Replace PFXFILE with the name of the imported file.

    caution

    When executing the commands, the OpenSSL command line tool prompts you to set a password for the private key file. Leave the file without a password: press Enter twice.

    openssl pkcs12 -in PFXFILE.pfx -nokeys | sed -ne '/-BEGIN CERTIFICATE/,/END CERTIFICATE/p' > SSL.crt
    openssl pkcs12 -in PFXFILE.pfx -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > root-ca.crt
    openssl pkcs12 -in PFXFILE.pfx -nocerts -out SSLencrypted.key
    openssl rsa -in SSLencrypted.key -out SSL.key
    rm SSLencrypted.key

    The SSL.crt file must contain the following:

    -----BEGIN CERTIFICATE-----
    #Your certificate#
    -----END CERTIFICATE-----

Client authentication certificate

The Axidian CertiFlow server can operate as a client for the Axidian CertiFlow Event Log Proxy and Axidian AirCard Enterprise services.

In this case, the Axidian CertiFlow server must have a client authentication certificate to access the services.

Certificate requirements

  • Subject must include the Common Name attribute (the Axidian CertiFlow server FQDN).
  • Enhanced Key Usage (EKU) must include the Client Authentication value.

Create a certificate template

Prepare the certificate template. The following procedure details the configuration of a certificate template in Microsoft Certificate Authority (CA).

  1. Open the Microsoft CA web interface (certsrv), right-click Certificate Templates and select Manage.
  2. Copy the built-in Workstation Authentication template – right-click the template name and select Duplicate Template.
  3. On the General tab of the template properties window, specify a name for the certificate template. If necessary, specify the certificate validity and renewal period.
  4. On the Request Handling tab, enable the Allow private key to be exported option.
  5. (Optional) On the Cryptography tab, edit the minimum key size.
  6. On the Security tab, specify the server name for the certificate request.
    1. Click AddObject Types, enable the Computers option, and click OK.
    2. Enter the name of the Axidian CertiFlow server and click OK.
  7. In the permissions list, set Allow for the Enroll permission.
  8. Click Apply and OK.
  9. Publish the created certificate template.
    1. In the certsrv console, right-click Certificate Templates and select NewCertificate Template to Issue.
    2. In the Enable Certificate Templates window, select the created template. The template is published in the CA.
  10. Close the certsrv console.

Enroll a certificate

Enroll the TLS/SSL certificate for the workstation where you plan to install the web server. You can either enroll the certificate in the CA or create a self-signed certificate.

The following procedure details how to enroll a certificate in Microsoft CA.

  1. Open the Certificates MMC snap-in (certs.msc) and go to the Certificates (Local Computer) store.
  2. Right-click the Personal folder and select All TasksRequest New Certificate.
  3. In the Certificate Enrollment window, click Next twice and select the certificate template created earlier.
  4. Click the link More information is required to enroll for this certificate. Click here to configure settings to specify additional certificate request details. This opens the certificate properties window.
  5. In the certificate properties window, open the Subject tab.
    1. In the Subject name section, select Common name from the Type list.
    2. Enter the FQDN of the Axidian CertiFlow server and click Add.
    3. In the Alternative name section, select DNS from the Type list.
    4. Enter the FQDN of the Axidian CertiFlow server and click Add.
    5. (Optional) To create a domain wildcard for servers with various hostnames, select DNS from the Type list in the Alternative name section and enter a wildcard domain (for example, *.demo.local). Click Add.
  6. Click OK.
  7. Go to the Private KeyKey Options tab and ensure the Make private key exportable option is enabled. Click OK.
  8. Click Enroll.

The certificate is installed in the local computer's certificate store (CertificatesPersonalCertificates) with the intended purpose of Client Authentication.

Install a certificate on a Linux workstation

To transfer and install the certificate on Linux workstations, export the certificate and split it into a certificate file and a private key file.

  1. Follow the instructions provided in the previous section to enroll the certificate from a CA.

  2. Right-click the certificate and select All TasksExport.

  3. In the Certificate Export Wizard, click Next, select Yes, export the private key, and click Next twice.

  4. Enable the Password option, enter and confirm the password. Click Next.

  5. Select the destination folder for the exported certificate and click Finish.

  6. Split the PFX file into a certificate file and a private key file. Replace PFXFILE with the name of the imported file.

    caution

    When executing the commands, the OpenSSL command line tool prompts you to set a password for the private key file. Leave the file without a password: press Enter twice.

    openssl pkcs12 -in PFXFILE.pfx -nokeys | sed -ne '/-BEGIN CERTIFICATE/,/END CERTIFICATE/p' > client.crt
    openssl pkcs12 -in PFXFILE.pfx -cacerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > root-ca.crt
    openssl pkcs12 -in PFXFILE.pfx -nocerts -out clientencrypted.key
    openssl rsa -in clientencrypted.key -out client.key
    rm clientencrypted.key

    The client.crt file must contain the following:

    -----BEGIN CERTIFICATE-----
    #Your certificate#
    -----END CERTIFICATE-----