
Managing Certificates

The NIOS appliance generates a self-signed certificate when it first starts. A self-signed certificate is signed by the subject of the certificate, and not by a CA (Certificate Authority). This is the default certificate. When your computer first connects to the NIOS appliance, the appliance sends this certificate to authenticate itself to your browser.
Because the default certificate is self-signed, your browser does not have a trusted CA certificate or a cached NIOS appliance server certificate (saved from an earlier connection) to authenticate the NIOS appliance certificate. Also, the hostname in the default certificate is www.infoblox.com, which is unlikely to match the hostname of your NIOS appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and that the hostname on the certificate is either invalid or does not match the name of the site that sent the certificate. Either accept the certificate just for this session or save it to the certificate store of your browser.
To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has the hostname of your NIOS appliance. The NIOS appliance supports X.509 certificates in .PEM format.
Because you connect to the Master Grid through the Multi-Grid Master, ensure that you always select the Multi-Grid Master when you perform any of the following tasks:

  • Generate another self-signed certificate with the correct hostname and save it to the certificate store of your browser. For information, see 19282667.
  • Request a CA-signed certificate with the correct hostname and load it on the NIOS appliance. For information, see 19282667.
  • When you receive the certificate from the CA, import it to the appliance, as described in 19282667.
  • Download the certificate from a trusted CA, as described in 19282667.
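
The two warnings described above (untrusted issuer and hostname mismatch) can be checked from a workstation with the openssl command line. The following is an added example, not Infoblox code; the sample certificate is constructed, and nios.example.test is a hypothetical appliance hostname.

```shell
#!/bin/sh
# Added example (not Infoblox code): report the certificate properties behind
# the browser warnings. Requires the openssl CLI.

# cert_report <cert.pem> <expected-hostname>
cert_report() {
    pem=$1; host=$2
    # Identical subject and issuer name hashes: the usual sign of a
    # self-signed certificate.
    if [ "$(openssl x509 -in "$pem" -noout -subject_hash)" = \
         "$(openssl x509 -in "$pem" -noout -issuer_hash)" ]; then
        echo "self_signed=yes"
    else
        echo "self_signed=no"
    fi
    # -checkhost compares the name against SAN entries, falling back to the CN.
    if openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "hostname_match=yes"
    else
        echo "hostname_match=no"
    fi
    # Public key length in bits, as chosen in the Key Size field.
    openssl x509 -in "$pem" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/key_bits=\1/p'
}

# Constructed sample: a throwaway self-signed certificate carrying the same
# hostname as the default certificate (www.infoblox.com).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.infoblox.com" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
# nios.example.test is a hypothetical appliance hostname.
cert_report "$demo_dir/sample.pem" nios.example.test
```

Run `cert_report` against a certificate saved with Download Certificate to confirm that a replacement certificate reports `hostname_match=yes` for the appliance's real hostname. NIST SP 800-131A disallows 1024-bit RSA keys for signature generation, so `key_bits=1024` is worth flagging.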

Generating Self-Signed Certificates

You can replace the default certificate with a self-signed certificate that you generate. When you generate a self-signed certificate, you can specify the correct hostname and change the public/private key size, enter valid dates and specify additional information specific to the NIOS appliance. If you have multiple appliances, you can generate a certificate for each appliance with the appropriate hostname.
To generate a self-signed certificate:

  1. From the Master Grid tab, select the Members tab -> multi-grid_master checkbox, and then click HTTPS Cert -> Generate Self-signed Certificate from the Toolbar.
  2. In the Generate Self-Signed Certificate dialog box, complete the following:
    • Key Size: Select either 2048 or 1024 for the length of the public key.
    • Days Valid: Specify the validity period of the certificate.
    • Common Name: Specify the domain name of the NIOS appliance. You can enter the FQDN (fully qualified domain name) of the appliance.
    • Organization: Enter the name of your company.
    • Organizational Unit: Enter the name of your department.
    • Locality: Enter a location, such as the city or town of your company.
    • State or Province: Enter the state or province.
    • Country Code: Enter the two-letter code that identifies the country, such as US.
    • Admin E-mail Address: Enter the email address of the appliance administrator.
    • Comment: Enter information about the certificate.
  3. Click OK.
  4. If the appliance already has an existing HTTPS certificate, the new certificate replaces the existing one. In the Replace HTTPS Certificate Confirmation dialog box, click Yes. The appliance logs you out, or you can manually log out. When you log in to the appliance again, it uses the new certificate you generated.

Generating Certificate Signing Requests

You can generate a CSR (certificate signing request) that you can use to obtain a signed certificate from your own trusted CA. Once you receive the signed certificate, you can import it into the NIOS appliance, as described in 19282667.
To generate a CSR:

  1. From the Master Grid tab, select Members -> multi-grid_master checkbox.
  2. From the Toolbar, click HTTPS Cert -> Create Signing Request.
  3. In the Create Certificate Signing Request dialog box, enter the following:
    • Key Size: Select either 2048 or 1024 for the length of the public/private key pair.
    • Common Name: Specify the domain name of the NIOS appliance. You can enter the FQDN of the appliance.
    • Organization: Enter the name of your company.
    • Organizational Unit: Enter the name of your department.
    • Locality: Enter a location, such as the city or town of your company.
    • State or Province: Enter the state or province.
    • Country Code: Enter the two-letter code that identifies the country, such as US.
    • Admin Email Address: Enter the email address of the appliance administrator.
    • Comment: Enter information about the certificate.
  4. Click OK.

Uploading Certificates

When you receive the certificate from the CA and import it to the appliance, the NIOS appliance finds the matching CSR and associates the private key of that CSR with the newly imported certificate. The appliance then automatically deletes the CSR.
To import a certificate:

  1. From the Master Grid tab, select the Members tab -> multi-grid_master checkbox, and then click HTTPS Cert -> Upload Certificate from the Toolbar.
  2. Navigate to where the certificate is located and click Open.
  3. If the appliance already has an existing HTTPS certificate, the new certificate replaces the existing one. In the Replace HTTPS Certificate Confirmation dialog box, click Yes.

The appliance imports the certificate and logs you out. When you log in to the appliance again, it uses the certificate you imported.

Downloading Certificates

You can download the current certificate or a self-signed certificate. To download a certificate:

  1. From the Master Grid tab, select the Members tab -> multi-grid_master checkbox, and then click HTTPS Cert -> Download Certificate from the Toolbar.
  2. Navigate to where you want to save the certificate, enter the file name, and then click Save.

Managing Intermediate Certificates

If the CA sends an intermediate certificate that must be installed along with the server certificate, you can upload both certificates to the appliance. The appliance supports the use of intermediate certificates to complete the chain of trust from the server certificate to a trusted root CA. This eliminates intermediate certificate security warnings that appear when you open a web browser and try to connect to an Infoblox appliance.
To upload and manage intermediate certificates:

  1. From the Master Grid tab, select the Members tab -> multi-grid_master checkbox, and then click HTTPS Cert -> Manage Intermediate Certificate from the Toolbar.
  2. When the CA Certificate dialog box displays with the list of uploaded CA certificates, you can do the following:
    • Import a certificate by clicking the Add icon. In the Upload dialog box, click Select, navigate to where the certificate is located, click Open, and then click Upload.
    • Remove a certificate by selecting it and clicking the Delete icon.
    • Print the data or export it in .csv format.
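
Two checks worth running on a workstation before the upload steps in Uploading Certificates and Managing Intermediate Certificates: that the CA-issued certificate carries the public key of the CSR, and that the chain verifies only once the intermediate is supplied. This is an added example, not Infoblox code; all keys, names (constructed-*) and files are constructed throwaway samples, and it requires the openssl command line.

```shell
#!/bin/sh
# Added example (not Infoblox code). Requires the openssl CLI.

# same_key <csr.pem> <cert.pem>: succeeds when the certificate carries the
# public key of the CSR, the property the appliance relies on to match them.
same_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# chain_ok <root.pem> <server.pem> [intermediate.pem]: succeeds when the
# server certificate chains to the root, optionally via an intermediate.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null
    fi | grep -q ': OK$'
}

# Constructed sample PKI in directory $1: root -> intermediate -> server,
# plus an unrelated CSR ("other") for the mismatch case.
make_sample_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root intermediate server other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 30 \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 30 \
        -out "$d/server.pem" 2>/dev/null
}

pki=$(mktemp -d)
make_sample_pki "$pki"
same_key "$pki/server.csr" "$pki/server.pem" && echo "server.pem matches server.csr"
same_key "$pki/other.csr" "$pki/server.pem" || echo "server.pem does not match other.csr"
chain_ok "$pki/root.pem" "$pki/server.pem" || echo "chain incomplete without intermediate"
chain_ok "$pki/root.pem" "$pki/server.pem" "$pki/intermediate.pem" && echo "chain complete"
```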