About HTTPS Certificates

The NIOS appliance generates a self-signed certificate when it first starts. A self-signed certificate is signed by the subject of the certificate, and not by a CA (Certificate Authority). This is the default certificate. When your computer first connects to the NIOS appliance, it sends this certificate to authenticate itself to your browser.
Because the default certificate is self-signed, your browser does not have a trusted CA certificate or a cached NIOS appliance server certificate (saved from an earlier connection) with which to authenticate the NIOS appliance certificate. Also, the hostname in the default certificate is www.infoblox.com, which is unlikely to match the hostname of your NIOS appliance. Consequently, messages appear warning that the certificate is not from a trusted certifying authority and that the hostname on the certificate is either invalid or does not match the name of the site that sent the certificate. Either accept the certificate just for this session or save it to the certificate store of your browser.
To eliminate certificate warnings, you can replace the default self-signed certificate with a different certificate that has the hostname of your NIOS appliance. The NIOS appliance supports X.509 certificates in .PEM format. After the initial login, you can do one of the following:

  • Generate another self-signed certificate with the correct hostname and save it to the certificate store of your browser.

  • Request a CA-signed certificate with the correct hostname and load it on the NIOS appliance. For more information, see Generating Certificate Signing Requests below.

  • When you receive the certificate from the CA, upload it to the appliance. Additionally, you can upload a certificate along with the private key, as described in Uploading HTTPS Certificates below.

  • Download the certificate from a trusted CA, as described in Downloading Certificates.

Generating Self-Signed Certificates

You can replace the default certificate with a self-signed certificate that you generate. When you generate a self-signed certificate, you can specify the correct hostname, change the public/private key size, enter valid dates, and specify additional information specific to the NIOS appliance. If you have multiple appliances, you can generate a certificate for each appliance with the appropriate hostname. You can generate a self-signed certificate using either the SHA-1 or SHA-256 (SHA-2) hash algorithm.

To generate a self-signed certificate:

  1. Grid: From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox, and then click Certificates -> HTTPS Cert -> Generate Self-signed Certificate from the Toolbar. In a Grid, ensure that you select the Grid Master when generating a self-signed certificate.

  2. In the Generate Self-Signed Certificate dialog box, complete the following:

    • Secure Hash Algorithm and KeySize: You can select one of the following: SHA-1 with an RSA key size of 1024 or 2048, SHA-256 (SHA-2) with an RSA key size of 2048 or 4096, SHA-384 with an RSA key size of 2048 or 4096, SHA-512 with an RSA key size of 2048 or 4096. The default value is SHA-256 2048.
      If your Grid includes a reporting server, DO NOT select a key size of 4096 bits for SHA-256. Otherwise, reporting might not function properly, because Java does not support SHA-256 with a 4096-bit key.

    • Days Valid: Specify the validity period of the certificate.

    • Common Name: Specify the domain name of the NIOS appliance. You can enter the FQDN (fully qualified domain name) of the appliance.

    • Organization: Enter the name of your company.

    • Organizational Unit: Enter the name of your department.

    • Locality: Enter a location, such as the city or town of your company.

    • State or Province: Enter the state or province.

    • Country Code: Enter the two-letter code that identifies the country, such as US.

    • Admin E-mail Address: Enter the email address of the appliance administrator.

    • Comment: Enter information about the certificate.

    • Subject Alternative Name: You can specify Subject Alternative Names (SAN) in order to secure additional hostnames across different domains or subdomains. You can add the following entry types to be included in the SAN extension of the self-signed certificate: DNS, Email, IP Address, and URI. Click the Add icon and Grid Manager adds a row to the table. Click the row, select the entry type from the drop-down list, and then enter the value for the SAN entry. You can add up to 30 entries. To remove an entry from the list, select the SAN entry, and then click the Delete icon.
      For Google Chrome version 58 and later, Firefox version 101.0 and later, Safari in iOS 13 and macOS 10.15, and some other browsers, it is mandatory to enter the subject alternative name.

  3. Click OK.

  4. If the appliance already has an existing HTTPS certificate, the new certificate replaces the existing one. In the Replace HTTPS Certificate Confirmation dialog box, click Yes. The appliance logs you out, or you can manually log out. When you log in to the appliance again, it uses the new certificate you generated.

Generating Certificate Signing Requests

You can generate a CSR (certificate signing request) that you can use to obtain a signed certificate from your own trusted CA. Once you receive the signed certificate, you can import it into the NIOS appliance, as described in this page.

To generate a CSR:

  1. Grid: From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox, and then click Certificates -> HTTPS Cert -> Create Signing Request from the Toolbar.

  2. In the Create Certificate Signing Request dialog box, enter the following:

    • Secure Hash Algorithm and KeySize: You can select one of the following: SHA-1 with an RSA key size of 1024 or 2048, SHA-256 (SHA-2) with an RSA key size of 2048 or 4096, SHA-384 with an RSA key size of 2048 or 4096, SHA-512 with an RSA key size of 2048 or 4096. The default value is SHA-256 2048.

    • Common Name: Specify the domain name of the NIOS appliance. You can enter the FQDN of the appliance.

    • Organization: Enter the name of your company.

    • Organizational Unit: Enter the name of your department.

    • Locality: Enter a location, such as a city or town of your company.

    • State or Province: Enter the state or province.

    • Country Code: Enter the two-letter code that identifies the country, such as US.

    • Admin E-mail Address: Enter the email address of the appliance administrator.

    • Comment: Enter information about the certificate.

    • Subject Alternative Name: You can specify Subject Alternative Names (SAN) in order to secure additional hostnames across different domains or subdomains. You can add the following entry types to be included in the SAN extension of the CSR: DNS, Email, IP Address, and URI. Click the Add icon and Grid Manager adds a row to the table. Click the row, select the entry type from the drop-down list, and then enter the value for the SAN entry. You can add up to 30 entries. To remove an entry from the list, select the SAN entry, and then click the Delete icon.

  3. Click OK.
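The two dialogs above (Generate Self-Signed Certificate and Create Certificate Signing Request) ask for the same subject fields, hash algorithm, key size and SAN entries. The following script is an added example, not Infoblox code, that produces the equivalent artifacts with openssl so you can compare them with what Grid Manager generates, or prepare a key and CSR for an external CA. The hostname nios1.example.com, the address 192.0.2.10 and the subject values are constructed placeholders; the working directory and parameters can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not Infoblox's code): reproduce the Generate Self-Signed
# Certificate and Create Certificate Signing Request dialogs with openssl.
# Assumptions (constructed values): hostname nios1.example.com, IP 192.0.2.10,
# subject fields for a fictional "Example Corp".
set -eu

WORKDIR="${WORKDIR:-./nios-cert}"
CN="${CN:-nios1.example.com}"    # Common Name: FQDN of the appliance
DAYS="${DAYS:-365}"              # Days Valid
KEYBITS="${KEYBITS:-2048}"       # RSA key size (2048 avoids the 4096-bit reporting caveat)
DIGEST="${DIGEST:-sha256}"       # Secure Hash Algorithm (sha1, sha256, sha384, sha512)

# Write an openssl config carrying the dialog's subject fields plus a SAN
# extension with DNS, IP Address and Email entries.
write_conf() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
x509_extensions = san
prompt = no

[dn]
C = US
ST = California
L = Santa Clara
O = Example Corp
OU = Network Services
CN = $CN
emailAddress = admin@example.com

[san]
subjectAltName = DNS:$CN, DNS:gridmaster.example.com, IP:192.0.2.10, email:admin@example.com
EOF
}

# Self-signed certificate (key + certificate), the openssl equivalent of
# Certificates -> HTTPS Cert -> Generate Self-signed Certificate.
gen_selfsigned() {
  write_conf
  openssl req -x509 -newkey "rsa:$KEYBITS" -nodes "-$DIGEST" -days "$DAYS" \
    -keyout "$WORKDIR/selfsigned.key" -out "$WORKDIR/selfsigned.pem" \
    -config "$WORKDIR/san.cnf" 2>/dev/null
  chmod 600 "$WORKDIR/selfsigned.key"
}

# CSR plus private key for an external CA, the openssl equivalent of
# Certificates -> HTTPS Cert -> Create Signing Request.
gen_csr() {
  write_conf
  openssl req -new -newkey "rsa:$KEYBITS" -nodes "-$DIGEST" \
    -keyout "$WORKDIR/nios.key" -out "$WORKDIR/nios.csr" \
    -config "$WORKDIR/san.cnf" 2>/dev/null
  chmod 600 "$WORKDIR/nios.key"
}

# Print the SAN line of a certificate ($2 = x509) or CSR ($2 = req) so the
# entries can be checked before the file leaves the workstation.
show_san() {
  openssl "$2" -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the self-signed certificate carries the requested digest
# and RSA key size (what the dialog's "Secure Hash Algorithm and KeySize" sets).
check_cert() {
  openssl x509 -in "$WORKDIR/selfsigned.pem" -noout -text | grep -q "Signature Algorithm: ${DIGEST}WithRSAEncryption" &&
  openssl x509 -in "$WORKDIR/selfsigned.pem" -noout -text | grep -q "Public-Key: ($KEYBITS bit)"
}

if [ "${1:-}" = "run" ]; then
  gen_selfsigned
  gen_csr
  echo "self-signed SAN: $(show_san "$WORKDIR/selfsigned.pem" x509)"
  echo "CSR SAN:         $(show_san "$WORKDIR/nios.csr" req)"
  check_cert && echo "certificate uses $DIGEST with a $KEYBITS-bit RSA key"
fi
```

Run it as `sh gen-nios-cert.sh run`. The self-signed key stays on the workstation (the appliance generates its own key when you use the dialog), and the CSR key must be kept with mode 600 until the CA returns the signed certificate, since a certificate uploaded without a matching CSR on the appliance has to be uploaded together with its private key.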

Uploading HTTPS Certificates

When you receive the certificate from the CA and import it to the appliance, the NIOS appliance finds the matching CSR, associates the private key that was generated for that CSR with the newly imported certificate, and then automatically deletes the CSR.

You can also upload the certificate along with its private key. When you do so, you do not need to generate a CSR on the NIOS appliance. Before you upload the certificate, Infoblox recommends that you save the certificate on the local disk, set the private key's file permissions to 600, and make root its owner. Note that you might need to set the private key permissions to other values, depending on your business requirements. Also ensure that both the certificate and the private key are in PEM format and in the same upload file, and that the private key is not passphrase-protected.

If the CA sends an intermediate certificate that must be installed along with the server certificate, you can upload both certificates to the appliance. The appliance supports the use of intermediate certificates to complete the chain of trust from the server certificate to a trusted root CA. This eliminates the intermediate-certificate security warnings that appear when you open a web browser and try to connect to an Infoblox appliance. For instructions to upload a CA certificate, see below.

To import an HTTPS certificate:

  1. Grid: From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox, and then click Certificates -> HTTPS Cert -> Upload Certificate from the Toolbar.

  2. Navigate to where the certificate is located and click Open.

  3. If the appliance already has an existing HTTPS certificate, the new certificate replaces the existing one. In the Replace HTTPS Certificate Confirmation dialog box, click Yes.

  The appliance imports the certificate and logs you out. When you log in to the appliance again, it uses the certificate you imported.
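The preparation steps above (certificate and private key in PEM format in the same file, key not passphrase-protected, file mode 600 and owned by root) are easy to get wrong and the upload dialog gives little feedback. The following script is an added example, not Infoblox code, that checks an upload bundle for those conditions before you open the Upload Certificate dialog. It uses only the Python standard library; the PEM bodies in the sample bundles are constructed placeholders, not real keys or certificates, and `run_demo` relaxes the root-ownership requirement to the current user so it can run anywhere.

```python
"""Pre-upload check for a NIOS HTTPS certificate bundle (added example, not
Infoblox code). Verifies what the documentation asks for before
Certificates -> HTTPS Cert -> Upload Certificate: the file holds a PEM
certificate and a PEM private key, the key is not passphrase-protected, and
the file is mode 600 and owned by root (uid 0)."""
import os
import re
import stat
import tempfile

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def inspect_bundle(text):
    """Return counts of certificate and private-key blocks and whether the key is encrypted."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    certs = [lbl for lbl in labels if lbl.endswith("CERTIFICATE")]
    keys = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    # PKCS#8 encrypted keys use their own label; legacy PKCS#1 keys signal
    # encryption with a "Proc-Type: 4,ENCRYPTED" header inside the block.
    encrypted = any(lbl == "ENCRYPTED PRIVATE KEY" for lbl in keys) or "Proc-Type: 4,ENCRYPTED" in text
    return {"certs": len(certs), "keys": len(keys), "encrypted_key": encrypted}


def check_bundle(path, required_mode=0o600, required_uid=0):
    """Return a list of problems; an empty list means the bundle is ready to upload."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode != required_mode:
        problems.append(f"file mode is {oct(mode)}, expected {oct(required_mode)}")
    if st.st_uid != required_uid:
        problems.append(f"file owner uid is {st.st_uid}, expected {required_uid}")
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        info = inspect_bundle(fh.read())
    if info["certs"] == 0:
        problems.append("no PEM certificate found")
    if info["keys"] == 0:
        problems.append("no PEM private key found (required when no CSR was generated on the appliance)")
    if info["encrypted_key"]:
        problems.append("private key is passphrase-protected; the appliance cannot use it")
    return problems


# Constructed placeholder bodies: "AAAA..." is not a real key or certificate.
FAKE_BODY = "A" * 64 + "\n"
GOOD_BUNDLE = ("-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "-----END CERTIFICATE-----\n"
               "-----BEGIN PRIVATE KEY-----\n" + FAKE_BODY + "-----END PRIVATE KEY-----\n")
ENCRYPTED_BUNDLE = ("-----BEGIN CERTIFICATE-----\n" + FAKE_BODY + "-----END CERTIFICATE-----\n"
                    "-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    + FAKE_BODY + "-----END RSA PRIVATE KEY-----\n")


def write_sample(text, mode):
    """Write a constructed bundle to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def run_demo():
    """Check a correct bundle and a wrong one (encrypted key, mode 644)."""
    uid = os.getuid()  # a real pre-upload check keeps the default of uid 0 (root)
    good = write_sample(GOOD_BUNDLE, 0o600)
    bad = write_sample(ENCRYPTED_BUNDLE, 0o644)
    try:
        return {"good": check_bundle(good, required_uid=uid),
                "bad": check_bundle(bad, required_uid=uid)}
    finally:
        os.unlink(good)
        os.unlink(bad)


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or ['ready to upload']}")
```

For a real bundle, call `check_bundle("/path/to/nios-bundle.pem")` with the defaults, which enforce root ownership as the text recommends; pass a different `required_mode` if your business requirements call for other permissions.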

Downloading HTTPS Certificates

You can download the current certificate or a self-signed certificate, as described in Generating a Client Certificate below.

To download a certificate:

  1. Grid: From the Grid tab, select the Grid Manager tab -> Members tab -> member checkbox, and then click Certificates -> HTTPS Cert -> Download Certificate from the Toolbar.

  2. Navigate to where you want to save the certificate, enter the file name, and then click Save.