This documentation supports the 20.02 (12.0) version of BMC Discovery.


Configuring HTTPS settings

The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:

  • Generating server keys and certificate signing requests
  • Uploading and signing server certificates
  • Uploading a CA certificate bundle to the appliance, or downloading the current bundle from the appliance
  • Uploading a Certificate Revocation List to revoke access to the appliance

If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace the default Certificate Authority (CA) bundle on BMC Discovery with one supplied by your organization (see To upload or download a CA certificate bundle).

Note

Starting with version 20.02, BMC Discovery enables HTTPS by default, whether you perform a new installation of version 20.02 or upgrade from version 11.x. Existing Windows proxies, if any, continue to function without any additional HTTPS-specific configuration.

To generate a server key

  1. From the main menu, click the Administration icon.
    The Administration page is displayed.
  2. From the Security section, click HTTPS.
    The HTTPS Configuration page is displayed.



  3. Click Generate New Key.
    The Generate Key dialog is displayed.



  4. Enter relevant information in the editable fields:

    Server Name: The hostname of the appliance if it is standalone. If the appliance is a cluster member, enter the cluster alias or, if no alias has been set, its DNS entry.
    Country Code: The two-character country code for the country in which the appliance is located, for example GB.
    State or Province: The state or province in which the appliance is located, for example Yorkshire.
    Locality: The locality in which the appliance is located, for example York.
    Company Name: The company name, for example BMC Software.
    Department: (Optional) The department using the appliance.
    Email Address: (Optional) The email contact for users of this appliance.
    CSR SANs: (Optional) Subject Alternative Names (SANs) for the Certificate Signing Request (CSR), if you want a single certificate to cover additional hostnames. Enter multiple SANs as a space- or comma-separated list of hostnames. For a cluster, enter the hostname of the coordinator and of every cluster member.
    RSA key length: The RSA key length, in bits. Select 1024, 2048, or 4096 from the list. Choose 2048 or 4096: NIST has disallowed 1024-bit RSA for new signatures since the end of 2013, and publicly trusted certificate authorities have required at least 2048 bits since 2014 under the CA/Browser Forum Baseline Requirements, so a 1024-bit CSR will be rejected.

    Note

    The subject values entered in the Generate Key dialog must match those expected by the certificate authority that will sign the request.

  5. When you have entered the required information, click Apply to generate the key.
    The dialog closes and the new server key is saved on the appliance's file system as $TIDEWAY/etc/https/server.key. A certificate signing request, server.csr, is generated in the same location.
    The CSR must be signed before the appliance can use the resulting certificate, either by your certificate authority (steps 6 and 7, then To upload a server certificate) or by the appliance itself (To self-sign a server certificate).
  6. Click Download CSR to save the certificate signing request to your local file system.
  7. Send the CSR to your certificate authority for signing.
    When the certificate authority has approved the request, it generates the corresponding certificate and returns it as a .crt file.

To upload a server certificate

  1. When your certificate signing authority has approved the request and returned a certificate, save the certificate file on your local file system.
  2. On the HTTPS Configuration page, click Upload in the Server Certificate row.
  3. Click Choose File next to Certificate File and select the server certificate you saved in Step 1 of this procedure.
  4. Click Apply.
    The new certificate is uploaded onto the appliance.

To self-sign a server certificate

If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.

  1. Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in To generate a server key.
  2. On the HTTPS Configuration page, click Self Sign in the Server Certificate row.
    The certificate signing request is signed with the server key and saved as a new certificate, server.crt. Because no certificate authority vouches for a self-signed certificate, browsers and API clients warn or refuse to connect until they are explicitly configured to trust it.
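
The three procedures above reproduced with the openssl command line on an administrator's workstation, as an added example that is not part of the BMC documentation or the product: it generates a key and CSR with the same fields as the Generate Key dialog, has a throwaway CA (constructed here to stand in for your organization's CA) sign the request, self-signs the same request, and runs the checks worth doing before a CSR is sent and before a returned certificate is uploaded. The hostnames, company name and working directory are assumptions, openssl 1.1.1 or later is assumed to be installed, and the script never touches $TIDEWAY/etc/https.

```shell
#!/bin/sh
# Added example, not BMC code: the key/CSR, CA-signed and self-signed steps above
# reproduced with openssl on an admin workstation, with the checks worth running
# before the CSR goes to the CA and before a returned certificate is uploaded.
# Hostnames, "Example Corp" and the throwaway CA are constructed; the appliance's
# real files live in $TIDEWAY/etc/https and are deliberately not touched.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CN="discovery.example.com"                                           # Server Name (cluster alias)
SANS="discovery.example.com disc01.example.com,disc02.example.com"   # CSR SANs, space/comma list
KEYLEN=2048                                                          # RSA key length; 1024 is unsafe

# Dialog SAN list -> openssl subjectAltName value "DNS:a,DNS:b,...".
san_value() {
    printf '%s' "$1" | tr ' ,' '\n\n' | awk 'NF { printf "%sDNS:%s", (n++ ? "," : ""), $0 }'
}

cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CN
C = GB
ST = Yorkshire
L = York
O = Example Corp
OU = IT Operations
emailAddress = discovery-admins@example.com
[ext]
subjectAltName = $(san_value "$SANS")
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 5 equivalent: server.key plus server.csr.
openssl req -new -newkey "rsa:$KEYLEN" -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# SHA-256 over the DER SubjectPublicKeyInfo, so key, CSR and cert can be compared.
pubkey_fp() {   # $1 = key|req|x509, $2 = file
    { case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        req)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        x509) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
      esac; } | openssl dgst -sha256 | awk '{ print $NF }'
}
key_bits() { openssl pkey -in "$1" -noout -text | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'; }

# Before sending the CSR: self-signature valid, chosen key size, every SAN present,
# and the CSR really carries the public half of server.key.
csr_ok() {
    openssl req -in "$WORK/server.csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text="$(openssl req -in "$WORK/server.csr" -noout -text)"
    printf '%s' "$text" | grep -q "Public-Key: ($KEYLEN bit)" || return 1
    for h in $(printf '%s' "$SANS" | tr ',' ' '); do
        printf '%s' "$text" | grep -q "DNS:$h" || return 1
    done
    [ "$(pubkey_fp req "$WORK/server.csr")" = "$(pubkey_fp key "$WORK/server.key")" ]
}

# Stand-in for your CA: a throwaway root (its cert doubles as the CA bundle) that
# signs the CSR. Real CAs may drop SANs they did not validate, hence the recheck.
openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -extensions ca_ext \
    -subj "/CN=Example Internal CA" -days 30 -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.crt" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca-bundle.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/req.cnf" -extensions ext -out "$WORK/server.crt" 2>/dev/null
# Self Sign equivalent: same CSR, signed with its own key, no CA involved.
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" -days 30 \
    -extfile "$WORK/req.cnf" -extensions ext -out "$WORK/selfsigned.crt" 2>/dev/null

# Before uploading: cert belongs to OUR key, chains to the bundle the appliance
# trusts and nothing else (the same check to run on an org bundle), SAN intact.
cert_ok() {   # $1 = certificate, $2 = private key, $3 = CA bundle
    [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp key "$2")" ] || return 1
    openssl verify -no-CAfile -no-CApath -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$CN"
}

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null  # wrong key
B="$WORK/ca-bundle.crt"
echo "server.key is $(key_bits "$WORK/server.key") bits"
if csr_ok; then echo "CSR: ready to send"; else echo "CSR: do NOT send"; fi
if cert_ok "$WORK/server.crt" "$WORK/server.key" "$B"; then echo "CA-signed cert: safe to upload"; fi
if ! cert_ok "$WORK/server.crt" "$WORK/other.key" "$B"; then echo "CA-signed cert vs other.key: rejected"; fi
# A self-signed certificate never chains to the CA bundle: browsers warn until told to trust it.
if ! cert_ok "$WORK/selfsigned.crt" "$WORK/server.key" "$B"; then echo "self-signed cert: not trusted by bundle"; fi
```

The verify step with -no-CAfile -no-CApath and only the bundle as trust anchor is the one to repeat on an organization's CA bundle before uploading it: if the server certificate does not verify against that bundle alone, clients configured to trust only that bundle will not connect either. The last line shows the self-signed certificate failing the same check, which is the warning users see in a browser.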

To upload or download a CA certificate bundle

The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.

Note

If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.

The default CA bundle is stored on the appliance as the following file:
/etc/pki/tls/certs/ca-bundle.crt
A certificate authority used by your organization supplies its bundle as a .crt file containing its root certificate and any intermediate certificates.

To replace the certificate bundle with one from a certificate authority used by your organization

  1. On the HTTPS Configuration page, click Upload in the CA Certificates row.
  2. Click Choose File next to CA Certificates File and select the certificate bundle returned by the certificate signing authority.
  3. Click Apply.
    The new certificate bundle is uploaded.

To download the existing CA certificate bundle

  • On the HTTPS Configuration page, click Download in the CA Certificates row.
    The CA certificate bundle is downloaded to your local file system.

To use a Certificate Revocation List to revoke access to the appliance

You can upload a Certificate Revocation List (CRL) to ensure that certificates revoked by the CA can no longer be used to access the appliance. A CRL is a list, signed and published by the CA, of the certificates it has revoked. Only the issuing CA can add a certificate to its CRL: if a certificate is compromised, ask the CA to revoke it and then upload the updated CRL. CRLs are reissued periodically, so repeat this procedure whenever the CA publishes a new one.

  1. On the HTTPS Configuration page, click Upload in the Certificate Revocation List row.
  2. Click Choose File next to CRL and select the CRL to apply.
  3. Click Apply.
    The CRL is uploaded and applied.
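
What a CRL does for the appliance, shown as an added example that is not part of the BMC documentation or the product: a constructed client CA issues two certificates, revokes one, publishes a CRL, and the check an HTTPS server performs when it has a CRL (chain to the CA bundle and consult the CRL) accepts one certificate and rejects the other. The same revoked certificate still verifies when no CRL is consulted, which is why uploading the CRL matters. The CA, names and paths are constructed, and openssl 1.1.1 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example, not BMC code: what a CRL does, shown with a constructed client CA
# on an admin workstation. Two client certificates are issued, the CA revokes one
# and regenerates its CRL, and verification against CA bundle plus CRL accepts
# one certificate and rejects the other. Names, paths and the CA are constructed.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"; mkdir -p "$CA/newcerts"; : > "$CA/index.txt"; echo 01 > "$CA/serial"; echo 01 > "$CA/crlnumber"

cat > "$CA/ca.cnf" <<EOF
[ca]
default_ca = local_ca
[local_ca]
dir = $CA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_dn
x509_extensions = client_ext
[any_dn]
commonName = supplied
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[req]
prompt = no
distinguished_name = dn
[dn]
CN = overridden-by-subj
EOF

# Root CA; its certificate is what you would upload as the CA bundle.
openssl req -x509 -newkey rsa:2048 -nodes -config "$CA/ca.cnf" -extensions ca_ext \
    -subj "/CN=Example Client CA" -days 30 -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null

# Issue a client certificate for $1 (its CN), recording it in the CA database.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA/ca.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA/ca.cnf" -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}
issue alice
issue mallory

# Only the CA can revoke: it marks the entry in its database and signs a new CRL.
# Someone who merely holds a compromised certificate cannot append it to the CRL.
openssl ca -config "$CA/ca.cnf" -revoke "$WORK/mallory.crt" -crl_reason keyCompromise 2>/dev/null
openssl ca -config "$CA/ca.cnf" -gencrl -out "$CA/ca.crl" 2>/dev/null

# 0 if the certificate's serial number is listed in the CRL.
revoked_in_crl() {   # $1 = certificate, $2 = CRL
    serial="$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)"
    openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial"
}
# The check that matters: chain to the CA bundle AND consult the CRL.
# Without -crl_check (no CRL uploaded) a revoked certificate still verifies.
accepts() {   # $1 = certificate, $2 = with_crl|no_crl
    if [ "$2" = with_crl ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$CA/ca.crt" -crl_check -CRLfile "$CA/ca.crl" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1
    fi
}

openssl crl -in "$CA/ca.crl" -noout -lastupdate -nextupdate   # after nextUpdate the CRL is stale: upload the new one
for who in alice mallory; do
    c="$WORK/$who.crt"
    printf '%-8s revoked=%s  accepted_without_crl=%s  accepted_with_crl=%s\n' "$who" \
        "$(revoked_in_crl "$c" "$CA/ca.crl" && echo yes || echo no)" \
        "$(accepts "$c" no_crl && echo yes || echo no)" \
        "$(accepts "$c" with_crl && echo yes || echo no)"
done
```

Two things to take from the output: mallory's certificate is accepted until the CRL is actually consulted, and the CRL carries a Next Update time after which verifiers treat it as stale, so each CRL the CA publishes has to be uploaded in turn.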

