Installing a trusted, externally-signed XClarity Orchestrator server certificate

You can choose to use a trusted server certificate that was signed by a private or commercial certificate authority (CA). To use an externally-signed server certificate, generate a certificate signing request (CSR), and then import the resulting server certificate to replace the existing server certificate.

Procedure

To generate and install an externally-signed server certificate, complete the following steps.

1. Create a certificate signing request and save the file to your local system.
   1. From the XClarity Orchestrator menu bar, click Administration () > Security, and then click Server Certificate in the left navigation to display the Generate Certificate Signing Request card.
      
      
   2. From the Generate Certificate Signing Request (CSR) card, fill in the fields for the request.
      • Two-letter ISO 3166 code for the country or region of origin associated with the certificate organization (for example, US for the United States).
      • Full name of the state or province to be associated with the certificate (for example, California or New Brunswick).
      • Full name of the city to be associated with the certificate (for example, San Jose). The length of the value cannot exceed 50 characters.
      • Organization (company) that is to own the certificate. Typically, this is the legal incorporate name of a company. It should include any suffixes, such as Ltd., Inc., or Corp (for example, ACME International Ltd.). The length of this value cannot exceed 60 characters.
      • (Optional) Organization unit that is to own the certificate (for example, ABC Division). The length of this value cannot exceed 60 characters,
      • Common name of the certificate owner. This must be the hostname of the server that is using the certificate. The length of this value cannot exceed 63 characters.
      • (Optional) Subject alternative names that are added to the X.509 "subjectAltName" extension when the CSR is generated.

        By default, XClarity Orchestrator automatically defines subject alternative names for the CSR based on the IP address and hostname that are discovered by the network interfaces for the XClarity Orchestrator guest operating system. You can customize, delete, or add to these subject alternative name values. However, the subject alternative names must have the fully-qualified domain name (FQDN) or IP address of the server, and the subject name be set to the FQDN.

        The name that you specify must be valid for the selected type.

        • DNS (use the FQDN, for example, hostname.labs.company.com)
        • IP address (for example, 192.0.2.0)
        • email (for example, example@company.com)
        Note

        All subject alternative names that are listed in the table are validated, saved, and added to the CSR only after you generate the CSR in the next step.
2. Provide the CSR to a trusted certificate authority (CA). The CA signs the CSR and returns a server certificate.
3. Import the externally-signed server certificate and the CA certificate to XClarity Orchestrator, and replace the current server certificate.
   1. From the Generate Certificate Signing Request (CSR) card, click Import Certificate to display the Import Certificate dialog.
   2. Copy and paste the server certificate and CA certificate in PEM format. You must provide the entire certificate chain, beginning with the server certificate and ending in the root CA certificate.
   3. Click Import to store the server certificate in the XClarity Orchestrator trust store.
4. Accept the new certificate by pressing Ctrl+F5 to refresh the browser and then re-establishing your connection to the web interface. This must be done by all established user sessions.