ERM certificate management

TLS/SSL certificates are crucial for private information exchange and to validate that the received information has not been altered. The ERM Installer includes tools to help deal with these seemingly complex technologies.

Sometimes it can take a while to get access to valid certificates, which is why ERM Installer has tools to generate test certificates while waiting for the valid ones to arrive. To simulate a real environment, both a root CA issuer and an intermediate CA issuer is generated. Note that these should only be used in tests or proof of concept environments.

Certificate management tools

The certificate management tools are accessed by selecting Certificates which is located in the header navigation of the ERM Installer.

Use this tool to upload your certificate pairs and check certificate information. To help with demo-setups a self signed CA and certificate generation service is also included.

When first navigating to certificate management you get an overview which shows all of the available certificates. You can review information including the expiration date, upload date, and Issuer. You also have the choice to delete selected certificates.

Clicking on the title of a certificate from the overview brings you to the certificate details page for the specific certificate, where there are tools such as update certificate, create CSR request or export private key. For more information, see Certificate details below.

Usage guidelines

Certificates files should use Base 64-encoded PEM format, and the public certificate should always include the full certificate chain for better compatibility with different services, video conferencing systems and web browsers i.e. the public certificate file should include the certificate for the service followed by intermediate certificate(s) and the root CA. If the file contains only one certificate some devices or services may not work correctly even if everything looks ok in the administrator's web browser.

Use external tools, e.g. https://www.ssllabs.com/ssltest/ or openssl from the command line openssl s_client -connect pexip-erm.example.org:443 to validate your installation.

Example of a public key for pexip-erm.example.org opened in a text editor:

—–BEGIN CERTIFICATE—–
(pexip-erm.example.org content)
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
(Intermediate CA content)
—–END CERTIFICATE—–
—–BEGIN CERTIFICATE—–
(Root CA content)
—–END CERTIFICATE—–

Upload or generate certificates

Further down the certificate overview page are some tools for uploading new certificates, and to get the ERM Installer to generate temporary self-signed certificates for all products without assigned certificates. Lastly, there is an option to generate new certificates.

Certificate details

The certificate details page shows more information and tools for a specific certificate.

You reach this view by going to Certificates located in the header navigation of the ERM Installer, then clicking on the title of your desired certificate from the certificates overview.

General information

This shows a table with general information about the specific certificate. Scrolling down shows tools and actions for the certificate.

Update certificate

Use the form to update the certificate, choose a name and select your private key and public certificate and click Update. You also have the choice to delete the certificate.

Public certificate

You see the public certificate in the text field and also have the option to download the public certificate by clicking on Download.

Generate CSR

Create a CSR request, fill in the form and click Generate CSR request.

Export private key

Lastly you have the option to export the certificate private key, by clicking Export.