System Configuration : SSL Certificates
  
SSL Certificates
To access the SSL Certificates fields:
1. Navigate to System Configuration > SSL Certificate.
When using SSL, a server certificate is required for secure communications. The DME supports two types of SSL security certificates: Self-Signed and Authority Generated (e.g. Verisign). Organizational security requirements determine which to use. Notice that the Currently Installed Certificates are displayed at the top of the form.
In the case of self-signed certificates, select the Generate and Install a Self-Signed CERT button and the certificate is simply generated and installed by the DME.
If an organization elects to use a certificate from an authority, a PEM formatted certificate from the authority is necessary. The process for getting the certificate is:
1. Generate a server certificate request by completing the fields in the table below.
Field: Description
Country: Information only. Country of certificate holder.
State (Province): Information only. State of certificate holder.
City: Information only. City of certificate holder.
Company or Organization: Information only. Company of certificate holder.
Department: Information only. Department of certificate holder.
Full Domain Name: The complete name of the domain, also referred to as a FQDN (fully qualified domain name) as registered on any Internet DNS. This name must be unique within the domain, and possibly accessible by the CA for verification. All lowercase letters must be used.
Contact email address: Information only. Email address of certificate holder.
2. Then click the Generate Certificate Request to use with CA button. The Server Certificate Request field will display an encoded CSR such as seen in the image below. During this process VBrick stores a private key on the DME that will be used later.
3. With the encoded CSR, engage a Certificate Authority that is trusted by all browsers within your organization. It is recommended that you use a well-known CA.
4. Purchase the certificate specifically for the correct domain name for the DME (make sure the DME has that name, and organization DNS entries). Wildcard or star certificates are also common; those certificates can be used on multiple servers in your organization. There are special naming conventions; please see the requirements of your CA.
5. Receive the certificate from the Certificate Authority and request PEM formatting.
6. If the CSR was generated on this DME, then the private key is on this machine as well and you can continue to step 7. However, if this is a Certificate whose CSR was generated on another machine, you will need to procure a private key. This approach is common when dealing with wildcard/star certificates. In order for the DME to correctly apply the Certificate, please make sure that the private key is also in the PEM. Select the PEM Includes Key checkbox if applicable. When selected, you will also need to complete an additional FQDN field to name your DME.
7. Install the certificate by pasting the PEM and all contents in the Install New Certificate field (at the bottom of the page) and then clicking the Verify and Install New Certificate button.
8. Finally, verify that your certificate was installed in the Currently Installed Certificates window (at the top of the page). An invalid certificate will not be installed. Also, the DME will reboot itself when the certificate is installed correctly.
Certificates provided by a certificate authority (CA) may include multiple components: a private certificate, one or more intermediate certificates, a root certificate, and a private key. The order of these items (for processing by the DME) must be:
private key
private cert
intermediate cert(s)
root cert
If you edit the PEM file to correct the order, please do not change any content.
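One way to put a CA-supplied bundle into the order listed above without altering any block's content, shown as an added example that is not VBrick code. It assumes "private cert" means the server's own certificate and that the chain can be followed by matching each certificate's issuer name to the next certificate's subject name; the function names are hypothetical.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)    # tbsCertificate SEQUENCE
    fields = []                   # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:           # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_for_dme(pem_text):
    """Reorder blocks as key, server cert, intermediates, root; bytes unchanged."""
    blocks = list(PEM_RE.finditer(pem_text))
    keys = [m.group(0) for m in blocks if m.group(1).endswith("PRIVATE KEY")]
    certs = {}                    # subject -> (issuer, original block text)
    for m in blocks:
        if m.group(1) == "CERTIFICATE":
            issuer, subject = issuer_subject(base64.b64decode(m.group(2)))
            certs[subject] = (issuer, m.group(0))
    if len(keys) != 1 or not certs:
        raise ValueError("expected exactly one private key and at least one certificate")
    issuers = {iss for subj, (iss, _) in certs.items() if iss != subj}
    leaves = [subj for subj in certs if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("could not identify a single server certificate")
    chain, subject = [], leaves[0]
    while subject in certs:       # walk issuer links: server -> intermediates -> root
        issuer, text = certs.pop(subject)
        chain.append(text)
        subject = issuer
    if certs:
        raise ValueError("bundle contains certificates outside the chain")
    return "\n".join(keys + chain) + "\n"
```

Call `order_for_dme()` on the text of the PEM file and paste the returned string into the Install New Certificate field; because the bundle contains the private key, handle the input and output files accordingly.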
Note[1]: Be aware that if the Host Name field of the DME is changed (System Configuration > Network > Host Name), the SSL certificate will revert back to a self-signed certificate. If the certificate is invalid and the DME interface is unable to be reached, the admin console may be used.
Note[2]: If you have installed your certificate and inadvertently overwritten it (through a factory reset, host name change, etc.), contact VBrick Support Services for assistance in getting your old certificate back.
Note[3]: Once you have finished working on installing a new CERT, please FTP into the DME and remove (delete or take offline) the folder containing your backup cert within the FTP log folder.
 
See Also:
Fully Qualified Domain Name (FQDN)