How to Manage ICG Certificates with UMS

The IGEL Universal Management Suite (UMS) has a built-in TLS/SSL certificate manager to be used with the IGEL Cloud Gateway (ICG). It produces keystore files suited to the ICG installer.


ICG Certificate Signing Options

UMS supports three options for ICG certificate signing:

  • Use the UMS to create a CA and sign ICG certificates. For instructions, see Creating a Certificate for the ICG Using the IGEL UMS.

    • Advantages: Free of charge, independent

    • Disadvantages: Client users have to check the CA certificate fingerprint when first connecting to ICG, no advanced PKI management features

  • Import the root certificate and private key of your existing private CA into UMS, and use the certificate to sign a certificate for ICG. For instructions, see Creating Certificates from an Existing Root Certificate.

    • Advantages: Free of charge

    • Disadvantages: Client users have to check the CA certificate fingerprint when first connecting to ICG. You may not want to save your CA private key in a networked application such as UMS, and it may be difficult to synchronize it with your main private CA.

  • Import the root certificate of a publicly known CA into UMS, along with an ICG certificate signed by that CA. See the instructions below.

    • Advantages: If the CA is one of the approximately 170 that are supported by IGEL OS, users will not need to check the certificate fingerprint at all.

    • Disadvantages: Cost. You will not be able to sign certificates yourself.

Using a Publicly Known CA in UMS

The following files are needed:

  • CA root certificate

  • ICG Server certificate signed by the CA

  • ICG server private key

To use a publicly known CA in the UMS:

  1. In UMS Console, go to UMS Administration > Global Configuration > Certificate Management > Cloud Gateway.

  2. In the Certificates section, click the import button to import the root certificate.

  3. Choose the CA's root certificate file (in PEM format).
    The CA's root certificate appears in the list.

  4. Right-click the CA's root certificate and select Import signed certificate.

  5. Click OK.
    The signed certificate appears in the list.

  6. Right-click the signed certificate and select Import decrypted private key.

    If the private key is protected with a passphrase, you need to decrypt it using the OpenSSL command-line tool: openssl rsa -in encrypted.key -out decrypted.key

  7. Choose the decrypted private key file.
    The data can now be used to produce a keystore file for the ICG server.

  8. Right-click the signed certificate and select Export certificate chain in IGEL Cloud Gateway keystore format.
    The file keystore.icg is created. This file will be required for the gateway.

  9. Save the keystore.icg file.
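
Before starting the import, the three files listed above can be checked against each other with OpenSSL. The script below is an added example, not part of the IGEL documentation; the file names are placeholders, and it assumes the ICG certificate was issued directly by the root certificate you import (no intermediate CA).

```shell
#!/bin/sh
# Added example: check the three UMS import files against each other.
# Usage (placeholder names): check_icg_files root.pem icg.pem decrypted.key
# Return codes: 0 ok, 1 root cert, 2 server cert, 3 key encrypted/unreadable,
#               4 key does not match cert, 5 cert does not verify against root.

check_icg_files() {
    ca=$1; cert=$2; key=$3

    # The root certificate must be a PEM file (step 3 of the procedure).
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null ||
       ! openssl x509 -in "$ca" -noout 2>/dev/null; then
        echo "root certificate is not a PEM X.509 file" >&2; return 1
    fi

    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "server certificate cannot be parsed" >&2; return 2
    fi

    # UMS wants the decrypted key (step 6): reject passphrase-protected PEM.
    if grep -Eq 'BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED' "$key" 2>/dev/null ||
       ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "private key is encrypted or unreadable" >&2; return 3
    fi

    # The key belongs to the certificate only if both yield the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the server certificate" >&2; return 4
    fi

    # The certificate must name this root as issuer and carry its signature.
    issuer=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null)
    subject=$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null)
    if [ "$issuer" != "$subject" ] ||
       ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "server certificate does not verify against this root" >&2; return 5
    fi

    echo "OK: root certificate, server certificate and private key are consistent"
}
```

The decrypted key file is unprotected on disk, so restrict its permissions and remove it once UMS has imported it.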