Overview

All communication over the Web Port (default: 8443; see also UMS Communication Ports) is protected by a self-signed certificate chain that comes with the UMS installation. You can replace it with a certificate chain of your own.

See also Web in the UMS Reference Manual.

This article describes two ways to deploy such a chain: with a self-signed corporate CA, or with a chain issued under a public root CA:

Deploying a Self-Signed Corporate Certificate Chain

Prerequisites

  • You have a self-signed root CA certificate that serves as the trusted “root” certificate company-wide.
  • Your self-signed root CA certificate has been imported into all relevant trust stores within your company.
  • You have an intermediate CA certificate that is signed by your root CA certificate, together with its private key in unencrypted (passphrase-free) form. Handle this key file with care: it can issue certificates that the whole company trusts.

Importing the Root Certificate

  1. In the UMS Console, go to UMS Administration > Global Configuration > Certificate Management > Web.
  2. Click the import icon, select the root certificate file, and click Open.

    The root certificate is imported.

Importing the Intermediate Certificate

  1. Select the root certificate, open the context menu, and select Import signed certificate.
  2. Select the intermediate certificate file and click Open.

    The intermediate certificate is imported.
  3. Select the intermediate certificate, open the context menu, and select Import decrypted private key.
  4. Select the private key file of the intermediate certificate (an unencrypted key file, i.e., one that is not passphrase-protected) and click Open.

    The private key of the intermediate certificate is imported.
  5. Continue with Creating the End Certificates.

Creating the End Certificates

Repeat the following steps for each server in your UMS environment:

  1. Select the intermediate certificate, open the context menu, and select Create signed certificate.
  2. In the Signed Certificate Helper, select Create end certificate for one server and select the server to which the certificate is to be assigned.
  3. In the dialog Create Signed Certificate, fill in the data as required.
  4. Click Manage hostnames.
  5. In the dialog Set Hostnames for Certificate, check that "localhost" and all IP addresses and FQDNs (Fully Qualified Domain Names) under which your server is reachable are displayed under Assigned hostnames. If not, add the missing IP addresses and FQDNs under Add hostname manually. A name or address that is missing here will produce certificate warnings later, because a client matches the host it connects to against exactly these entries.

  6. Close the dialog Create Signed Certificate with Ok.

    The signed server certificate is created.
  7. Continue with Assigning All Servers to the Certificate.

Assigning All Servers to the Certificate

Repeat the following steps for each server in your UMS environment:

  1. Select the server certificate, open the context menu, and select Assign server.
  2. Assign the server to the certificate as appropriate.
  3. If you are using the UMS Web App: To avoid warning messages from browsers, you must make the new certificates known to the browsers. For instructions, see UMS Web App: The Browser Displays a Security Warning (Certificate Error).
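The corporate procedure above, worked through with OpenSSL as an added example (this is not IGEL's code, and in the UMS the end certificate is created by the Signed Certificate Helper, not by hand): the script builds the self-signed root CA and the intermediate CA with its unencrypted private key that the prerequisites call for, issues one server certificate whose Subject Alternative Name lists "localhost", an FQDN and an IP address as step 5 of Creating the End Certificates requires, and then verifies the chain and the hostnames the way a connecting client does. The names Example Corp, ums1.example.com and 192.0.2.10 are made up; the script assumes openssl 1.1.1 or newer on the PATH.

```shell
#!/bin/sh
# Added example, not part of the IGEL documentation or the UMS.
# Builds root CA -> intermediate CA -> server certificate with OpenSSL (1.1.1+)
# and checks the result the way a TLS client would. Hostname and IP are invented.
set -eu

# Minimal req config so "openssl req" never prompts and does not depend on a
# system-wide openssl.cnf. $1 = working directory.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
}

# Unencrypted 2048-bit RSA key (no passphrase); an unencrypted key file is
# what the UMS "Import decrypted private key" step expects.
new_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Certificate signing request. $1 key, $2 subject, $3 req config, $4 output CSR.
new_csr() {
    openssl req -new -key "$1" -subj "$2" -config "$3" -out "$4"
}

# make_chain DIR SAN-LIST
#   SAN-LIST is an OpenSSL subjectAltName value such as
#   "DNS:localhost,DNS:ums1.example.com,IP:192.0.2.10". Listing the names of
#   several servers here is what a single certificate for all servers does.
make_chain() {
    dir="$1"; sans="$2"
    write_req_config "$dir"

    # 1. Self-signed root CA: the certificate that must be in every trust
    #    store in the company before anything issued under it is trusted.
    new_key "$dir/root.key"
    new_csr "$dir/root.key" "/O=Example Corp/CN=Example Corp Root CA" "$dir/req.cnf" "$dir/root.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
        -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null

    # 2. Intermediate CA signed by the root. pathlen:0 lets it issue end
    #    certificates only, not further CAs. intermediate.pem plus
    #    intermediate.key are what you import into the UMS.
    new_key "$dir/intermediate.key"
    new_csr "$dir/intermediate.key" "/O=Example Corp/CN=Example Corp UMS Issuing CA" "$dir/req.cnf" "$dir/intermediate.csr"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/intermediate.ext"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/intermediate.ext" \
        -out "$dir/intermediate.pem" 2>/dev/null

    # 3. End (server) certificate signed by the intermediate. The UMS does this
    #    itself in the Signed Certificate Helper; the essential part is the
    #    subjectAltName, which must list every name and address clients use.
    new_key "$dir/server.key"
    new_csr "$dir/server.key" "/O=Example Corp/CN=ums1.example.com" "$dir/req.cnf" "$dir/server.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$sans" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
}

# Chain check as a client that trusts only the root would do it: the
# intermediate is untrusted input that must chain up to root.pem.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/server.pem" >/dev/null 2>&1
}

# Hostname / IP checks: succeed only if the name is covered by the SAN.
check_hostname() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
        -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}
check_ip() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
        -verify_ip "$2" "$1/server.pem" >/dev/null 2>&1
}

# Print the SAN line of the server certificate (the "Assigned hostnames").
list_sans() {
    openssl x509 -in "$1/server.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

WORK=$(mktemp -d)
make_chain "$WORK" "DNS:localhost,DNS:ums1.example.com,IP:192.0.2.10"
verify_chain "$WORK" && echo "chain verifies against root.pem"
list_sans "$WORK"
check_hostname "$WORK" other.example.com || echo "other.example.com is NOT covered (expected)"
```

To check what a running UMS Server actually presents on port 8443, fetch its certificate with openssl s_client -connect host:8443 -showcerts, save the first certificate from the output as server.pem, and run the same verify_chain and check_hostname checks against it with your own root and intermediate files. The same SAN check applies to the single multi-server certificate of the public-CA procedure; there every server's FQDN must appear in the list.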

Deploying a Certificate Chain with a Public Root CA

Prerequisites

  • You have an intermediate CA certificate issued under a public root CA, together with its private key in unencrypted (passphrase-free) form.
  • All UMS Servers follow the same naming scheme, e.g. “something.ums.mycompany.de” if the company domain is "mycompany.de", so that a single end certificate can cover all of them.

Importing the Root Certificate

  1. In the UMS Console, go to UMS Administration > Global Configuration > Certificate Management > Web.
  2. Click the import icon, select the root certificate file, and click Open.

    The root certificate is imported.

Importing the Intermediate Certificate

  1. Select the root certificate, open the context menu, and select Import signed certificate.
  2. Select the intermediate certificate file and click Open.

    The intermediate certificate is imported.
  3. Select the intermediate certificate, open the context menu, and select Import decrypted private key.
  4. Select the private key file of the intermediate certificate (an unencrypted key file, i.e., one that is not passphrase-protected) and click Open.

    The private key of the intermediate certificate is imported.

Creating End Certificates

The following steps create a single end certificate that covers all servers in your UMS environment; they are carried out once, not per server:

  1. Select the intermediate certificate, open the context menu, and select Create signed certificate.
  2. In the Signed Certificate Helper, select Create one end certificate for all (known) servers.
  3. In the dialog Create Signed Certificate, fill in the data as required.
  4. Click Manage hostnames.
  5. In the dialog Set Hostnames for Certificate, adjust the settings as follows:

    • Check that "localhost" and all IP addresses and FQDNs (Fully Qualified Domain Names) under which your servers are reachable are displayed under Assigned hostnames. If not, add the missing IP addresses and FQDNs under Add hostname manually. A server whose name or address is missing here will produce certificate warnings later.

    • Remove all IP addresses and FQDNs you do not want to be part of the certificate.

  6. Close the dialog Create Signed Certificate with Ok.

    The signed server certificate is created.
  7. Continue with Assigning all Servers to the Certificate.

Assigning all Servers to the Certificate

  1. Select the server certificate, open the context menu, and select Assign server.
  2. Assign all servers to the certificate.