To install the IGEL Cloud Gateway (ICG), you must provide a signed certificate. In order to generate a signed certificate, a root certificate must be generated first.

  1. In the UMS Console, go to UMS Administration > Global Configuration > Cloud Gateway Options.
  2. In the Certificates section, click the icon for generating a root certificate.
  3. Fill in the certificate fields:
    • Displayname: Name for the certificate; free text entry
    • Your organization: Organization or company name
    • Your city or locality: Location
    • Your two-letter country code: ISO 3166 country code, e.g. US, UK or ES
    • Valid until: Local date on which the certificate expires. (Default: 10 years from now)

      Make sure to define a long duration for the root certificate; 10 years or more are highly recommended. When the root certificate expires, all devices connected to the ICG must be registered again.

  4. Click OK.

    A key pair and a certificate are generated.

    Generating keys may take substantial time on virtual machines (VMs), as these do not have a powerful (pseudo) random number source. On Linux VMs, this can be improved by installing the haveged package.


    The CA's root certificate appears in the list.

    The CA is now ready to use.
  5. Right-click the CA's root certificate and select Create signed certificate.

  6. Fill in the certificate fields:
    • Displayname: Name of the certificate

      The display name in the server certificate must not be the same as in the root certificate.

    • Your first and last name: Name of the certificate holder
    • Your organization: Organization or company name
    • Your city or locality: Location
    • Your two-letter country code: ISO 3166 country code, e.g. US, UK or ES
    • Hostname and/or IP address of certificate target server: Host name(s) or IP address(es) for which the certificate is valid. Multiple entries are allowed, separated by semicolons.

      All IP addresses and host names by which the ICG will be reachable from within the company network or from outside must be provided here. If the ICG is to be placed in a DMZ, for instance, the host will have 2 addresses, both of which must be provided here.

    • Valid until: Local date on which the certificate expires. (Default: one year from now)
    • Certificate Type: Select "End Entity".
  7. Click OK.

    A key pair and a certificate are generated.
    The signed certificate appears on the list.

    Generating keys may take substantial time on virtual machines (VMs), as these do not have a powerful (pseudo) random number source. On Linux VMs, this can be improved by installing the haveged package.
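
A pre-flight check for the "Hostname and/or IP address of certificate target server" field in step 6, as an added example that is not part of the IGEL documentation or of UMS: it compares the semicolon-separated value you plan to enter with every address devices will use to reach the ICG. The function names, the sample addresses, and the validity rules (RFC 1123 host names, no wildcards, whitespace around entries ignored) are assumptions, not UMS's own validation.

```python
import ipaddress
import re

# RFC 1123 host name label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(entry):
    """Return ('ip', addr) or ('dns', name) for one entry; raise ValueError if neither."""
    text = entry.strip()
    try:
        # Canonical text form, so 2001:DB8::0001 and 2001:db8::1 compare equal.
        return ("ip", str(ipaddress.ip_address(text)))
    except ValueError:
        pass
    name = text.lower().rstrip(".")
    labels = name.split(".")
    # An all-numeric last label (e.g. "10.0.5") is a mistyped IP, not a host name.
    if (name and len(name) <= 253 and not labels[-1].isdigit()
            and all(_LABEL.match(label) for label in labels)):
        return ("dns", name)
    raise ValueError(f"not a host name or IP address: {entry!r}")


def check_target_field(field_value, reachable_as):
    """Compare the planned field value with every address clients will use.

    Returns (missing, invalid): addresses not covered by the field, and field
    entries that are neither a valid host name nor a valid IP address.
    """
    covered, invalid = set(), []
    for entry in field_value.split(";"):
        if not entry.strip():
            continue  # tolerate a trailing semicolon
        try:
            covered.add(normalize(entry))
        except ValueError:
            invalid.append(entry.strip())
    missing = [addr for addr in reachable_as if normalize(addr) not in covered]
    return missing, invalid


if __name__ == "__main__":
    # Constructed DMZ case: the external address was forgotten in the field.
    field = "icg.example.com; 10.0.5.20"
    needed = ["ICG.example.com", "10.0.5.20", "203.0.113.10"]
    print(check_target_field(field, needed))
```

An address reported as missing has to be added to the field before clicking OK in step 7.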

Exporting the Certificate Chain (Only Needed for Manual ICG Installation)

If you want to install the IGEL Cloud Gateway manually, you must export the certificate chain in IGEL Cloud Gateway keystore format.

  1. Right-click the signed certificate and select Export certificate chain in IGEL Cloud Gateway keystore format.

    The file keystore.icg is created. This file will be required for the gateway.
  2. Save the keystore.icg file.