14.1 Uploading the SSL Certificate

Advanced Authentication server uses the HTTPS protocol. You must create a certificate file that is in the .pem or .crt, or .pfx format. You must apply the existing SSL certificate on the server.

You can create a .pfx combined certificate with the following command:

openssl pkcs12 -export -out <certificate.pfx> -inkey <name_of_private_key_without_encryption_passphrase> -in <publicly trusted certificate.crt> -certfile <intermediate_chain_certificate> -name <any_alias_name>

Replace the <certificate.pfx>, <name_of_private_key_without_encryption_passphrase>, <publicly trusted certificate.crt>, <intermediate_chain_certificate>, and <any_alias_name> with the valid values.

IMPORTANT:The Smartphone and Voice Call authentication providers work only with a valid SSL certificate. Self-signed certificate does not work.

To upload an SSL certificate perform the following steps:

  1. Log in to the Advanced Authentication Administration portal directly and not through a load balancer or Access Manager.

  2. Click Server Options.

  3. Click Browse in Web server SSL certificate for HTTPS and select a new SSL certificate. The file must contain both the certificate and the private key.

    NOTE:The certificate must not contain any of the encrypted private keys.

    Intermediate certificates must also be placed in the certificate file in the .pem or .crt or .pfx format if they are present.

    IMPORTANT:The certificate file must be in the following order:

    -----BEGIN PRIVATE KEY----- 
    (Your Private Key: your_domain_name.key) 
    -----END PRIVATE KEY----- 
    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: intermediate.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Root certificate: TrustedRoot.crt) 
    -----END CERTIFICATE-----
  4. Click Upload.

IMPORTANT:The certificate is not replicated among the Advanced Authentication servers. Therefore, it is recommended to upload the certificate to each Advanced Authentication server or add it on a load balancer.