You can upload custom SSL certificates on the Certificates tab.

The platform allows you to upload custom SSL certificates for each tenant.

  • If the tenant does not already have a certificate, you can generate it following the instructions under Generate Tenant Certificates below.

  • If it already has a certificate, proceed directly to Apply Tenant Certificates below.

Generate Tenant Certificates

You can generate the tenant's CSR file (certificate signing request) either on the Service Provider appliance or the tenant nodes.

  • If generating on the Service Provider appliance, create the files in a tenant-specific directory so that files from different tenants are not confused.

  • Always name the file using the domain for which the cert is being generated.

To generate a tenant certificate:

  1. Collect the following information from the tenant:

    • Country Code

    • State and Locality

    • Full Legal Company Name

    • Organizational Unit

  2. At the command line run:

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

    where server is the domain you want to create a cert for, such as desktops.tenant.com.

    This uses OpenSSL to generate two files: the private key file, which is used for decryption with your SSL certificate, and a certificate signing request (CSR) file, which is used to apply for your SSL certificate.

  3. When you are prompted for the Common Name (domain name), enter the fully qualified domain name for the site you are securing. If you are generating an Apache CSR for a Wildcard SSL Certificate, your common name should start with an asterisk (such as *.example.com).

  4. When the .key and .csr files have been created, zip them up and send them to the customer so they can request a cert from a certificate authority.

Apply Tenant Certificates

To enable a custom certificate, you upload three certificate files in Apache format: SSL Certificate, SSL Key, and CA Certificate. The tenant might provide you with all three files. Or, to ensure the files are generated properly, you can generate the public and private keys yourself, forward these keys to the tenant, and then the tenant can request the signed certificate from the signing authority.

Note:

To upload the three certificate files, you navigate to the Certificates tab under tenants (this is a different Certificates tab than the one used for service providers).

To apply a tenant certificate:

  1. In the Service Center, select tenants ► browse tenants.

  2. On the Tenants screen, click Edit for the tenant.

  3. Click the Certificates tab.

  4. On the Certificates tab, browse for and select the following three files:

    • CA Certificate - The public certificate from a certificate authority that was used to sign the tenant certificate. This file will have a .pem or .crt extension.

    • SSL Certificate - The tenant’s public certificate, which was signed by the CA. This file has a .crt extension, which indicates that it is a certificate file.

    • SSL Key - The private key used to decrypt the tenant’s SSL certificate. This is needed in order to be able to respond to certificate requests. This file has a .key file extension.

  5. Click Submit to upload the files.

You can upload the files before or after installing appliances:

  • Before - The certificate is automatically installed on all the tenant appliances when you click the Submit button.

  • After - Select the Click here link on the Certificates tab to install the certificate on the tenant appliances.

Note:

If the IP address or URL for the tenant's desktop portal does not resolve to the CN in the tenant's certificate, the tenant administrator may wish to include a Subject Alternative Name in the certificate so that the desktop portal URL accessed by web clients can be matched to the uploaded tenant certificate. For more details on how to add a Subject Alternative Name to the certificate, contact the certificate authority.
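
The three files can be checked from the command line before they are uploaded. The script below is an added example, not part of the platform or its documentation: it confirms that the SSL Key matches the SSL Certificate, that the certificate verifies against the CA Certificate, and that the certificate's CN or Subject Alternative Name covers the desktop portal host name. The function names, the script name preflight.sh, and the host portal.tenant.com are assumptions; run with no arguments, it checks a constructed throwaway CA and certificate.

```shell
#!/bin/sh
# Pre-upload checks. Usage: sh preflight.sh <ca> <cert> <key> <portal-host>

key_matches_cert() {   # <key> <cert>: key is the private half of the cert's key
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_chains_to_ca() {  # <ca> <cert>: trust only the CA file being uploaded
    openssl verify -no-CApath -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

cert_covers_host() {   # <cert> <host>: SAN entries, or CN when no SAN exists
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

preflight() {          # <ca> <cert> <key> <portal-host>
    rc=0
    key_matches_cert "$3" "$2" || { echo "FAIL: SSL Key does not match SSL Certificate"; rc=1; }
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: SSL Certificate does not verify against CA Certificate"; rc=1; }
    cert_covers_host "$2" "$4" || { echo "FAIL: certificate has no CN/SAN match for $4"; rc=1; }
    return "$rc"
}

# Constructed sample input: a throwaway CA and a tenant certificate with
# CN desktops.tenant.com and a SAN that also lists portal.tenant.com.
make_demo() {          # <dir>
    dir=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ca' \
        '[dn]' 'CN=Constructed Demo CA' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$dir/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj /CN=desktops.tenant.com -keyout "$dir/t.key" -out "$dir/t.csr" 2>/dev/null
    echo 'subjectAltName=DNS:desktops.tenant.com,DNS:portal.tenant.com' > "$dir/san.ext"
    openssl x509 -req -in "$dir/t.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/t.crt" 2>/dev/null
}

if [ "$#" -eq 4 ]; then
    preflight "$@"
else
    demo=$(mktemp -d) && make_demo "$demo" &&
        preflight "$demo/ca.crt" "$demo/t.crt" "$demo/t.key" portal.tenant.com &&
        echo "constructed demo files pass all three checks"
    rm -rf "$demo"
fi
```

If the CA Certificate file holds an intermediate rather than a self-signed root, the chain check fails unless the file contains the full chain up to the root.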