Creating a Self-Signed TLS Certificate

The procedure below creates a self-signed TLS certificate for your ZixGateway.

1. Log in to your ZixGateway appliance as zixadmin.
2. Use sudo to become the root user:

sudo -i

3. Enter the following change directory command:

cd /tmp

4. Run these two commands to generate your private key and certificate as two PEM files, privKey.pem and cacert.pem. The certificate has a five-year expiration.

/usr/bin/openssl genrsa -out privKey.pem 2048

/usr/bin/openssl req -new -x509 -key privKey.pem -out cacert.pem -config /etc/pki/tls/openssl.cnf -days 1825 -sha256

5. The second command will generate a series of questions. Follow the instructions generated by the command. Ensure that the Common Name (CN) that you specify is the Fully Qualified Domain Name (FQDN) of your ZixGateway appliance as seen from the internet.
6. Change the permissions on the PEM files with the following command:

chmod 777 *.pem

7. Use WinSCP to download the two PEM files which were just created. Store them in a location where ZixGateway Manager can access them, such as your desktop. On the ZixGateway, they will be located in the same directory the commands were run in (/tmp).
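
A check you can run in /tmp before the files leave the appliance. This is an added example, not part of the ZixGateway documentation, and gw.example.com is a placeholder FQDN. It uses openssl to confirm that the key and certificate belong together, that the CN is the FQDN you intended, that the signature uses SHA-256, and that the certificate has not expired.

```shell
#!/bin/sh
# Added example (not from the ZixGateway documentation).
# Usage: sh check_tls_pair.sh privKey.pem cacert.pem gw.example.com
# gw.example.com is a constructed placeholder for your appliance's FQDN.

check_tls_pair() {
    key=$1 cert=$2 fqdn=$3 rc=0

    # The certificate must contain the public half of this private key.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    if [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]; then
        echo "OK   key and certificate match"
    else
        echo "FAIL key and certificate do not match"; rc=1
    fi

    # Step 5: the CN must be the appliance's public FQDN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    if [ "$cn" = "$fqdn" ]; then
        echo "OK   CN is $cn"
    else
        echo "FAIL CN is '$cn', expected '$fqdn'"; rc=1
    fi

    # The -sha256 option should have produced a SHA-256 signature.
    if openssl x509 -in "$cert" -noout -text 2>/dev/null |
       grep -q 'Signature Algorithm: sha256WithRSAEncryption'; then
        echo "OK   signed with SHA-256"
    else
        echo "FAIL certificate is not signed with sha256WithRSAEncryption"; rc=1
    fi

    # Not expired; print the end date so the renewal can be scheduled.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK   $(openssl x509 -in "$cert" -noout -enddate)"
    else
        echo "FAIL certificate is expired or unreadable"; rc=1
    fi
    return $rc
}

# Run the checks only when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    check_tls_pair "$1" "$2" "$3"
fi
```

Once the download in step 7 is done, delete privKey.pem and cacert.pem from /tmp, because step 6 leaves the private key readable and writable by every local account.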

Installing the certificates into ZixGateway Manager

1. Access the ZixGateway Manager and select Configure Server > TLS.
2. Your private key (privKey.pem) is entered into the Private Key field of the TLS section.
3. Your certificate (cacert.pem) is entered into both the Server Certificate field and the Server Certificate Signing CA field of the TLS section.
4. Deploy and Cycle the cluster from the Manage Cluster tab.

All keys and certificates should be kept in a secure location where they can be backed up. If you need additional assistance, contact ZixCorp Customer Support at support@zixcorp.com.