Goverlan Reach Gateway and SSL/TLS certificates
The Goverlan Reach Gateway Service can be secured with an SSL \ TLS certificate for server verification when connecting to systems that are outside of your organizations. This security prevents MITM “Man in the middle attacks” that may occur during internet based sessions.
You may import your own certificates if you already have them.
If you have deployed any external agents they will need to be reinstalled manually after you enable TLS on the server.
Getting a new Certificate
You may purchase a new certificate from any certificate authority. Generally you will need to follow the same steps.
- Purchase the certificate.
- Generate a CSR and Private key from the server that is running the Reach Gateway Services.
- Downloading your certificate from your Certificate Authority
- Convert the key and certificate to PFX format. (Optional but recommended).
- Import the certificate to the Reach Server.
Purchasing a certificate
You may purchase the certificate from any major certificate authority. Please make sure that the certificate is issued to the DNS name you will be using for the gateway services. For example:
DNS name for Reach Gateway Service is REACH.CONTOSO.COM <- Your certificate must cover this domain. Wildcard certificates are supported (*.contoso.com)
Generating the CSR and Private Key from your server
We recommend using the openssl command to all the certificate work needed. You can download and install OpenSSL for Windows here.
Use the following command to generate your CSR and Private Key
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -new -newkey rsa:2048 -nodes -keyout C:\private_key.key -out C:\CSR.csr -config "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"
This command will start prompting for information such as Company Name, State, etc…
You will have two files:
- C:\private_key.key – Keep this safe and do not give it to anyone.
- C:\CSR.csr – You will provide this when asked by your Certificate Authority
Downloading your certificate from your Certificate Authority
After uploading your CSR file to your Certificate Authority, you will be asked to choose the format for the certificate. Please select APACHE as the type.
You will receive two files from your provider:
- Your certificate file issued to your server name.
- The Certificate Authorities certificate chain file.
Copy those files to the Goverlan Reach Server.
Verifying Key / Certificate Key match:
Run the following commands to make sure that the key and the certificate match. If the MD5 sum is the same in both outputs then the you have a match.
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" rsa -modulus -noout -in C:\private_key.key | "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" md5 "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -modulus -noout -in C:\ServerCert.crt | "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" md5
Convert the Key and Certificate to PFX format (Optional but recommended)
Goverlan Reach supports multiple certificate/key file combinations, however it is recommended that a PFX file is used as it contains the full chain of certificates required by the Reach Gateway and the private key in one encrypted file.
To convert the key file, certificate chain file and server certificate, use the following openssl command.
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -out C:\ServerCert.pfx -nodes -inkey C:\private_key.key -in C:\ServerCert.crt -certfile C:\CA_Bundle.crt
You will be asked to create a password and confirm it. This password will be required when configuring the Reach Gateway Service.
Importing the Certificate to the Reach Gateway Service
Once the PFX file is generated or you have the crt / key file combination, you can click “Secure with Certificate” on the Goverlan Reach Gateway Service screen.
The gateway service will restart and begin requiring TLS for all connections.
If you have deployed any external agents they will need to be reinstalled manually.