search
ProductsSupportPartnersDocumentation

Assigning a certificate

After you add a certificate to a Site, you can assign it to a RAS Secure Gateway, HALB, Connection Broker API server, Connection Broker API data encryption, or a combination, depending on the usage type that you specified when you created the certificate (described at the beginning of this section). More on the certificate Usage option below.

hashtag
Certificate usage

Certificate Usage is an option that you specify when you create a certificate. When setting this option, you can choose from the following:

  • Secure Gateway: If selected, makes the certificate available for RAS Secure Gateways.

  • HALB: If selected, makes the certificate available for HALB.

  • Connection Broker API server: If selected, makes the certificate available for Connection Broker API integration.

  • Connection Broker API data encryption: If selected, makes the certificate available for API data encryption.

You can select one of the options above or a number. For details on how to create a certificate and choose these options, please see Generating a self-signed certificate and Generating a certificate signing request (CSR).

When you configure SSL/TLS for a RAS Secure Gateway, HALB, or Third-Party API later, you need to specify a certificate. For the information on how to do this, please see SSL/TLS encryption and Configuring HALB in the RAS Console. When you select a certificate, the following options will be available depending on how the Usage option is configured for a particular certificate:

  • <All matching usage>: This is the default option, which is always available. It means that any certificate on which the Usage selection matches the object type will be used. For example, if you are configuring a Gateway and have a certificate that has Usage set to "Gateway", it will be used. If a certificate has both Gateway and HALB usage options selected, it can also be used with the given gateway. This works the same way for HALB when you configure the LB SSL Payload. Please note that if you select this option for a Gateway or HALB, but no single matching certificate exists, you will see a warning and will have to create a certificate first.

  • Other items in the Certificates drop-down list are individual certificates, which will or will not be present depending on the certificate's Usage settings. For example, if you configure LB SSL Payload for HALB and have a certificate with the Usage option set to "HALB", the certificate will appear in the drop-down list. On the other hand, certificates with Usage set to "Gateway" will not be listed.

As another example, if you need just one certificate, which you would like to use for all of your Gateways, you need to create a certificate and set the Usage option to "Gateways". You can then configure each Gateway to use this specific certificate, or you can keep the default <All matching usage> selection, in which case the certificate will be picked up by a Gateway automatically.

hashtag
Gateways

To assign a certificate to a RAS Secure Gateway:

  1. Navigate to Farm > Site > Secure Gateways.

  2. Right-click a gateway and choose Properties.

  3. Select the SSL/TLS tab.

  4. In the Certificates drop-down list, select the certificate that you created.

  5. Click OK.

circle-info

Note: You can also select the <All matching usage> option, which will use any certificate that either has the usage set to Gateway.

hashtag
HALB

To assign a certificate to a HALB, navigate to Farm > Site > HALB. Assuming that your HALB is enabled and configured, and the LB SSL Payload option is selected, follow the instructions below:

  1. Click Configure next to the LB SSL Payload option.

  2. A certificate must be used when the Mode option is set to SSL Offloading. Once again, assuming it is selected, continue to the next step.

  3. Click Configure.

  4. In the SSL dialog, select the certificate in the Certificates drop-down list.

As with gateways, you can also select the <All matching usage> option, which will use any certificate that has the usage set to HALB or both HALB and Gateway.

hashtag
Connection Broker API Server

This usage is only needed if access to Parallels RAS is needed via API to a Third-Party Connection Broker (more information herearrow-up-right). To assign this certificate type, navigate to Farm > Site > Connection Brokers and follow the instructions below:

  1. Choose Tasks > Site Defaults (or choose the properties of an individual Connection Broker to assign to a specific Connection Broker)

  2. Choose the API tab

  3. Choose Enable API

  4. Then select the certificate in the Certificates dropdown

circle-info

Note: Different Connection Brokers within the same site can have a different configuration or use a shared configuration at the site level (i.e., each Connection Broker can inherit the site's default).

hashtag
Connection Broker API data Encryption

This usage is only needed if access to Parallels RAS is needed via API to a Third-Party Connection Broker (more information herearrow-up-right), and a specific certificate is needed to encrypt traffic (if no certificate is selected for Third-Party Encryption, traffic will still be encrypted using the default site certificate). To assign this certificate type, navigate to Farm > Site > Connection Brokers and follow the instructions below:

  1. Choose the API tab (this tab is only visible if the Enable API option is chosen from the “Third-Party API step above -

  2. Then select the certificate in the Encryption Certificate dropdown

It is important that Connection Brokers on the same site are set to use the same Encryption certificate.

PreviousExporting a certificateNextAuditing certificates

Last updated