To import a certificate from a file, on the Certificates tab, click Tasks > Import certificate. In the dialog that opens, specify the following:

• Name: Type a name for the certificate.

• Description: An optional description.

• Private key file: Specify a file containing the private key. Click the [...] button to browse for the file.

• Certificate file: When you specify a private key file (above) and have a matching certificate file, it will be inserted in this field automatically. Otherwise, specify a certificate file.

• Usage: Specify whether the certificate will be used for RAS Secure Gateways or HALB, or both.

Click OK when done. The certificate will appear in the list in the RAS Console with the Status column indicating Imported.

To view the certificate info, right-click it and choose Properties. In the dialog that opens, examine the properties and then click the View certificate info button to view the certificate trust information, details, certification path and the certificate status. You can also view the certificate info by right-clicking it and choosing View certificate info.

For imported certificates, the Properties dialog has an additional tab Intermediate. If the original certificate included an intermediate certificate (in addition to the root certificate), it will be displayed here. You can paste a different intermediate certificate here if you wish.

The Parallels RAS Console includes a certificate management interface that allows you to manage all of your SSL certificates in one place.

Certificates are managed on a Site level. Once a certificate is added to a Site, it can be used with any RAS Secure Gateway or HALB that also exist in this Site.

To manage certificates, in the RAS Console, navigate to Farm > Site > Certificates. The Certificates tab in the right pane displays the existing certificates. When you install Parallels RAS, the <Default> self-signed certificate is created automatically, so you will see at least this certificate in the list. The default certificate is also automatically assigned to all new RAS Secure Gateways and HALB.

The subsequent sections describe certificate management tasks in detail and provide additional certificate information and instructions.

To generate a self-signed certificate, navigate to Farm > Site > Certificates. Click Tasks > Generate self-signed certificate. In the dialog that opens, specify the following options:

• Name: Type a name for this certificate. This field is mandatory.

• Description: An optional description.

• Usage: Specify whether the certificate should be used for RAS Secure Gateways or HALB, or both. This selection is mandatory.

• Key size: The certificate key size, in bits. Here you can select from the predefine values. The default is 2048 bit, which is the minimum required length according to current industry standards.

• Country code: Select your country.

• Expire in: The certificate expiration date.

• Full state or province: Your state or province info.

• City: City name.

• Organization: The name of your organization.

• Organization unit: Organizational unit.

• E-mail: Your email address. This field is mandatory.

• Common name: The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN). This field is mandatory.

• Alternative names: Specify one or more subject alternative names (SANs). Click the [...] icon and then add one or mote DNS or IP addresses. Note that because Parallels Client for mobile devices doesn't support the SAN field, it's safest to set your common name to the name that most mobile devices will be using.

Click Save to generate the certificate. When done, the certificate will appear in the Certificates list in the RAS Console with the Status column indicating Self-signed.

To view the certificate info, right-click it and choose Properties. In the dialog that opens, examine the properties and then click the View certificate info button to view the certificate trust information, details, certification path and the certificate status. You can also view the certificate info by right-clicking it and choosing View certificate info.

Let’s Encrypt is a global Certificate Authority (CA). This organization is a non-profit and does not charge fees for their certificates. Each certificate is valid for 90 days. RAS Console allows you to issue, automatically renew and revoke Let's Encrypt certificates.

Issuing a Let's Encrypt certificate

To issue a new Let’s Encrypt certificate:

1. In the RAS Console, navigate to Farm > Certificates.

2. Click the [+] button to the left of the Tasks drop-down menu and select Issue Let's Encrypt certificate.

3. Select the I have read and accept Let's Encrypt EULA option.

4. In the Expiration emails field list specify the email addresses that will receive notifications from Let’s Encrypt.

5. Optionally, change the time when certificates are renewed automatically in the Automatically renew certificates before expiration field.

6. Click OK.

7. In the Issue Let's Encrypt certificate dialog, specify the following:

   • Name: Name of the certificate.

   • Description: Description of the certificate.

   • Usage: HALB and/or Secure Gateway.

   • Key size: Key size.

   • Country code: Code of your country.

   • Full state or province: Name of your state or province.

   • City: Your city.

   • Organization: Name of your organization.

   • Organization unit: Name of your organization unit.

   • E-mail: Email address of your organization.

   • Common name: Valid domain name of a publicly accessible HALB or Secure Gateway.

   • Alternative names: Valid domain names of a publicly accessible HALBs or Secure Gateways.

8. Click Save.

Renewing a Let’s Encrypt certificate manually

To manually renew a Let’s Encrypt certificate:

1. In the RAS Console, navigate to Farm > Certificates.

2. Right-click the Let’s Encrypt certificate that you want to renew.

3. In the context menu, select Control > Renew.

Revoking a Let’s Encrypt certificate

To revoke a Let’s Encrypt certificate:

1. In the RAS Console, navigate to Farm > Certificates.

2. Right-click the Let’s Encrypt certificate that you want to revoke.

3. In the context menu, select Control > Revoke.

4. In the Revoke Certificate dialog, select the reason why you want to revoke the certificate.

5. Click Revoke.

To generate a CSR, navigate to Farm > Site > Certificates. Click Tasks > Generate a certificate request. In the dialog that opens, specify the required information. The information is exactly the same as for the self-signed certificate described above. If you need an explanation, please refer to the list of options described in that section.

After entering the information, click Generate. Another dialog will open displaying the request. Copy and paste the request into a text editor and save the file for your records. The dialog also allows you to import a public key at this time. You can submit the request to a certificate authority now, obtain the public key, and import it without closing the dialog, or you can do it later. If you close the dialog, the certificate will appear in the RAS Console with the Status column indicating Requested.

To submit the request to a certificate authority and import a public key:

1. If the certificate request Properties dialog is closed, open it by right-clicking a certificate and choosing Properties. In the dialog, select the Request tab.

2. Copy the request and paste it into the certificate authority web page (or email it, in which case you will need to come back to this dialog later).

3. Obtain the certificate file from the certificate authority.

4. Click the Import public key button and finalize the certificate registration by specifying the key file and the certificate file.

When you create a new Let’s Encrypt certificate using Parallels RAS, the following process is carried out:

1. Parallels RAS Primary Connection Broker that hosts the licensing role makes the initial request to the Let’s Encrypt server to create an account.

2. Account creation confirmation is received. Parallels RAS creates a CSR and sends it to the Let’s Encrypt server.

3. A list of challenges is received, and Connection Broker reads the HTTP token sent by the Let’s Encrypt server.

4. Secure Gateway or HALB retrieves the tokens from the Connection Broker.

5. Once ready, Connection Broker notifies the Let’s Encrypt Server.

6. Let’s Encrypt starts the verification process by going to the Secure Gateway or HALB and confirming the availability of the token.

7. Challenges are completed including confirmation that the Secure Gateways or HALB can reply to the domain mentioned.

8. Assuming that the challenge is completed successfully, Parallels RAS requests a certificate.

9. Valid certificate is downloaded from the Let’s Encrypt server to Connection Broker.

10. Connection Broker distributes the certificate to the Secure Gateways or HALB.

To export a certificate to a file, on the Certificates tab, click Tasks > Export certificate, specify a filename and click Save. You can later import the certificate in a different Farm or Site by clicking Tasks > Import certificate and specifying the certificate file in the Private key file field.

All actions that you perform on certificates are audited and can be viewed later. Note that reverting certificate changes is not possible. If you need to revert to a previous state, you'll have to delete a certificate and create a new one.

To audit certificates:

1. In the RAS Console, navigate to Farm > Site > Certificates.

2. Click Tasks > Settings audit.

3. The dialog opens where you can view the history of certificate actions. Note that the Revert button is disabled. As noted at the beginning of this section, reverting a certificate action is not possible.

4. To view details for a particular audit entry, double-click it.

When you upgrade Parallels RAS from a version prior to RAS 17.1 to a RAS 17.1 (or newer), every certificate that is used by RAS Secure Gateways and HALB is enumerated and only unique certificates are added to the Certificates subcategory. Gateways and HALB are then linked 1-to-1 to the certificates they were using before the upgrade.

Other actions related to an upgrade include the following:

• The Inherit defaults option in gateways is turned off after the upgrade.

• If a gateway is disabled during an upgrade, the Connection Broker still has the information about the certificate that the gateway uses, so the gateway is configured properly when it comes back online.

• Site defaults settings are configured to use the default self-signed certificate.

• When a new gateway is added, it is configured to use the default self-signed certificate, provided the Site defaults are not changed afterwards.

Root and Power administrators always have rights to manage certificates. Custom administrators don't have them by default. To grant permissions to manage certificates to Power administrators, the Certificates global permission type is used.

If you are a Root or Power administrator, you can set certificate permissions as follows:

1. In the RAS Console, navigate to Administration > Accounts.

2. Select a Custom administrator account and click Tasks > Properties.

3. In the Account Properties dialog, click Change Permissions.

4. In the Account Permissions dialog, select a Site in the left pane and click Change permissions (or click the Edit link in the right pane).

5. In the left pane (Permission type), select Certificates.

6. In the right pane (Global permissions), select one or more permissions.

7. When done, close all dialogs.

A RAS administrator can also delegate his/her permissions to a custom administrator. To do so, navigate to Farm > Site > Certificates and click Tasks > Delegate permissions. In the dialog that opens, delegate permissions to a desired Custom administrator.

After you add a certificate to a Site, you can assign it to a RAS Secure Gateway, HALB, or both depending on the usage type that you specified when you created the certificate (described in the beginning of this chapter). More on the certificate Usage option below.

Certificate usage

Certificate Usage is an option that you specify when you create a certificate. It specifies whether the certificate should be available for RAS Secure Gateways, HALB, or both. When setting this option, you can choose from the following:

• Secure Gateway: If selected, makes the certificate available for RAS Secure Gateways.

• HALB: If selected, makes the certificate available for HALB.

You can select one of the options above or both, in which case the certificate becomes available for both, Gateways and HALB. For details on how to create a certificate and choose these options, please see Generating a self-signed certificate and Generating a certificate signing request (CSR).

When you configure SSL for a RAS Secure Gateway or HALB later, you need to specify an SSL certificate. For the information on how to do this, please see SSL/TLS encryption and Configuring HALB in the RAS Console. When you select a certificate, the following options will be available depending on how the Usage option is configured for a particular certificate:

• <All matching usage>: This is the default option, which is always available. It means that any certificate on which the Usage selection matches the object type (Gateway or HALB) will be used. For example, if you are configuring a Gateway and have a certificate that has Usage set to "Gateway", it will be used. If a certificate has both, Gateway and HALB usage options selected, it can also be used with the given gateway. This works the same way for HALB when you configure the LB SSL Payload. Please note that if you select this option for a Gateway or HALB, but not a single matching certificate exists, you will see a warning and will have to create a certificate first.

• Other items in the Certificates drop-down list are individual certificates, which will or will not be present depending on the certificate's Usage settings. For example, if you configure LB SSL Payload for HALB and have a certificate with the Usage option set to "HALB", the certificate will appear in the drop-down list. On the other hand, certificates with Usage set to "Gateway" will not be listed.

As another example, if you need just one certificate, which you would like to use for all of your Gateways, you need to create a certificate and set the Usage option to "Gateways". You can then configure each Gateway to use this specific certificate or you can keep the default <All matching usage> selection, in which case the certificate will be picked up by a Gateway automatically. Same exact scenario also works for HALB.

Gateways

To assign a certificate to a RAS Secure Gateway:

1. Navigate to Farm > Site > Secure Gateways.

2. Right-click a gateway and choose Properties.

3. Select the SSL/TLS tab.

4. In the Certificates drop-down list, select the certificate that you created.

5. Click OK.

Please note that you can also select the <All matching usage> option, which will use any certificate that either has the usage set to Gateway or both Gateway and HALB.

HALB

To assign a certificate to a HALB, navigate to Farm > Site > HALB. Assuming that your HALB is enabled and configured, and the LB SSL Payload option is selected, follow the instructions below:

1. Click Configure next to the LB SSL Payload option.

2. A certificate must be used when the Mode option is set to SSL Offloading. Once again, assuming it is selected, continue to the next step.

3. Click Configure.

4. In the SSL dialog, select the certificate in the Certificates drop-down list.

As with gateways, you can also select the <All matching usage> option, which will use any certificate that has the usage set to HALB or both HALB and Gateway.