When you create a new Let’s Encrypt certificate using Parallels RAS, the following process is carried out:
The Parallels RAS Primary Connection Broker that hosts the licensing role makes the initial request to the Let’s Encrypt server to create an account.
Account creation confirmation is received. Parallels RAS creates a CSR and sends it to the Let’s Encrypt server.
A list of challenges is received, and Connection Broker reads the HTTP token sent by the Let’s Encrypt server.
Secure Gateway or HALB retrieves the tokens from the Connection Broker.
Once ready, Connection Broker notifies the Let’s Encrypt Server.
Let’s Encrypt starts the verification process by going to the Secure Gateway or HALB and confirming the availability of the token.
Challenges are completed including confirmation that the Secure Gateways or HALB can reply to the domain mentioned.
Assuming that the challenge is completed successfully, Parallels RAS requests a certificate.
A valid certificate is downloaded from the Let’s Encrypt server to Connection Broker.
Connection Broker distributes the certificate to the Secure Gateways or HALB.
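Let's Encrypt runs this exchange over the ACME protocol (RFC 8555), and the HTTP token steps above correspond to its HTTP-01 challenge. The following Python is an added example, not Parallels RAS code: it computes the URL the CA fetches and the response body it expects, which is useful when checking why verification fails. The function names, the sample account key, the sample token and the host gw.example.com are constructed for illustration.

```python
import base64
import hashlib
import json
import re

# RFC 8555 8.3: a token uses only the base64url alphabet and carries at
# least 128 bits of entropy (22+ characters). Rejecting anything else before
# building a URL or file path keeps traversal input such as "../" out.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

# Members RFC 7638 includes in the thumbprint, per key type.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required JWK members, sorted, with no whitespace."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the gateway must return: '<token>.<account key thumbprint>'."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not a valid ACME token")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """URL the CA fetches: plain HTTP, port 80, fixed well-known path."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not a valid ACME token")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def response_is_valid(body: bytes, token: str, account_jwk: dict) -> bool:
    """Mirror the CA-side check; trailing whitespace in the body is ignored."""
    expected = key_authorization(token, account_jwk)
    return body.decode("ascii", "replace").rstrip() == expected


# Constructed sample values, not a real account key or a real token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk"}
SAMPLE_TOKEN = "Zm9vYmFyLXNhbXBsZS10b2tlbi0wMTIzNDU2Nzg5"
```

When issuance fails at the verification step, the URL returned by challenge_url is the one that must be reachable from the internet over plain HTTP on port 80 at the Secure Gateway or HALB named in the certificate.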
To import a certificate from a file, choose Add > Import certificate from the ellipsis menu and specify the following:
Name: Type a name for the certificate.
Description: An optional description.
Usage: Specify whether the certificate will be used for RAS Secure Gateways or HALB, or both.
Private key file: Specify a file containing the private key. Click Browse to browse for the file.
Certificate file: When you specify a private key file (above) and have a matching certificate file, it will be inserted in this field automatically. Otherwise, specify a certificate file.
Click OK when done. The certificate will appear in the list with the Status column indicating Imported.
To generate a CSR:
Navigate to Infrastructure > Certificates.
Choose Add > Generate a certificate request from the ellipsis menu and specify the required information. The information is exactly the same as described in Generate a self-signed certificate.
After entering the information, click Generate. The certificate information view will open.
Click Certificate Request in the middle pane to view the request data. Copy and paste it into a text editor and save the file for your records. This view also allows you to import a public key at this time. You can submit the request to a certificate authority now, obtain the public key, and import it without closing the view, or you can do it later.
To submit the request to a certificate authority and import a public key:
If the certificate request view is closed, open it (click the request in the main list and click Certificate Request).
Copy the request and paste it into the certificate authority web page (or email it, in which case you will need to come back to this view later).
Obtain the certificate file from the certificate authority.
Click the Import public key button and finalize the certificate registration by specifying the key file and the certificate file.
Let’s Encrypt is a global Certificate Authority (CA). This organization is a non-profit and does not charge fees for their certificates. Each certificate is valid for 90 days. RAS Console allows you to issue, automatically renew and revoke Let's Encrypt certificates.
To issue a new Let’s Encrypt certificate:
Navigate to Infrastructure > Certificates.
Click the ellipsis menu (the [...] icon) and choose Let's Encrypt Settings.
Select the I have read and accept Let's Encrypt EULA option.
In the Expiration emails field, specify the email addresses that will receive notifications from Let’s Encrypt.
Optionally, change the time when certificates are renewed automatically in the Automatically renew certificates before expiration field.
Navigate back to Infrastructure > Certificates.
Choose Add > Issue Let's Encrypt certificate from the [...] menu and specify the following options:
Name: Name of the certificate.
Description: Description of the certificate.
Usage: HALB and/or Secure Gateway.
Key size: Key size.
Country code: Code of your country.
Full state or province: Name of your state or province.
City: Your city.
Organization: Name of your organization.
Organization unit: Name of your organization unit.
E-mail: Email address of your organization.
Common name: Valid domain name of a HALB or Secure Gateway.
Alternative names: Valid domain names of HALBs or Secure Gateways.
Click Issue certificate.
To manually renew a Let’s Encrypt certificate:
Navigate to Infrastructure > Certificates.
Select the certificate that you want to renew.
Select Control > Renew from the [...] menu.
To revoke a Let’s Encrypt certificate:
Navigate to Infrastructure > Certificates.
Select the certificate that you want to revoke.
Select Control > Revoke from the [...] menu.
The Parallels RAS Management Portal includes a certificate management interface that allows you to manage all of your SSL certificates in one place.
Certificates are managed on a Site level. Once a certificate is added to a Site, it can be used with any RAS Secure Gateway or HALB that also exists in this Site.
To manage certificates, navigate to Infrastructure > Certificates. The Certificates list displays existing certificates. When you install Parallels RAS, the <Default> self-signed certificate is created automatically, so you will see at least this certificate in the list. The default certificate is also automatically assigned to all new RAS Secure Gateways and HALB.
The subsequent sections describe certificate management tasks in detail and provide additional certificate information and instructions.
To export a certificate to a file, select it in the list and choose Export certificate from the ellipsis menu.
You can later import the certificate to a different Farm or Site by using Import certificate and specifying the certificate file in the Private key file field.
To generate a self-signed certificate, navigate to Infrastructure > Certificates. Choose Add > Generate self-signed certificate from the ellipsis menu and specify the following options:
Name: Type a name for this certificate. This field is mandatory.
Description: An optional description.
Usage: Specify whether the certificate should be used for RAS Secure Gateways or HALB, or both. This selection is mandatory.
Key size: The certificate key size, in bits. Here you can select from the predefined values. The default is 2048 bits, which is the minimum required length according to current industry standards.
Expire in: The certificate expiration date.
Country code: Select your country.
Full state or province: Your state or province info.
City: City name.
Organization: The name of your organization.
Organization unit: Organizational unit.
E-mail: Your email address. This field is mandatory.
Common name: The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN). This field is mandatory.
Subject Alternative Names: Add one or more subject alternative names (SANs). Note that because mobile Parallels Clients don't support the Subject Alternative Name field, it is recommended to choose a common name that most mobile devices will be using.
Click Generate to generate the certificate. When done, the certificate will appear in the Certificates list with the Status column indicating Self-signed.
To view and modify certificate properties:
In the Infrastructure > Certificates view, click the certificate name.
In the right pane, review the certificate properties in the Information section.
In the Actions section, you can enable or disable the certificate. You can also . If you wish to delete the certificate, click Delete.
To modify some of the certificate properties, click Properties in the middle pane.
Click Edit in the upper left-hand corner to modify the settings if needed. You can change the certificate name and description and you can also change whether the certificate should be used for Gateways, HALB, or both.
After you add a certificate, you can assign it to a RAS Secure Gateway, HALB, or both depending on the usage type that you specified when you created the certificate. More on the certificate Usage option below.
Certificate Usage is an option that specifies whether the certificate should be available for RAS Secure Gateways, HALB, or both. See Generate a self-signed certificate. When you configure SSL for a RAS Secure Gateway or HALB later, you need to specify an SSL certificate. When you select a certificate, the following options will be available depending on how the Usage option is configured for a particular certificate:
<All matching usage>: This is the default option, which is always available. It means that any certificate on which the Usage selection matches the object type (Gateway or HALB) will be used. For example, if you are configuring a Gateway and have a certificate that has Usage set to "Gateway", it will be used. If a certificate has both the Gateway and HALB usage options selected, it can also be used with the given gateway. This works the same way for HALB when you configure the LB SSL Payload. Please note that if you select this option for a Gateway or HALB, but not a single matching certificate exists, you will see a warning and will have to create a certificate first.
Other items in the Certificates drop-down list are individual certificates, which will or will not be present depending on the certificate's Usage settings. For example, if you configure LB SSL Payload for HALB and have a certificate with the Usage option set to "HALB", the certificate will appear in the drop-down list. On the other hand, certificates with Usage set to "Gateway" will not be listed.
As another example, if you need just one certificate, which you would like to use for all of your Gateways, you need to create a certificate and set the Usage option to "Gateways". You can then configure each Gateway to use this specific certificate or you can keep the default <All matching usage> selection, in which case the certificate will be picked up by a Gateway automatically. The same scenario also works for HALB.
To assign a certificate to a RAS Secure Gateway:
Navigate to Infrastructure > Gateways.
Click a Gateway in the list.
Click Properties in the middle pane.
Select the SSL/TLS category.
In the Certificates drop-down list, select the certificate that you created.
Please note that you can also select the <All matching usage> option, which will use any certificate that has the usage set to Gateway or both Gateway and HALB.
At the time of this writing, HALB cannot be managed in the RAS Management Portal. Please use the desktop-based RAS Console.