This section explains how to use SSL certificates in Parallels Application Server deployments. You should read this section if you are setting up a RAS environment to test one or more of the deployment scenarios described earlier in this guide.
Note: For complete information, please also read the SSL Certificate Management chapter in the Parallels RAS Administrator's Guide.
By default, a self-signed certificate is installed on a RAS Secure Gateway. Each RAS Secure Gateway has its own certificate, which should be added to Trusted Root Authorities on the client side to avoid security warnings.
To simplify the Parallels Client configuration, using a certificate issued either by a third-party Trusted Certificate Authority or Enterprise Certificate Authority (CA) is recommended.
If an Enterprise CA certificate is used, Windows clients receive a Root or Intermediate Enterprise CA certificate from Active Directory. Client devices on other platforms require manual configuration.
If a third-party certificate issued by a well-known Trusted Certificate Authority (e.g. Verisign) is used, the client device trusts using Trusted Certificate Authority updates for the platform.
Use IIS to receive a certificate from the Enterprise CA and export the certificate in the PFX format. To install the PFX certificate in Parallels RAS, import it as described in the Import the certificate subsection above.
Note: The trusted.pem file on the Parallels Client side must include the intermediate certificate to be able to verify the cert from the third-party vendor. If the intermediate certificate for the vendor is not in the trusted.pem file, you will have to paste it in manually or create a trusted.pem template file with the proper Intermediate Certificates and then replace the old trusted.pem file with the newly updated one. This file resides in the Program Files\Parallels or Program Files(x86)\ Parallels on the client side.
To obtain a certificate from a third-party CA, you need to generate a certificate signing request (CSR) as described below.
In the RAS Console, navigate to Farm / Site / Certificates. Click Tasks > Generate a certificate request. In the dialog that opens, specify the following options:
Name: Type a name for this certificate. This field is mandatory.
Description: An optional description.
Usage: Specify whether the certificate should be used for RAS Secure Gateways or HALB, or both. This selection is mandatory.
Key size: The certificate key size, in bits. Here you can select from the predefine values. The default is 2048 bit, which is the minimum required length according to current industry standards.
Country code: Select your country.
Expire in: The certificate expiration date.
Full state or province: Your state or province info.
City: City name.
Organization: The name of your organization.
Organization unit: Organizational unit.
E-mail: Your email address. This field is mandatory.
Common name: The Common Name (CN), also known as the Fully Qualified Domain Name (FQDN). This field is mandatory.
After entering the information, click Generate. Another dialog will open displaying the request. Copy and paste the request into a text editor and save the file for your records. The dialog also allows you to import a public key at this time. You can submit the request to a certificate authority now, obtain the public key, and import it without closing the dialog, or you can do it later. If you close the dialog, the certificate will appear in the RAS Console with the Status column indicating Requested.
To submit the request to a certificate authority and import a public key:
If the certificate request Properties dialog is closed, open it by right-clicking a certificate and choosing Properties. In the dialog, select the Request tab.
Copy the request and paste it into the certificate authority web page (or email it, in which case you will need to come back to this dialog later).
Obtain the certificate file from the certificate authority.
Click the Import public key button and finalize the certificate registration by specifying the key file and the certificate file.
You know need to import the certificate into Parallels RAS. To do so, on the Certificates tab, click Tasks > Import certificate. In the dialog that opens, specify the following:
Name: Type a name for the certificate.
Description: An optional description.
Private key file: Specify a file containing the private key. Click the [...] button to browse for the file.
Certificate file: When you specify a private key file (above) and have a matching certificate file, it will be inserted in this field automatically. Otherwise, specify a certificate file.
Usage: Specify whether the certificate will be used for RAS Secure Gateways or HALB, or both.
Click OK when done. The certificate will appear in the list in the RAS Console with the Status column indicating Imported.
To view the certificate info, right-click it and choose Properties. In the dialog that opens, examine the properties and then click the View certificate info button to view the certificate trust information, details, certification path and the certificate status. You can also view the certificate info by right-clicking it and choosing View certificate info.
For imported certificates, the Properties dialog has an additional tab Intermediate. If the original certificate included an intermediate certificate (in addition to the root certificate), it will be displayed here. You can paste a different intermediate certificate here if you wish.
After you add a certificate to a Site, you can assign it to a RAS Secure Gateway, HALB, or both depending on the usage type that you specified when you created the certificate (described in the beginning of this chapter). More on the certificate Usage option below.
Certificate Usage is an option that you specify when you create a certificate. It specifies whether the certificate should be available for RAS Secure Gateways, HALB, or both. When setting this option, you can choose from the following:
Gateway: If selected, makes the certificate available for RAS Secure Gateways.
HALB: If selected, makes the certificate available for HALB.
You can select one of the options above or both, in which case the certificate becomes available for both, Secure Gateways and HALB.
When you configure SSL for a RAS Secure Gateway or HALB later, you need to specify an SSL certificate. When you select a certificate, the following options will be available depending on how the Usage option is configured for a particular certificate:
<All matching usage>: This is the default option, which is always available. It means that any certificate on which the Usage selection matches the object type (Secure Gateway or HALB) will be used. For example, if you are configuring a Secure Gateway and have a certificate that has Usage set to "Gateway", it will be used. If a certificate has both, Gateway and HALB usage options selected, it can also be used with the given Secure Gateway. This works the same way for HALB when you configure the LB SSL Payload. Please note that if you select this option for a Secure Gateway or HALB, but not a single matching certificate exists, you will see a warning and will have to create a certificate first.
Other items in the Certificates drop-down list are individual certificates, which will or will not be present depending on the certificate's Usage settings. For example, if you configure LB SSL Payload for HALB and have a certificate with the Usage option set to "HALB", the certificate will appear in the drop-down list. On the other hand, certificates with Usage set to "Gateway" will not be listed.
As another example, if you need just one certificate, which you would like to use for all of your Secure Gateways, you need to create a certificate and set the Usage option to "Gateways". You can then configure each Secure Gateway to use this specific certificate or you can keep the default <All matching usage> selection, in which case the certificate will be picked up by a Secure Gateway automatically. Same exact scenario also works for HALB.
To assign a certificate to a RAS Secure Gateway:
Navigate to Farm > Site > Gateways.
Right-click a Secure Gateway and choose Properties.
Select the SSL/TLS tab.
In the Certificates drop-down list, select the certificate that you created.
Click OK.
Please note that you can also select the <All matching usage> option, which will use any certificate that either has the usage set to Secure Gateway or both Secure Gateway and HALB.
In case the certificate is self-signed, or the certificate is issued by an Enterprise CA, Parallels Clients should be configured as follows:
Export the certificate in Base-64 encoded X.509 (.CER) format.
Open the exported certificate with a text editor and copy the contents to the clipboard.
To add the certificate with the list of trusted authorities on the client side and enable Parallels Client to connect over SSL with a certificate issued from an organization’s Certificate Authority.
On the client side in the directory "C:\Program Files\Parallels\Remote Application Server Client\" there should be a file called trusted.pem. This file contains certificates of common trusted authorities.
Paste the content of the exported certificate (attached to the list of the other certificates).