Using a CA-Signed Certificate
If you do not sign the CCC SSL certificate using a trusted certificate authority (CA), the browser will warn the users that the connection is not trusted when they connect to the CCC server. To avoid this issue, you must have the certificate signed by a trusted CA. Alternatively, you can sign the certificate using a local CA, and import the local CA's certificate into the CCC server's keystore and into each user's browser. To use a CA-signed certificate:
-
Log in to the CCC server workstation as root.
-
Enter the following command to set the umask to 0022:
umask 0022
-
Go to the directory that contains the SSL certificates: cd /usr/safenet/ccc/cert
-
Create a copy of the certificate signing request (.csr) file with a file name that specifies the IP address or hostname that will be used to connect to the CCC server or server cluster.
cp server.csr ccc_hostname_or_IP.csr
-
Transfer the ccc_hostname_or_IP file to a Certificate Authority (CA) to sign it. You can transfer the file using scp, USB drive, email, etc.
-
Copy the signed certificate file to the /usr/safenet/ccc/cert directory.
-
Import the signed certificate to the trusted keystore.
cd /usr/safenet/ccc/cert export CERT_PATH=/usr/safenet/ccc/server/standalone/configuration export ALIAS=s1as
-
If you are using an untrusted local CA, import the CA certificate for the untrusted local CA to the CCC server. Otherwise, proceed to the next step: keytool -import -keystore $CERT_PATH/keystore.jks -alias CA_alias -file filename
The CA_alias string is an arbitrary string of your choosing. Do not use s1as from the preceding step as the CA_alias string.
-
Enter the keystore password when prompted.
-
Import the new signed certificate to the keystore: keytool -importcert-keystore $CERT_PATH/keystore.jks-alias $ALIAS -file cert_filename
-
Enter the keystore password when prompted.
-
Restart the CCC service:
systemctl restart ccc
-
If you are using an untrusted local CA, import the CA certificate for the untrusted local CA for each browser that will be used to access the CCC server. Otherwise, proceed to the next step.
-
Log in to the CCC server. You should be able to log in without the browser warning that the connection is not trusted.