MiCollab in LAN Mode with MBGs in DMZ

This topic describes the installation of the SSL web server certificate on a MiCollab server clustered with MiVoice Border Gateways in the DMZ.

Certificate Installation Overview

  1. Generate the certificate signing request (CSR) on an MBG node in the DMZ.  Ensure that you include “Subject Alternate Names” for each additional server (MiCollab and MBGs) in the DMZ that will use the certificate.

  2. Submit the CSR to the Certificate Authority, complete the online registration forms and purchase your web server certificate and intermediate certificates.

  3. Install the SSL web server certificate and intermediate certificates on the MBG server from which you generated the CSR.

  4. Download the certificates and private key from the MBG server.

  5. Upload the certificates and private key onto the MiCollab server and the other MBG servers in the DMZ.

  6. Restart the MiCollab and MBG servers.



Generate a Certificate Signing Request (CSR) on MBG Cluster Manager Server

You need a certificate signing request (CSR) in order to purchase an SSL certificate from a third-party Certificate Authority (CA).  To generate a CSR:

  1. Log into an MBG server in the DMZ.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Generate a new Certificate Signing Request (CSR), and then click Perform.

  5. Enter the information required to generate a certificate signing request (CSR). If you have previously generated a CSR, the previously entered values are displayed.
    Note:

    When completing the fields, use first capital letters only (for example Ontario, not ONTARIO).

    Field Name Description

    Country Name (two letter code)

    Enter the two-letter ISO (International Organization for Standardization) country code for the country in which your organization is legally registered. Examples are CA for Canada and US for the United States.

    State or Province Name

    Enter the full name of the state or province where your organization is located. Do not abbreviate. The first letter of the name entered must be a capital with the remaining letters lower case. For example, you would enter "Ontario" for Mitel Corporation.

    Locality Name

    The Locality Name is the city, town, or route used in the mailing address of the organization that is submitting the CSR. Enter the full name of the city in which your organization is located. Do not abbreviate.

    Organization Name

    The Organization Name is the name used in the mail address of the organization / business submitting the CSR. Enter the name under which your organization / business is legally registered. The listed organization must be the legal registrant of the domain name in the trusted certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in the Organization field, and the DBA (doing business as) name in the Organizational Unit field.

    Organizational Unit Name

    Enter the organization unit or department name. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.

    Common Name

    The default value presented in this field is the FQDN of the server including the domain name (for example, mbg.example.com).

    The common name is the fully-qualified domain name (FQDN) to which you plan to apply your certificate. A web browser checks this field. It is required.

    In addition to entering an FQDN, you can also enter a domain name with a wildcard character (e.g. *.example.com) in order to generate a wildcard certificate request.

  6. Check to ensure that you have entered all the required information correctly before you generate the CSR. If you need to make changes, regenerate the file. Do NOT modify the text of the generated file in a text editor such as Notepad.

  7. Click Generate Certificate Signing Request. The system generates a CSR file.

  8. Copy the text of the CSR file.

Submit the CSR to the Certificate Authority and Purchase the SSL Certificate

  1. Access the web site of a Certificate Authority and purchase a certificate for multiple domains or a wildcard domain. You will be prompted to do the following:

    Note:

    Each Certificate Authority has unique requirements. Accordingly, you may not be prompted for all of the steps listed below, and some of the field names may vary. 

    1. Select the number of domains you wish to protect:
      1. Single domain: Select this option if your implementation has one MSL server on a single domain (for example, www.domain.com and domain.com).

      2. Multi-domain: Select this option if your implementation has multiple MSL servers on a specific number of domains (for example, www.domain.com and domain.com, plus three sub-domains).

      3. Multi-domain and wildcard: Select this option if your implementation has multiple MSL servers with a large number of sub-domains (for example, www.domain.com and domain.com, plus an unlimited number of sub-domains).

    2. Enter your account and contact details in the CA web form:

      • Login Name and Password.

      • Name, Email Address, and Telephone Number.

      • Organization Name and Address.

      • Domain Name.
        Note: Some CAs may prompt you to enter the Subject Alternate Names (SANs) or wildcard domain in this step. For more information on these entries, see below.
      • Web Server Software.
        Note: Select Apache. Other options are not supported on the MSL platform.
      • Hashing Algorithm.

    3. Paste the text of the CSR file into the CA web form.

    4. If you have purchased a certificate for multiple domains or a wildcard domain, enter the following in the CA web form:

      • Subject Alternate Name (SAN): Enter the domain name for each service (or "virtual host") in the LAN that you want to include in this certificate. For example, if your deployment includes a number of MSL application servers on the LAN, you would enter the FQDN of each server such as micollab.mitel.com, mivb.mitel.com, and micollabclient.mitel.com. If these addresses are not configured correctly, remote client access to the LAN-based services will be denied.
        Note: You can also enter an IP address as a SAN if your users are accessing an MSL application server from the internal network rather than through the MBG / Web Proxy. Typically, you would do this for testing purposes or to enable direct access from the LAN.

      • Wildcard: To consolidate your domain and unlimited sub-domains into a single SSL certificate, enter a wildcard domain name. For example, if your deployment includes numerous MSL application servers on the LAN (e.g. MiCollab, MiVoice Business, MiCollab Client, MiCollab Unified Messaging, generic MSL, and Oria), you can include them all by entering an FQDN such as *.mitel.com.

  2. Complete the purchase transaction. The Certificate Authority will do the following:

    • Send you the certificate files. These include your SSL server certificate and, if required, intermediate certificates. An intermediate certificate is a subordinate certificate issued to establish a certificate chain that begins at the CA's trusted root certificate, carries through the intermediate and ends with your own SSL server certificate. Some CAs provide a single intermediate certificate while others provide multiple intermediate certificates. There should be no need to open and inspect the files, provided that they are in the correct format and that the intermediate certificates have been bundled into a single file by the CA. Consult the documentation provided by your Certificate Authority for instructions to obtain, unzip and identify exactly which files you need to use.

      Note:
      • If your CA requires you to open a number of intermediate certificates and assemble them into a single bundled file, perform this task with a text editor that employs Unix line formatting. Do not use an editor that employs Windows line formatting such as Notepad.

      • The intermediate certificate is required for MiCollab Mobile Client deployments; without it, client connections will fail and users will be unable to download their deployment configurations.  

    • Contact the administrator for the domain used in a CSR. The administrator is identified using information supplied when your organization originally registered its internet FQDN.

  3. Upload the certificate files to a location that is accessible to the MSL server.
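If you had to assemble several intermediate certificates into one bundle, the file can be checked for the two problems the notes above call out (Windows line endings and a malformed bundle) before it is uploaded. The following script is an added example and is not part of the Mitel documentation; it performs format checks only, does not validate the chain cryptographically, and the PEM bodies in its sample data are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the Mitel documentation: sanity-check an
# intermediate certificate bundle before uploading it to the MSL server.
# Format checks only: line endings, PEM marker balance, no stray private key.
set -eu

# check_bundle FILE
# Prints "ok (<n> certificate(s))" or a one-line description of the problem.
check_bundle() {
  f=$1
  [ -s "$f" ] || { echo "empty or missing file"; return 0; }
  # Windows (CRLF) line endings, as produced by Notepad.
  if grep -q "$(printf '\r')" "$f"; then
    echo "windows line endings (CRLF) found"; return 0
  fi
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
  [ "$begins" -gt 0 ] || { echo "no PEM certificate blocks"; return 0; }
  [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END CERTIFICATE markers"; return 0; }
  # A private key never belongs in the intermediate bundle.
  if grep -q 'PRIVATE KEY-----' "$f"; then
    echo "private key found inside bundle"; return 0
  fi
  echo "ok ($begins certificate(s))"
}

# to_unix IN OUT: rewrite a bundle with Unix (LF) line endings.
to_unix() {
  tr -d '\r' < "$1" > "$2"
}

# Constructed sample data: the base64 bodies are placeholders, not real certificates.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderIntermediateOne' '-----END CERTIFICATE-----' \
               '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderIntermediateTwo' '-----END CERTIFICATE-----' \
  > "$SAMPLE_DIR/bundle-unix.pem"
# The same bundle as a Windows editor would save it (CRLF line endings).
awk '{ printf "%s\r\n", $0 }' "$SAMPLE_DIR/bundle-unix.pem" > "$SAMPLE_DIR/bundle-crlf.pem"
# A bundle cut off part-way through the second certificate.
head -n 4 "$SAMPLE_DIR/bundle-unix.pem" > "$SAMPLE_DIR/bundle-truncated.pem"

for b in bundle-unix bundle-crlf bundle-truncated; do
  echo "$b: $(check_bundle "$SAMPLE_DIR/$b.pem")"
done
```

Run `check_bundle` against the file you intend to upload in the Intermediate SSL Certificate field; if it reports CRLF line endings, `to_unix` rewrites the file with Unix line endings without touching the certificate data.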

Install the SSL Certificate Files on the MBG Server

Use the following procedure to install the certificate files that you received from the Certificate Authority onto the MSL server that generated the CSR.

To install the SSL certificate files on the MSL server:

  1. Log into the server manager of the system that was used to generate the CSR.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Upload and install a web server certificate, and then click Perform.

  5. Select the SSL certificate:

    • Beside the SSL Certificate field, click Browse.

    • Navigate to the SSL certificate, select it and click Open.

  6. If you also received an Intermediate SSL certificate, select it as well:

    • Beside the Intermediate SSL Certificate field, click Browse.

    • Navigate to the Intermediate SSL certificate, select it and click Open.  

    Note:
    • In some cases, the CA will provide multiple intermediate certificates. Consult the CA's documentation to determine which of these certificates you should use and, if necessary, how to assemble them into a single bundled file.

    • The intermediate certificate is required for MiCollab Mobile Client deployments; without it, client connections will fail and users will be unable to download their deployment configurations.  

  7. Click Install WebServer Certificate.

  8. Restart the server to ensure all components and services that require the certificate are informed of the certificate's presence.

Download the Certificate and Private Key from the MBG Server

  1. Log into the MBG server.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Download the current web server certificate, and then click Perform.

  5. Click Save, navigate to the location you wish to store the file, and then click Save. The downloaded file is in ZIP format. It includes the web server certificate, intermediate certificates (if installed), and private key file.

  6. Unzip the files and upload them to a location that is accessible to the other MSL servers in your network.

    Note:

    Exercise caution when transferring your certificate files and private key to the other system. If your private key is stolen, it can be used to establish fraudulent connections to your applications. For optimum security, delete the files from any media they are stored on as soon as you have completed the upload process.
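Before the unzipped files are copied to the MiCollab and the other MBG servers, it is worth confirming that the private key actually belongs to the certificate and that the certificate's Subject Alternate Names (or wildcard) cover every server FQDN in the DMZ that will present it; a gap here is what causes the denied remote client access described in the SAN step above. The following script is an added example and is not part of the Mitel documentation. It assumes the `openssl` command-line tool is available (1.1.1 or later for the `-addext` option used to build its sample material), and the example.com names and the certificate and key it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Mitel documentation: verify the downloaded
# certificate and private key before copying them to the other servers.
# Requires the openssl CLI (1.1.1+ for -addext in the sample material below).
set -eu

# key_matches_cert CERT KEY: prints "match" when the key's public half equals
# the public key inside the certificate, otherwise "mismatch".
key_matches_cert() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1")
  key_pub=$(openssl pkey -pubout -in "$2")
  if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# cert_sans CERT: prints the DNS and IP Subject Alternative Names, one per line.
cert_sans() {
  openssl x509 -noout -text -in "$1" \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://'
}

# missing_sans CERT HOST...: prints each host covered neither by an exact SAN
# nor by a wildcard SAN for its parent domain (*.parent); prints nothing when
# every host is covered.
missing_sans() {
  cert=$1; shift
  sans=$(cert_sans "$cert")
  for host in "$@"; do
    printf '%s\n' "$sans" | grep -qxF -e "$host" -e "*.${host#*.}" || echo "$host"
  done
}

# Constructed sample material: example.com names are placeholders.
SAMPLE_DIR=$(mktemp -d)
SANS='DNS:mbg.example.com,DNS:micollab.example.com,DNS:mbg2.example.com'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$SAMPLE_DIR/key.pem" -out "$SAMPLE_DIR/cert.pem" \
  -subj '/C=CA/ST=Ontario/O=Example Org/CN=mbg.example.com' \
  -addext "subjectAltName=$SANS" 2>/dev/null
# A wildcard certificate for the same key, and an unrelated key for the mismatch case.
openssl req -x509 -key "$SAMPLE_DIR/key.pem" -days 1 -out "$SAMPLE_DIR/wild.pem" \
  -subj '/CN=*.example.com' -addext 'subjectAltName=DNS:*.example.com' 2>/dev/null
openssl genpkey -algorithm RSA -out "$SAMPLE_DIR/other-key.pem" 2>/dev/null

echo "key/cert: $(key_matches_cert "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/key.pem")"
echo "key/cert (wrong key): $(key_matches_cert "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/other-key.pem")"
echo "not covered: $(missing_sans "$SAMPLE_DIR/cert.pem" mbg.example.com micollab.example.com mivb.example.com)"
```

In practice, point `key_matches_cert` at the certificate and key unzipped from the MBG download and pass `missing_sans` the FQDN of every MiCollab and MBG server that will install them; any host it prints needs a new CSR with that name added as a SAN before the certificate is rolled out. Delete the temporary directory together with the downloaded files once the upload is complete.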

Upload the certificates and private key onto the MiCollab and other MBG servers in the DMZ

  1. Log into each of the server managers.

  2. Under Security, click Web Server.

  3. Click the Web Server Certificate tab.

  4. Select Upload and install a web server certificate, and then click Perform.

  5. Select the SSL certificate:

    • Beside the SSL Certificate field, click Browse.

    • Navigate to the SSL certificate, select it and click Open.

  6. If you also received an Intermediate SSL certificate, select it as well:

    • Beside the Intermediate SSL Certificate field, click Browse.

    • Navigate to the Intermediate SSL certificate, select it and click Open.

  7. Import the private key pair created on the other MSL server:

    • Beside the SSL Private Key field, click Browse.

    • Navigate to the SSL Private Key file, select it and click Open.

  8. Click Install WebServer Certificate.

  9. Restart the server to ensure all components and services that require the certificate are informed of the certificate's presence.

  10. To prevent fraudulent use of your certificates, delete the certificate and private key files from any media they are stored on.