Certificates

To reach this page, open the Tools menu and click Certificates. Via this page the certificates on the Apresa are managed. Certificates are used for authentication and for setting up encrypted connections with other network entities.

This page shows a list of all certificates managed via the web interface. For each certificate it indicates whether a private key is available and whether the certificate is trusted.

Select a certificate and click Edit to view or download it, change its name, or change whether it is trusted.

For a certificate to be used for setting up a secured connection in which the Apresa functions as the server, the private key belonging to the certificate is required. An example is the HTTPS protocol that secures communication with the web interface.

If the Apresa functions as the client and connects to another server via an encrypted connection, the other server presents its own certificate. If this certificate is not issued by a recognized certificate authority, the Apresa may reject it and the connection is not made. In that case the certificate can be imported and set to trusted, so that the Apresa recognizes it and completes the encrypted connection. An example where this may be necessary is LDAP synchronization over the secured LDAPS protocol. Before setting an imported certificate to trusted, verify over a separate channel (for example by comparing its SHA-256 fingerprint with the fingerprint reported by the administrator of that server) that it really is the certificate of the intended server; otherwise an attacker who can intercept the connection could have the Apresa trust a certificate of his own.

There are four ways of creating certificates in the Apresa:

creating a new self-signed certificate

uploading an existing certificate

creating a certificate signing request (CSR). Together with such a request, a private key is generated on the Apresa. The request can be downloaded and sent to a certificate authority, which creates a signed certificate from it. The resulting certificate is then uploaded to the Apresa. With this method the private key never leaves the Apresa server.

using Let's Encrypt

Let's Encrypt

Let's Encrypt is a service that issues free certificates which are automatically trusted by any reasonably modern browser. To obtain a Let's Encrypt certificate, Let's Encrypt must be able to verify that you control the domain for which the certificate is requested. This means that the Apresa must be reachable from the Internet under that domain name.

Register:

Before a certificate can be requested, an account must be created at Let's Encrypt and their subscriber agreement must be accepted. The E-mail address provided here is used by Let's Encrypt to notify you when a certificate is about to expire.

Get certificate:

Use this option to obtain a Let's Encrypt certificate after registering.

Name: The name by which the certificate is identified in the Apresa database. It has no meaning for the certificate itself.

Key type: Which type of key pair is generated for the certificate. Key pair generation based on the RSA algorithm is the default. On Debian 10 based systems, key pairs based on elliptic curves can also be generated.

RSA bits: The length of the RSA key. The default length of 2048 bits is sufficient. A longer key can be chosen, at the cost of slower key generation and slower connection setup.

Curve type: Which elliptic curve is used when an elliptic curve key pair is generated.

Domain names:

Here the domain names are added for which Let's Encrypt is asked to issue a certificate. Let's Encrypt checks that you control every domain name listed here, so the Apresa must be reachable from the Internet under each of these names. If this is not the case, issuing of the certificate fails. Note that neither wildcard certificates nor IP addresses are supported.

Update E-mail:

Use this option to update the E-mail address of the Let's Encrypt account.

Deactivate account:

This deactivates the registered Let's Encrypt account, after which the account can no longer be used to request or revoke certificates. Note that it is still possible to revoke a certificate with its private key instead. Deactivating the account is not reversible; once deactivated, a new account must be created.

Automatic renewal:

Certificates issued by Let's Encrypt are valid for 90 days, so they must be renewed regularly. When automatic renewal is enabled, the Apresa tries to automatically renew certificates that expire within 30 days. Whenever a certificate is renewed or fails to renew in this manner, an E-mail is sent to the administrator E-mail address or addresses.

Alarms for expiring certificates

When a certificate expires, it is generally no longer accepted and must be replaced; otherwise a service interruption can occur. Via these settings, alarms are generated on the system information page for certificates that are expired or about to expire, so that appropriate action can be taken in time.

Generate alarms for certificates with private key: Enabling this setting generates alarms for expiring certificates for which the private key is also available, that is, certificates the Apresa itself presents as a server, such as the HTTPS certificate of the web interface.

Generate alarms for certificates without private key: Enabling this setting generates alarms for expiring certificates for which no private key is available, such as imported certificates of other servers that have been set to trusted. Expiry of such a certificate can break connections in which the Apresa is the client, for example LDAPS synchronization.

Generate alarms when certificates expire in x days: This setting controls how many days before a certificate expires an alarm is generated.
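The CSR workflow and the import of another server's certificate described earlier on this page, and the expiry window that these alarms and automatic renewal threshold on, can all be checked offline with openssl. The script below is an added example written for this page; it is not part of the Apresa software or its documentation. The file names, the common names, the one-year validity of the issued certificate and the 30-day window are assumptions, and the key, CSR and CA are generated locally only so that the script runs without a real Apresa or certificate authority.

```shell
#!/bin/sh
# Added example (not part of the Apresa product or its documentation): offline
# openssl checks an administrator can run around the certificate workflows on
# this page. File names, CN values, validity periods and the 30-day window are
# assumptions chosen for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the key pair and CSR the Apresa generates. Constructed here so
# the script runs offline; with the real device only the CSR is downloaded and
# the private key stays on the Apresa.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/apresa.key" -out "$WORK/apresa.csr" \
    -subj "/CN=apresa.example.internal" >/dev/null 2>&1
}

# Stand-in for the certificate authority: a self-signed CA certificate that
# signs the CSR for one year. In practice this step happens at the CA.
sign_with_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/apresa.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -out "$WORK/apresa.crt" >/dev/null 2>&1
}

# Check 1: the downloaded CSR parses and its self-signature verifies, i.e. it
# was produced by the key it carries. The message text differs between
# OpenSSL 1.1 and 3.x, but both contain "verify OK".
csr_is_valid() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Check 2: the certificate returned by the CA carries the same public key as
# the CSR. Otherwise uploading it leaves the Apresa with a certificate for
# which it holds no private key, and HTTPS cannot use it.
cert_matches_csr() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Check 3: the certificate chains to the CA you expect (an issued certificate
# before uploading it, or a server certificate before marking it trusted).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 4: SHA-256 fingerprint to compare over a separate channel with the one
# reported by the operator of the other server before setting it to trusted.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Check 5: returns 0 (true) when the certificate expires within N days, the
# same quantity the expiry alarms and automatic renewal threshold on.
expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1   # -checkend succeeds when the certificate outlives the window
  fi
  return 0
}

demo() {
  make_csr
  sign_with_ca
  csr_is_valid "$WORK/apresa.csr"
  echo "CSR self-signature: OK"
  cert_matches_csr "$WORK/apresa.csr" "$WORK/apresa.crt"
  echo "issued certificate matches CSR key: OK"
  chains_to_ca "$WORK/ca.crt" "$WORK/apresa.crt"
  echo "issued certificate chains to CA: OK"
  echo "SHA-256 fingerprint: $(fingerprint "$WORK/apresa.crt")"
  if expires_within_days "$WORK/apresa.crt" 30; then
    echo "ALARM: certificate expires within 30 days"
  else
    echo "certificate stays valid for more than 30 days"
  fi
}

# Run the demonstration only when executed directly as: sh cert_checks.sh demo
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it as `sh cert_checks.sh demo`. With a real Apresa, replace the generated files with the CSR downloaded from the Certificates page, the certificate returned by your CA and, for checks 3 and 4, the certificate supplied by the administrator of the other server; only check 2 passing guarantees that the uploaded certificate belongs to the private key kept on the Apresa.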