Skip to end of metadata
Go to start of metadata

Description

To communicate with devices, a certificate is required.  Recommendation is a root trusted SSL certificate is implemented.  If you are currently using a self-signed certificate, we suggest moving to a trusted root certificate; wildcard certificates are supported.

Since Filewave v12+, the Admin console indicates when a certificate is self-signed; Preferences > Mobile tab > HTTPS Certificate Management



SS-HTTPStab


iOS 10.3+ devices can be enrolled with a self-signed certificate.  Over the Air (OTA) though will experience warnings or errors; Self Signed Certificate Errors.

Information

Root trusted SSL certificates can be purchased from a Certificate Authority (CA).  Apple provide lists of trusted root certificates: https://support.apple.com/en-gb/HT204132

CA Vendors include:

  • GoDaddy
  • Digicert
  • GlobalSign / AlphaSSL
  • Trustwave
  • and many more...

As FileWave supports wildcard certificates, if you already have a wildcard certificate this could be uploaded without additional purchase.  Wildcard certificates are indicate by a * before the domain name. e.g..

  • Wildcard cert: *.initech.com
  • Dedicated cert: filewave.initech.com

Requirements

Obtaining an official 3rd party root trusted SSL certificate will be dependent upon the Server's current domain.  Only a domain that includes an official 'Top Level Domain' (TLD) may qualify for a root trusted SSL certificate and the root domain must be registered to purchase a certificate.  Where the Server uses an internal only domain, it is not possible to transition to an official certificate without first changing the domain where the Server belongs.  See migration below.  Example TLD:

  • .com
  • .org
  • .edu

In the context of a Website, the root domain refers to the highest level of hierarchy, e.g apple.com, microsoft.com, google.com

For example:

  • demo.filewave.ch is a Fully Qualified Domain Name (FQDN) of a server called 'demo' in the root domain 'filewave.ch', the TLD being 'ch'.
  • demo.filewave.local does not have a TLD and instead is using a private internal domain of '.local'.  Without a TLD they are known as a Partially Qualified Domain Name (PQDN)


Often the term FQDN is used as a way to indicate the idea of writing the Server name along with its connected domain.  Strictly speaking, with internal private only domains, this should be referred to as PQDN.  Not only does FileWave recommend using a FQDN, but regardless of using a FQDN or PQDN, always specify the Server name along with its connected domain name (rather than just host name) when setting any preferences, be that for Server, Clients, Boosters, etc.  We also discourage the use of IP in settings.

Migration

Migration of certificates will not pose any issues as long as:

  • Wildcard cert: domain matches the domain name of the previous self-signed certificate
  • Dedicated cert: Server name and domain matches the name of the previous self-signed certificate


If during migration the Server's Host Name and/or Domain Name changes, all MDM devices will lose MDM communication with the FileWave Server and require re-enrolment into MDM


CaseCurrent CertificateNew CertificateResult
Any certificate to any certificate (changing name)Self-signed cert = filewave.initech.comRoot trusted cert = fw.initech.comCHANGING THE FQDN WILL REQUIRE DEVICES TO BE ENROLLED AGAIN
Self-signed to root trusted (keeping same name)Self-signed cert = filewave.initech.comRoot trusted cert = filewave.initech.comThis will NOT require devices to be enrolled again
Self-signed to wildcardSelf-signed cert = filewave.initech.comWild Card cert = *.initech.comThis will NOT require devices to be enrolled again
Root trusted to root trustedRoot trusted cert = filewave.initech.comRoot trusted cert = filewave.initech.comThis will NOT require devices to be enrolled again

Procedure

There are 3 key steps. 

  1. Create a CSR and Key to request a certificate from a CA
  2. Create CRT files from the downloaded certificates
  3. Convert the certificate to p12 to upload to the FileWave Server


Renewing Certificates

When renewing a current expiring certificate with a CA, step 1 is not required. You will however require the key in step 3. If you have not stored the key elsewhere, the key should always be accessible on your current FileWave Server.

If you have not stored the key safely and the Server were to break such that the key was not retrievable, the whole process would need to be repeated instead.

Certificate Expiry

Certificate expiry should be avoided. Renewing certificates should be done in advance to maintain full working order.


Example process

For the example:

  • FileWave Server FQDN = fw.initech.com
  • Files will be saved to created folder Certificates
  • Certificate was purchased from AlphaSSL

Pre-requisite: OpenSSL.  Unix based systems have this by default.  To follow this process on Windows will require an appropriate version of OpenSSL

Step 1

Create the .CSR and .KEY from OpenSSL

From a command prompt type the following:

macOS and Unix

sudo openssl req -new -newkey rsa:2048 -nodes -keyout /certificates/fw.initech.com.key -out /certificates/fw.initech.com.csr

Windows

C:\OpenSSL-Win64\bin\openssl.exe req -new -newkey rsa:2048 -nodes -keyout C:\certificates\fw.initech.com.key -out C:\certificates\fw.initech.com.csr

You will be prompted for the following:

  • Country Name (2 letter code)
  • State or Province Name Locality Name (eg, city) 
  • Organization Name (eg, company) 
  • Organizational Unit Name (eg, section) 
  • Common Name (e.g. Server FQDN or YOUR name) 
  • Email Address 
  • A challenge password 
  • An optional company name

For this example the details should be:

  • Common Name: fw.initech.com
  • Do not enter a password

The Certificates folder should now show:

fw.initech.com.csr
fw.initech.com.key

The KEY should be held safely.  The CSR will need to be uploaded to the CA during the request of the certificate creation.  You should receive confirmation from the CA, regarding domain ownership and how to retrieve the generated certificate along with some general instructions.

Step 2

Create CRT files from the downloaded certificates

It is typical, that the SSL certificate will also require an intermediate certificate.  These should be readily available from the CA's website.  If required, contact the CA for details of which intermediate you will require.

Once the SSL and intermediate certificate have been downloaded, instructions can be followed to create the CRT files.  In the case of the email from AlphaSSL, only steps 1-4 should be followed.

Sample email from AlphaSSL.

These 2 CRT files can be copied to the Certificates folder from Step 1.

From the example:

  • SSL certificate: purchasedcert.crt
  • Intermediate certificate: AlphaSSLCA.crt

Certificates folder should now show:

AlphaSSLCAS.crt
fw.initech.com.csr
fw.initech.com.key
purchasedcert.crt
Step 3

Convert the certificate to p12 to upload to the FileWave Server

The necessary files are now available to create the p12.  From the command line type the following:

macOS/Linux

sudo openssl pkcs12 -export -out /certificates/fw.initech.p12 -inkey /certificates/fw.initech.key -in /certificates/purchasedcert.crt -certfile /certificates/AlphaSSLCA.crt

Windows

C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out C:\certificates\fw.initech.com.p12 -inkey C:\certificates\fw.initech.com.key -in C:\certificates\purchasedcert.crt -certfile C:\certificates\AlphaSSLCAS.crt

The p12 certificate can be uploaded to the Server through the Admin console: Preferences > Mobile Tab > HTTPS Certificate Management.  Once uploaded, check the 'Common Name' matches the 'Server name' in the same Tab.  For wildcard certificates, only the domain should match.

Apache web server service will automatically restart and the FileWave Server is now ready for MDM.

Command Overview


Explanation of openssl command

openssl pkcs12 #Create a p12 (also know as pkcs12)

-export -out /certificates/fw.initrode.us.p12 #Output location and name of p12 to upload to FileWave

-inkey /certificates/fw.initrode.us.key #Location and name of private key file used to generate the CSR

-in /certificates/purchasedcert.crt #Location and name of purchased certificate provided by the 3rd party supplier

-certfile /certificates/AlphaSSLCA.crt #Location and name of Intermediate certificate, (will often contain more than one cert)