To communicate with devices, a certificate is required. Recommendation is a root trusted SSL certificate is implemented. If you are currently using a self-signed certificate, we suggest moving to a trusted root certificate; wildcard certificates are supported.
Since Filewave v12+, the Admin console indicates when a certificate is self-signed; Preferences > Mobile tab > HTTPS Certificate Management
iOS 10.3+ devices can be enrolled with a self-signed certificate. Over the Air (OTA) though will experience warnings or errors; Self Signed Certificate Errors.
Root trusted SSL certificates can be purchased from a Certificate Authority (CA). Apple provide lists of trusted root certificates: https://support.apple.com/en-gb/HT204132
CA Vendors include:
- GlobalSign / AlphaSSL
- and many more...
As FileWave supports wildcard certificates, if you already have a wildcard certificate this could be uploaded without additional purchase. Wildcard certificates are indicate by a * before the domain name. e.g..
- Wildcard cert: *.initech.com
- Dedicated cert: filewave.initech.com
Obtaining an official 3rd party root trusted SSL certificate will be dependent upon the Server's current domain. Only a domain that includes an official 'Top Level Domain' (TLD) may qualify for a root trusted SSL certificate and the root domain must be registered to purchase a certificate. Where the Server uses an internal only domain, it is not possible to transition to an official certificate without first changing the domain where the Server belongs. See migration below. Example TLD:
In the context of a Website, the root domain refers to the highest level of hierarchy, e.g apple.com, microsoft.com, google.com
- demo.filewave.ch is a Fully Qualified Domain Name (FQDN) of a server called 'demo' in the root domain 'filewave.ch', the TLD being 'ch'.
- demo.filewave.local does not have a TLD and instead is using a private internal domain of '.local'. Without a TLD they are known as a Partially Qualified Domain Name (PQDN)
Often the term FQDN is used as a way to indicate the idea of writing the Server name along with its connected domain. Strictly speaking, with internal private only domains, this should be referred to as PQDN. Not only does FileWave recommend using a FQDN, but regardless of using a FQDN or PQDN, always specify the Server name along with its connected domain name (rather than just host name) when setting any preferences, be that for Server, Clients, Boosters, etc. We also discourage the use of IP in settings.
Migration of certificates will not pose any issues as long as:
- Wildcard cert: domain matches the domain name of the previous self-signed certificate
- Dedicated cert: Server name and domain matches the name of the previous self-signed certificate
If during migration the Server's Host Name and/or Domain Name changes, all MDM devices will lose MDM communication with the FileWave Server and require re-enrolment into MDM
|Case||Current Certificate||New Certificate||Result|
|Any certificate to any certificate (changing name)||Self-signed cert = filewave.initech.com||Root trusted cert = fw.initech.com||CHANGING THE FQDN WILL REQUIRE DEVICES TO BE ENROLLED AGAIN|
|Self-signed to root trusted (keeping same name)||Self-signed cert = filewave.initech.com||Root trusted cert = filewave.initech.com||This will NOT require devices to be enrolled again|
|Self-signed to wildcard||Self-signed cert = filewave.initech.com||Wild Card cert = *.initech.com||This will NOT require devices to be enrolled again|
|Root trusted to root trusted||Root trusted cert = filewave.initech.com||Root trusted cert = filewave.initech.com||This will NOT require devices to be enrolled again|
There are 3 key steps.
- Create a CSR and Key to request a certificate from a CA
- Create CRT files from the downloaded certificates
- Convert the certificate to p12 to upload to the FileWave Server
When renewing a current expiring certificate with a CA, step 1 is not required. You will however require the key in step 3. If you have not stored the key elsewhere, the key should always be accessible on your current FileWave Server.
If you have not stored the key safely and the Server were to break such that the key was not retrievable, the whole process would need to be repeated instead.
Certificate expiry should be avoided. Renewing certificates should be done in advance to maintain full working order.
For the example:
- FileWave Server FQDN = fw.initech.com
- Files will be saved to created folder Certificates
- Certificate was purchased from AlphaSSL
Pre-requisite: OpenSSL. Unix based systems have this by default. To follow this process on Windows will require an appropriate version of OpenSSL
Create the .CSR and .KEY from OpenSSL
From a command prompt type the following:
macOS and Unix
You will be prompted for the following:
- Country Name (2 letter code)
- State or Province Name Locality Name (eg, city)
- Organization Name (eg, company)
- Organizational Unit Name (eg, section)
- Common Name (e.g. Server FQDN or YOUR name)
- Email Address
- A challenge password
- An optional company name
For this example the details should be:
- Common Name: fw.initech.com
- Do not enter a password
The Certificates folder should now show:
The KEY should be held safely. The CSR will need to be uploaded to the CA during the request of the certificate creation. You should receive confirmation from the CA, regarding domain ownership and how to retrieve the generated certificate along with some general instructions.
Create CRT files from the downloaded certificates
It is typical, that the SSL certificate will also require an intermediate certificate. These should be readily available from the CA's website. If required, contact the CA for details of which intermediate you will require.
Once the SSL and intermediate certificate have been downloaded, instructions can be followed to create the CRT files. In the case of the email from AlphaSSL, only steps 1-4 should be followed.
Sample email from AlphaSSL.
These 2 CRT files can be copied to the Certificates folder from Step 1.
From the example:
- SSL certificate: purchasedcert.crt
- Intermediate certificate: AlphaSSLCA.crt
Certificates folder should now show:
Convert the certificate to p12 to upload to the FileWave Server
The necessary files are now available to create the p12. From the command line type the following:
The p12 certificate can be uploaded to the Server through the Admin console: Preferences > Mobile Tab > HTTPS Certificate Management. Once uploaded, check the 'Common Name' matches the 'Server name' in the same Tab. For wildcard certificates, only the domain should match.
Apache web server service will automatically restart and the FileWave Server is now ready for MDM.
Explanation of openssl command
openssl pkcs12 #Create a p12 (also know as pkcs12)
-export -out /certificates/fw.initrode.us.p12 #Output location and name of p12 to upload to FileWave
-inkey /certificates/fw.initrode.us.key #Location and name of private key file used to generate the CSR
-in /certificates/purchasedcert.crt #Location and name of purchased certificate provided by the 3rd party supplier
-certfile /certificates/AlphaSSLCA.crt #Location and name of Intermediate certificate, (will often contain more than one cert)