This article will help you create and upload a root trusted certificate into FileWave.
We recommend that everyone now install a root trusted certificate in FileWave through the SSL Certificate Management section (located in the General tab of the FileWave Preferences). Wildcard certificates are supported.
The FileWave Admin makes it easy to determine whether you have a self-signed certificate or not. Simply log into the FileWave Admin, open the preferences, go to the General tab, and you will see the following line in the SSL Certificate Management section.
For versions of FileWave below 13.0, SSL Certificate Management is instead: Preferences > Mobile > HTTPS Certificate Management
If this is the case, you will still be able to enroll 10.3+ devices through DEP. But if the device is 10.3+ and you try a manual web enrollment (OTA), you will get an error. You will have to use the steps linked here to resolve the error; alternatively, if you have a root trusted certificate, this error will not present itself. A root trusted certificate is also required to manage Chromebooks in your FileWave Server. The purpose of this article is to create that root trusted certificate.
Step 4 in the procedures below states that you need to purchase an SSL certificate from a Certificate Authority. This can be done from many different sites such as the few listed below:
- GlobalSign / AlphaSSL
- and many more...
Migrating certificates: If you currently have a self-signed certificate and you create a new root trusted certificate with the same name or a wildcard, all of your currently enrolled devices will be fine. But if you change the DNS name at all, devices currently enrolled will lose connection.

| Case | Current Certificate | New Certificate | Result |
|---|---|---|---|
| Any certificate to any certificate (changing name) | Self-signed cert = filewave.initrode.us | Root trusted cert = fw.initrode.us | CHANGING THE FQDN WILL REQUIRE DEVICES TO BE ENROLLED AGAIN |
| Self-signed to root trusted (keeping same name) | Self-signed cert = filewave.initrode.us | Root trusted cert = filewave.initrode.us | This will NOT require devices to be enrolled again |
| Self-signed to wildcard | Self-signed cert = filewave.initrode.us | Wild Card cert = *.initrode.us | This will NOT require devices to be enrolled again |
| Root trusted to root trusted | Root trusted cert = filewave.initrode.us | Root trusted cert = filewave.initrode.us | This will NOT require devices to be enrolled again |
Globally Signed Certificates
If you are using a certificate generated by a trusted CA, be sure your clients' operating systems trust the authority. Below are a few sites that may help in determining whether or not the CA you are purchasing a certificate through is trusted.
In this example, the DNS of my FileWave management server is fw.initrode.us and I made a folder called Certificates that I want to save the outputs to. AlphaSSL was used to purchase my SSL certificate.
If you are doing this on a Windows device, go to https://slproweb.com/products/Win32OpenSSL.html and download the appropriate version of OpenSSL for your environment.
CSR - Certificate Signing Request
Create the .CSR and .KEY with OpenSSL on any platform (macOS, Windows, or Linux)
- Open a command line:
Windows: Command Prompt (Be sure to run command prompt as administrator by right-click > run as administrator)
Type the following command (Don't forget to change fw.initrode.us to your DNS name):
- You will then go through a few questions below:
Country Name (2 letter code)
State or Province Name
Locality Name (eg, city)
Organization Name (eg, company)
Organizational Unit Name (eg, section)
Common Name (e.g. server FQDN or YOUR name)
Email Address
A challenge password
An optional company name
- You should now see a .CSR and .KEY file in the Certificates folder
Upload CSR and download certificates
- Go to your preferred Certificate Authority site to purchase a standard SSL certificate. In my case, AlphaSSL required me to upload the .CSR, which was the output from the command I ran in step 2.
- Once the purchase is complete and you have proven ownership (most sites will send an email to firstname.lastname@example.org or email@example.com to prove you own the domain), you will need to download the certificate they provide or follow their instructions for download. In my case I got an email with the following instructions, of which I will follow only half.
I will follow steps 1 - 4 because once I rename the text files to .CRT, I can use them in the next steps to convert my certificates into a .p12, which is the format that must be uploaded to FileWave.
- From the email sent by AlphaSSL, I saved the .CRT files in the same /certificates folder where the .CSR and .KEY from step 3 above are saved.
Open a command line again and type the following command (on Windows, still run Command Prompt as administrator):
You should now have the .p12 in your Certificates folder.
Explanation of openssl command
openssl pkcs12 #you are making a p12 AKA pkcs12
-export -out /certificates/fw.initrode.us.p12 #save it as a p12 in this location
-inkey /certificates/fw.initrode.us.key #use the key file that was generated in the first command, the one that also made the CSR
-in /certificates/purchasedcert.crt #bring in the cert you bought, the one the company gave you that has your server name in it
-certfile /certificates/AlphaSSLCA.crt #bring in the chain, the certs that sit between mine and the root CA of the company I got my cert from (will often contain more than one cert)
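The two OpenSSL steps above, with the checks worth running before the .p12 is uploaded, as an added example that is not FileWave's own code. Everything other than fw.initrode.us, purchasedcert.crt and the `openssl pkcs12` options explained above is an assumption: the function names, the 2048-bit RSA key, and the throwaway test CA that stands in for the purchased certificate so the script runs offline.

```shell
#!/bin/sh
# Added example (not FileWave's code). Function names, key size and the
# test CA are assumptions made for illustration.
FQDN="fw.initrode.us"   # DNS name used in the article; change to yours

# Step 1: private key + CSR. -subj answers the interactive questions.
make_csr() {            # $1 = output directory
    ( umask 077         # key file readable by the owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
          -keyout "$1/$FQDN.key" -out "$1/$FQDN.csr" 2>/dev/null )
}

# Constructed stand-in for the purchase step: a throwaway CA signs the CSR.
# With a real CA you save its files as purchasedcert.crt and the chain file.
sign_with_test_ca() {   # $1 = directory holding the CSR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/testca.key" -out "$1/testca.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/$FQDN.csr" -days 1 -CAcreateserial \
        -CA "$1/testca.crt" -CAkey "$1/testca.key" \
        -out "$1/purchasedcert.crt" 2>/dev/null
}

# Check: does this private key belong to this certificate?
key_matches_cert() {    # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 2: bundle key, server certificate and chain into the .p12.
make_p12() {            # $1 = directory, $2 = export password
    key_matches_cert "$1/$FQDN.key" "$1/purchasedcert.crt" || return 1
    ( umask 077
      openssl pkcs12 -export -out "$1/$FQDN.p12" \
          -inkey "$1/$FQDN.key" -in "$1/purchasedcert.crt" \
          -certfile "$1/testca.crt" -passout "pass:$2" )
}

# Check: how many certificates (server + chain) ended up in the bundle?
p12_cert_count() {      # $1 = .p12 file, $2 = export password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

On a real server, drop `-passout` so OpenSSL prompts for the export password instead of exposing it in the process list, and treat the .key and .p12 files as secrets since both contain the private key.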
Get certificate into admin
- From there, log into the FileWave Admin and go to Preferences > Mobile
- Select Upload PKCS12 Certificate, type in your super user credentials, then find the .p12 we just saved, and click Open
- Apache will automatically restart and we are now done!
If you are renewing your root trusted certificate:
Failure to update your DEP profiles to have the new profile will cause trust issues at enrollment.
Re-create DEP profiles and associations, as the DEP profile contains a copy of the certificate and is sent to Apple at association time; a new certificate implies a new DEP profile.
Congratulations, you have now uploaded a root trusted certificate into FileWave!