
This article will help you create and upload a root trusted certificate into FileWave.

It is now recommended that everyone have a root trusted certificate in FileWave for the SSL Certificate Management section (located in the General tab of the FileWave Preferences). Wildcard certs are supported.

The FileWave Admin makes it easy to determine whether you have a self-signed certificate or not. Simply log into the FileWave Admin, open the preferences, go to the General tab, and you will see the following line in the SSL Certificate Management section.

Certificate Management

For versions of FileWave below 13.0, SSL Certificate Management is instead: Preferences > Mobile > HTTPS Certificate Management




If this is the case, you will still be able to enroll 10.3+ devices through DEP. But if the device is 10.3+ and you try a manual web enrollment (OTA), you will get an error. You will have to use the steps linked here to resolve the error; alternatively, if you have a root trusted certificate, this error will not present itself. A root trusted certificate is also required to manage Chromebooks in your FileWave Server. That is the purpose of this article: to create that root trusted certificate.

Step 4 in the procedures below states that you need to purchase an SSL certificate from a Certificate Authority. This can be done from many different sites such as the few listed below:

  • GoDaddy
  • Digicert
  • GlobalSign / AlphaSSL
  • Trustwave
  • and many more...

Note: If you currently have a wildcard certificate for your domain, you can use that as well without having to purchase a new one.

A wildcard cert is a certificate that has not been made for a specific server: *.initech.com as opposed to Server_Name.initech.com.

Migrating certificates: If you currently have a self-signed certificate and you create a new root trusted certificate with the same name or a wildcard, all of your currently enrolled devices will be fine. But if you change the DNS name at all, then devices currently enrolled will lose connection.
Migration Examples:

| Case | Current Certificate | New Certificate | Result |
| --- | --- | --- | --- |
| Any certificate to any certificate (changing name) | Self-signed cert = filewave.initech.com | Root trusted cert = fw.initech.com | CHANGING THE FQDN WILL REQUIRE DEVICES TO BE ENROLLED AGAIN |
| Self-signed to root trusted (keeping same name) | Self-signed cert = filewave.initech.com | Root trusted cert = filewave.initech.com | This will NOT require devices to be enrolled again |
| Self-signed to wildcard | Self-signed cert = filewave.initech.com | Wild Card cert = *.initech.com | This will NOT require devices to be enrolled again |
| Root trusted to root trusted | Root trusted cert = filewave.initech.com | Root trusted cert = filewave.initech.com | This will NOT require devices to be enrolled again |


Globally Signed Certificates

If you are using a certificate generated by a trusted CA, be sure your client's operating system trusts the authority. Below are a few sites that may help in determining whether or not the CA you are purchasing a certificate through is trusted.

These are just examples of references you could use; it is up to you to investigate and determine what is trusted or not.

Procedure:

In this example, the DNS of my FileWave management server is fw.initech.com and I made a folder called Certificates that I want to save the outputs to. AlphaSSL was used to purchase my SSL certificate.
If you are doing this on a Windows device, go to https://slproweb.com/products/Win32OpenSSL.html and download the appropriate version of OpenSSL for your environment.

This is a sample of the AlphaSSL process; if you are using another CA then your steps may be different. Please refer to the CA's site for documentation on creating an SSL cert and making a p12.


CSR - Certificate Signing Request 

Create the .CSR and .KEY from OpenSSL using any platform (macOS, WIN, or Linux)

  1. Open a command line:
    Linux/macOS: Terminal
    Windows: Command Prompt (Be sure to run command prompt as administrator by right-click > run as administrator)
  2. Type the following command:

    macOS
    sudo openssl req -new -newkey rsa:2048 -nodes -keyout /certificates/fw.initech.com.key -out /certificates/fw.initech.com.csr


    Windows
    C:\OpenSSL-Win64\bin\openssl.exe req -new -newkey rsa:2048 -nodes -keyout C:\certificates\fw.initech.com.key -out C:\certificates\fw.initech.com.csr
  3. You will then be asked the following questions:
    Country Name (2 letter code)
    State or Province Name
    Locality Name (eg, city)
    Organization Name (eg, company)
    Organizational Unit Name (eg, section)
    Common Name (e.g. server FQDN or YOUR name)
    Email Address
    A challenge password
    An optional company name

    For Common Name, enter your server name (e.g. fw.initech.com).
    Do not enter a password.

    You should now see a .CSR and .KEY file in the Certificates folder.

Upload CSR and download certificates 

  1. Go to your preferred Certificate Authority site to purchase a standard SSL certificate. In my case, Alpha SSL required me to upload the .CSR, which was the output from the command I ran in step 2.
  2. Once the purchase is complete and you have authorized ownership (most sites will send an email to admin@initech.com or webmaster@initech.com to prove you own the domain), you will need to download the certificate they provide you or follow the instructions for download. In my case I got an email with the following instructions, of which I will follow half.




    I will follow the steps 1 - 4 because once I rename the text files to .CRT I can then use those in the next steps to convert my certificates into a .p12 which is needed to be uploaded in FileWave.

  3. From the email sent by Alpha SSL, I saved the .CRT files in my /certificates folder, where the .CSR and .KEY were saved in step 3 above.



  4. Open a command line again and type the following command (on Windows, still run the command prompt as administrator):

    macOS
    sudo openssl pkcs12 -export -out /certificates/fw.initech.p12 -inkey /certificates/fw.initech.com.key -in /certificates/purchasedcert.crt -certfile /certificates/AlphaSSLCA.crt

    Windows
    C:\OpenSSL-Win64\bin\openssl.exe pkcs12 -export -out C:\certificates\fw.initech.com.p12 -inkey C:\certificates\fw.initech.com.key -in C:\certificates\purchasedcert.crt -certfile C:\certificates\AlphaSSLCA.crt

You should now have the .p12 in your Certificates folder.

Explanation of openssl command

openssl pkcs12 #you are making a p12, AKA pkcs12

-export -out /certificates/fw.initech.p12 #save it as a p12 in this location

-inkey /certificates/fw.initech.com.key #use the key file that was generated in the first command, the one that also made the CSR

-in /certificates/purchasedcert.crt #bring in the cert you bought, the one the company gave you that has your server name in it

-certfile /certificates/AlphaSSLCA.crt #bring in the chain, the certs that are between mine and the root CA from where I got my cert (will often contain more than one cert)
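
Before the upload, it is worth confirming that the key, the purchased certificate and the .p12 belong together, and that the certificate still covers the FQDN that devices enrolled against (see the migration table). The script below is an added example, not part of the original article or of FileWave's tooling: the function names are hypothetical, the sample certificate is a constructed self-signed stand-in for the CA-issued one, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: checks to run before uploading the .p12 (helper names are hypothetical).

# SHA-256 of a PEM public key on stdin. Fails on empty input, so two
# unreadable files can never compare as equal.
pub_digest() {
    pub=$(cat)
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}
key_digest()  { openssl pkey -in "$1" -pubout 2>/dev/null | pub_digest; }
cert_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | pub_digest; }

# check_pair KEY CERT FQDN
# returns 0 = ok, 1 = cert was not issued for this key,
#         2 = cert does not cover FQDN, 3 = cert has expired
check_pair() {
    k=$(key_digest "$1") && c=$(cert_digest "$2") && [ "$k" = "$c" ] || return 1
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' || return 2
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || return 3
}

# check_p12 P12 KEY: the bundle's leaf certificate must carry KEY's public key.
# The export password is taken from the P12_PASS environment variable.
check_p12() {
    k=$(key_digest "$2") || return 1
    p=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null | pub_digest) || return 1
    [ "$k" = "$p" ]
}

# Constructed sample: a throwaway self-signed pair for CN=$2 written to DIR=$1,
# standing in for the CA-issued files so the checks can run offline.
make_sample() {
    ( umask 077   # -nodes leaves the key unencrypted: keep it owner-readable only
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
          -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
      openssl pkcs12 -export -out "$1/server.p12" -inkey "$1/server.key" \
          -in "$1/server.crt" -passout env:P12_PASS )
}

export P12_PASS=constructed-demo-password
tmp=$(mktemp -d) && make_sample "$tmp" fw.initech.com
check_pair "$tmp/server.key" "$tmp/server.crt" fw.initech.com && echo "key/cert/FQDN ok"
check_pair "$tmp/server.key" "$tmp/server.crt" filewave.initech.com ||
    echo "renamed server: existing enrollments would break (rc=$?)"
check_p12 "$tmp/server.p12" "$tmp/server.key" && echo "p12 ok"
```

For real use, point `check_pair` and `check_p12` at the article's files (for example `/certificates/fw.initech.com.key` and `/certificates/purchasedcert.crt`) and set `P12_PASS` to the export password chosen in step 4.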



Get certificate into admin

  1. From there you will need to log into the FileWave Admin and go to Preferences > Mobile
  2. Select Upload PKCS12 Certificate, type in your super user credentials, then find the .p12 we just saved, and click Open
  3. Apache will automatically restart and we are now done!


Renewing Cert

If you are renewing your root trusted certificate:


Re-create DEP profiles and associations, as the DEP profile contains a copy of the certificate and is sent to Apple at association time; a new certificate implies a new DEP profile.

Failure to update your DEP profiles to have the new profile will cause trust issues at enrollment.

Congratulations, you have now uploaded a root trusted certificate into FileWave!