The Administration > Client Access page is used to configure the HTTPS certificate and DNS name that all clients use to connect to the system. HTTPS must be configured and maintained in order to provide a secure connection between UIP and its clients. Only secure TLS 1.2 connections will be accepted after HTTPS has been configured. HTTP connection attempts will be redirected to HTTPS after a certificate has been configured.
Certificates issued by widely-trusted certificate authorities expire after 397 days (13 months) so they must be updated annually. Administrators should include this in their annual maintenance planning for the UIP system.
Users will need to reload the website in order for their web browser to start using an updated certificate.
If you are configuring HTTPS access for the first time or you are changing the system name, access to the system will be interrupted for several minutes while all of its services are reconfigured and restarted. During this time you will be redirected to a maintenance page. From there, users will be able to access the system using its new URL after all of the services have finished restarting.
If a certificate and its corresponding private key are uploaded to the Client Access page they can be used to enable HTTPS client connections.
It is recommended, but not required, to also upload the intermediate Certificate Authority (CA) certificates in the host certificate's chain of trust. Doing so will help ensure that clients will trust connections to this system.
The certificate(s) and private key can be uploaded as a single file or multiple files. All uploaded file(s) must use the Base64 encoded PEM format.
The first and last lines of the server certificate and CA certificates will be the following:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
If the certificate authority provided a binary DER format certificate it can be converted into PEM format using the following OpenSSL command.
# Convert DER binary format certificate to PEM format
openssl x509 -inform DER -in certificate.der -outform PEM -out certificate.pem
If the certificate authority provided a binary PFX format certificate it can be converted into PEM format using the following OpenSSL command.
# Extract certificate, private key, and CA chain from PFX (requires the password used to create the PFX; remove the Bag Attributes lines from the output file before attempting to use it with UIP)
openssl pkcs12 -in certificate.pfx -nodes -out certificate.pem
The uploaded certificate must not be expired. To check the validity dates of the certificate and plan its future replacement date, run the following OpenSSL command.
# Display the Valid From and Valid To times between which the certificate is valid
openssl x509 -noout -startdate -enddate -in certificate.pem
The client access system name must be listed within the Subject Alternative Name (SAN) X.509 extension of the HTTPS Certificate explicitly or by wildcard. Run the following OpenSSL command to display the SAN extension of the certificate.
# Display the X.509 Subject Alternative Name of the certificate
openssl x509 -noout -ext subjectAltName -in certificate.pem
The private key of the server certificate must also be provided. Only one private key should be uploaded. The first and last lines of the private key file will be similar to the following, but may vary slightly depending on the type of private key and the tools that were used to create it.
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
If you have a PKCS8 format "ENCRYPTED" private key, it will need to be converted to PKCS1 format. It can be converted using the following OpenSSL command.
# Convert PKCS8 private key to PKCS1 (requires the password used to encrypt the source file)
openssl pkcs8 -in private-pkcs8.key -traditional -out private.key
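The checks above (PEM format, a single unencrypted private key, no leftover Bag Attributes, validity dates, system name in the SAN, and key matching the certificate) can be run together before uploading. The following script is an added example, not UIP's own tooling; it assumes openssl is on the PATH and that the bundle holds the server certificate first, any CA certificates, and exactly one private key, all in PEM format.

```shell
# Added example (not UIP tooling): check a PEM bundle before uploading it on
# Administration > Client Access. Assumes openssl in PATH and a bundle holding
# the server certificate first, optional CA certs, and one private key (PEM).
# Usage: check_uip_bundle bundle.pem uip.example.com
check_uip_bundle() {
    bundle="$1"; name="$2"; rc=0; encrypted=0

    # Exactly one private key, and not an "ENCRYPTED" PKCS#8 key.
    keys=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$bundle" || :)
    [ "$keys" -eq 1 ] || { echo "FAIL: expected 1 private key, found $keys"; rc=1; }
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$bundle"; then
        echo "FAIL: encrypted PKCS#8 key; convert with 'openssl pkcs8 -traditional'"
        rc=1; encrypted=1
    fi

    # Leftover 'Bag Attributes' lines from a PFX extraction are not accepted.
    if grep -q '^Bag Attributes' "$bundle"; then
        echo "FAIL: strip the Bag Attributes lines written by openssl pkcs12"; rc=1
    fi

    # openssl x509 reads the first certificate block, i.e. the server cert.
    openssl x509 -noout -in "$bundle" 2>/dev/null || { echo "FAIL: no PEM certificate"; return 1; }

    # Must not be expired; warn when fewer than 30 days (2592000 s) remain.
    if ! openssl x509 -noout -checkend 0 -in "$bundle" >/dev/null; then
        echo "FAIL: certificate has expired"; rc=1
    elif ! openssl x509 -noout -checkend 2592000 -in "$bundle" >/dev/null; then
        echo "WARN: certificate expires within 30 days; plan its replacement"
    fi

    # The system name must be covered by the SAN extension, exactly or by wildcard.
    sans=$(openssl x509 -noout -ext subjectAltName -in "$bundle" 2>/dev/null || :)
    wild="*.${name#*.}"
    case "$sans" in
        *"DNS:$name,"*|*"DNS:$name"|*"DNS:$wild,"*|*"DNS:$wild") ;;
        *) echo "FAIL: '$name' is not covered by the SAN: $sans"; rc=1 ;;
    esac

    # The key must belong to the certificate: compare the derived public keys.
    if [ "$encrypted" -eq 0 ]; then
        certpub=$(openssl x509 -noout -pubkey -in "$bundle" 2>/dev/null || :)
        keypub=$(openssl pkey -pubout -in "$bundle" 2>/dev/null || :)
        [ -n "$keypub" ] && [ "$certpub" = "$keypub" ] ||
            { echo "FAIL: private key does not match the certificate"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $bundle is ready to upload for $name"
    return "$rc"
}
```

The function exits non-zero on any FAIL, so it can gate an automated renewal pipeline as well as a manual upload.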
The system name is what users type into their web browser to access the system. When an HTTPS certificate is configured, the system name choices are limited to selections that are compatible with the uploaded certificate. If the certificate contains a wildcard, a field will be displayed for specifying the wildcard portion of the name.
The chosen name must resolve back to the IP address of the host machine. The IP address of the UIP host machine should be reserved/fixed so that it does not change without notice. UIP will test that its containers can resolve the specified name back to the system's configured IP address. If the application indicates that it cannot verify your chosen name, you may need to follow the System Requirements > Configure DNS Servers instructions.
If you are configuring your system on an IaaS platform or in a network environment where the external DNS name (system name) does not match the local host name, this page will check the system name using ICMP. ICMP must be allowed through any external firewalls or proxies into the UIP instance while saving this page.