Thunderstone Search Appliance Manual

SSL/HTTPS Certificates

  This allows you to manage the server certificates provided by the Parametric Search Appliance when serving pages via HTTPS. The admin interface, including Webmin, and search will use the same certificate. By default the Parametric Search Appliance has a self-signed certificate. If you have multiple hosts you may need to regenerate the self-signed certificate before your browser will allow you to access the second host using HTTPS. If you want to use HTTPS for searches you'll want to obtain a secure certificate from a trusted authority so that end users don't get warnings in their browser.

If you're familiar with requesting and obtaining/creating secure certificates and have a key and certificate pair ready to install you can use the Enter a premade Private Key/Certificate pair option at the top of the Manage SSL/HTTPS Server Certificates page. You will be presented with 3 large input boxes where you can paste in your Private key, Certificate, and an optional Intermediate Certificate that may be provided by your certificate authority.

You can generate a self-signed certificate or a CSR that can be provided to a certificate authority to request a secure certificate by filling in the boxes on the Manage SSL/HTTPS Server Certificates page. If you just want a self-signed certificate to use for encryption but don't care about authoritativeness you can check Self sign and enter the number of days you want the certificate to be good for then click the Install Certificate button. If you selected Self sign then you're finished. Otherwise click the Generate CSR button to generate the CSR.

When generating a CSR you will be presented with a block of text beginning with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----. You need to send everything between, and including, those lines to your certificate authority. The certificate authority may ask what type of server you're using or what format of certificate you need. Tell them you need an Apache compatible certificate.

After the certificate authority has confirmed your CSR they will provide a similar but different block of text bracketed with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Paste that entire block, including the BEGIN and END lines, into the New Certificate box. They may also provide an "Intermediate Certificate" that you would need to paste into the New Intermediate Certificate box. If they don't provide an Intermediate certificate leave the New Intermediate Certificate box empty.

Once you generate a CSR the certificate management page will only present the option of installing the new certificate(s) from that CSR. If you need to regenerate the CSR or want to abandon the old CSR for any reason click the `Cancel CSR` button on the certificate form.

You can click Download Pending Key to download the private key of the pending CSR, although this is unnecessary when signing a CSR. This can be used if you want to cancel the CSR, but still have the private key around in case you do actually sign that CSR later, and want to upload it as a pre-made cert and key.

If you have set the Parametric Search Appliance to require HTTPS admin and manage to install a certificate that you can't use or somehow prevents HTTPS access you can re-enable HTTP admin by going to the physical console of the Parametric Search Appliance and selecting the drop Admin restrictions (HTTPS,IP,Cipher requirements) option.