Template:Secure Socket Layer Certification

Table of contents
No headers

Although the Zmanda Management Console is shipped with pre-packaged Apache SSL certificate to get you started, Zmanda recommends you purchase (or create your own self-signed) SSL certificates and distribute them to all the browsers from which you wish to access the ZMC. The pre-packaged certificates are not secure (as they are shared by all Zmanda customers). These generic certificates will also generate security warnings on some browser versions.

Zmanda recommends that you either 1) Create self-signed certificates and distribute them to all the client machines that require access to the ZMC, or 2) Distribute certificates from a recognized Certificate Authority. Option 1 (self-signed certificates) is free, and is adequate for most organizations that deploy ZMC servers and the machines that access them '''behind the same firewall'''.

If using a certificate from a recognized Certificate Authority, your browser will automatically create the secure connection with no errors or warnings.

If using a self-signed certificate, you must then deploy a mechanism to get the relevant browser(s) to accept this new root CA.  One method is to generate the certificate using a special format that can be directly imported by common web browsers, and then providing a link on a secure intranet for ZMC users to download (web browsers automatically display the import dialog if the file is in the correct format and sent by the intranet web server using the correct mimetype). PKCS12 (now part of OpenSSL, provides a mechanism to distribute self-signed private key certificates in a number formats recognized by different browsers.

Another approach is to manually add the new self-signed root CA to the root CA list of the client system, which will automatically provide access to the new CA for all web browsers on the client system.   This article covers the procedures for  doing this in a Microsoft Windows server environment.

For more details on certificate validation issues, see this article from OpenSSL.