Using trusted server certificates with Files Advanced

This section explains how to configure Files Advanced with trusted server certificates.

By default, Files Advanced provides self-generated SSL certificates for testing purposes. Using a certificate signed by a trusted Certificate Authority will establish the identity of the server and allow clients to connect without errors.

Note: Web browsers will display warning messages when using self-signed certificates. Dismissing those messages allows the system to be used for testing.

Using self-signed certificates for production deployments is not supported. Production deployments should implement proper CA certificates.

Creating a Certificate Request

Note: Creating certificates is not and will never be a function of Files Advanced. This certificate request is in no way necessary for the operation of Files Advanced but it is required by Certificate vendors.

Note: If prompted by your vendor to select a server type, choose IIS. The certificates must be installed in the Windows Certificate Store before Files Advanced can use them.

Generating a certificate request via IIS:

For more information on this procedure, please refer to the following Microsoft Knowledge Base article: http://technet.microsoft.com/en-us/library/cc732906(v=ws.10).aspx

Generating a certificate request via OpenSSL:

Note: For this guide you need to have OpenSSL installed.

Note: Contact your preferred certificate vendor for more information or help with this procedure.

To generate a private key and a Certificate Signing Request (CSR) for the web server "AAServer":

  1. Open an elevated command prompt and enter the following command:

openssl req -new -nodes -keyout myserver.key -out AAServer.csr -newkey rsa:2048

This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Be sure to back up the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR).

Note: If you receive the following error:

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

run the following command, changing the path to match where you installed OpenSSL:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

After you have completed this procedure, attempt step 1 again.

  2. You will now be asked for the details to be included in your CSR. Use the name of the web server as the Common Name (CN). If the domain name is mydomain.com, append the domain to the hostname (use the fully qualified domain name).
  3. The fields email address, optional company name and challenge password can be left blank for a web server certificate.
  4. Your CSR has now been created. Open AAServer.csr in a text editor and copy and paste the contents into the online enrollment form when requested by the certificate vendor.

Installing your certificate to the Windows certificate store

Requirements

The certificate you are using must contain its private key. The certificate file must be in either the .PFX or .P12 format. It doesn't matter which one since they are interchangeable.

Note: If your Certificate Vendor provided you with a certificate and a key as two separate files, you can combine them into one .PFX file with the following command:

openssl pkcs12 -export -in <yourcertificate.extension> -inkey <yourkey.extension> -out <newfile.pfx>

e.g. openssl pkcs12 -export -in acmecert.crt -inkey acmecertkey.key -out acmecombined.pfx

This command requires OpenSSL to be installed.

Installing your certificate to the Windows certificate store

Note: If your Files Advanced and Gateway Servers are using different certificates, repeat these steps for both.

  1. On the server, click Start, and then click Run.
  2. In the Open box, type mmc, and then click OK.
  3. On the File menu click Add/Remove snap-in.
  4. In the Add/Remove Snap-in dialog box, click Add.
  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  6. In the Certificates snap-in dialog box, click Computer account (this is not selected by default), and then click Next.
  7. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
  8. In the Add Standalone Snap-in dialog box, click Close.
  9. In the Add/Remove Snap-in dialog box, click OK.
  10. In the left pane of the console, double-click Certificates (Local Computer).
  11. Right-click Personal, point to All Tasks, and then click Import.
  12. On the Welcome to the Certificate Import Wizard page, click Next.
  13. On the File to Import page, click Browse, locate your certificate file, and then click Next.

    Note: If you are importing a PFX file, you will need to change the file filter to “Personal Information Exchange (*.pfx, *.p12)” to display it.

  14. If the certificate has a password, type the password on the Password page, and then click Next.
  15. Check the following boxes:
    1. Mark this key as exportable
    2. Include all extended properties
  16. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  17. Click Finish, and then click OK to confirm that the import was successful.

All of the certificates successfully installed in the Windows Certificate Store will be available when using the Files Advanced Configuration Utility.
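The import can also be scripted and checked afterwards. The following PowerShell is an added example, not part of the product or its documentation; it assumes an elevated session, and the PFX path is a placeholder. It imports into the same Local Computer > Personal store as the wizard and then reports common reasons a certificate cannot be used as a trusted server certificate.

```powershell
# Added example: scripted equivalent of the wizard import, with post-import checks.
$pfxPath  = 'C:\certs\acmecombined.pfx'   # placeholder path
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Same destination as the wizard: Certificates (Local Computer) > Personal,
# with the private key marked exportable.
$imported = Import-PfxCertificate -FilePath $pfxPath -Password $password `
    -CertStoreLocation 'Cert:\LocalMachine\My' -Exportable
$cert = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'The PFX did not yield a certificate with a private key.' }

$problems = @()
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
if ($cert.Subject -eq $cert.Issuer) {
    $problems += 'Subject equals issuer: this is a self-signed certificate.'
}

# If an Enhanced Key Usage extension is present, it must allow
# Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
if ($eku -and -not ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems += 'Enhanced Key Usage does not include Server Authentication.'
}

# The issuing CA should be in the local computer's Intermediate Certification
# Authorities (CA) or Trusted Root Certification Authorities (Root) store.
$issuer = Get-ChildItem 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $issuer) { $problems += "Issuer not found locally: $($cert.Issuer)" }

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    Problems      = if ($problems) { $problems -join ' ' } else { 'none' }
} | Format-List
```

Keep the reported thumbprint; it identifies the certificate unambiguously when several entries in the store share a subject name.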

Configure Files Advanced to use your certificate

After you've successfully installed your certificate to the Windows certificate store, you have to configure Files Advanced to use that certificate.

  1. Launch the Files Advanced Configuration Utility. There should be a shortcut in the Windows Start menu.

    Note: The Configuration Utility is located in C:\Program Files (x86)\Acronis\Files Advanced\Common\Configuration Utility by default.

  2. On the Web Server tab, press the [...] button and select your certificate from the list.
  3. On the Mobile Gateway tab, press the [...] button and select your certificate from the list.
  4. Click Apply. This will restart the web services and after about a minute they should be back online and using your certificate. You can check to confirm they are serving the correct certificates.

Using Intermediate certificates

If the Certificate Authority has issued you an Intermediate certificate along with your certificate, it must also be added to the Files Advanced Server through the Configuration Utility.

Note: The Configuration Utility only searches in the Intermediate Certificates certificate store. If your certificate was installed in one of the other stores, open certmgr.msc and move your Intermediate certificate from the store it is in, to the Intermediate Certification Authorities -> Certificates store.

  1. Launch the Files Advanced Configuration Utility. There should be a shortcut in the Windows Start menu.

    Note: The Configuration Utility is located in C:\Program Files (x86)\Acronis\Files Advanced\Common\Configuration Utility by default.

  2. On the Web Server tab, press the [...] button and select your certificate from the list.
  3. Press the plus (+) button next to the Chain Certificate field and select the intermediate certificate you wish to use from the list. If the desired certificate is not in the list, please check if it was properly installed and which store it was installed in.
  4. On the Mobile Gateway tab, press the [...] button and select your certificate from the list. No additional steps are required for intermediate certificates.
  5. Click Apply. This will restart the service and after it comes back online, you can check to confirm it is serving the selected certificates.
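One way to perform the "check to confirm" step mentioned in both Configuration Utility procedures is to connect to the service and inspect the certificate it presents. This PowerShell is an added example, not part of the product; the host name, port and expected thumbprint are placeholders, and it is best run from a client machine rather than on the server itself so that the result reflects what clients see.

```powershell
# Added example: report the certificate a service presents during the TLS handshake.
$serverName = 'aaserver.mydomain.com'   # placeholder: FQDN clients connect to
$port       = 443                       # placeholder: port of the service being checked
$expected   = '<thumbprint of the certificate selected in the Configuration Utility>'

$seen = @{}
$inspect = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $certificate, $chain, $sslPolicyErrors)
    # Copy what is needed; the objects passed in may not outlive the callback.
    $seen.Leaf   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    $seen.Errors = $sslPolicyErrors
    $seen.Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $true   # let the handshake finish so the result can be reported; no data is sent
}

$tcp = [System.Net.Sockets.TcpClient]::new($serverName, $port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $inspect)
    $ssl.AuthenticateAsClient($serverName)
    $ssl.Dispose()
}
finally { $tcp.Dispose() }

$leaf = $seen.Leaf
[pscustomobject]@{
    Subject           = $leaf.Subject
    Issuer            = $leaf.Issuer
    Thumbprint        = $leaf.Thumbprint
    ThumbprintMatches = $leaf.Thumbprint -eq ($expected -replace '\s', '')
    SelfSigned        = $leaf.Subject -eq $leaf.Issuer
    NotAfter          = $leaf.NotAfter
    PolicyErrors      = $seen.Errors   # None = name matches and chain is trusted
    ChainAsBuilt      = $seen.Chain -join ' <- '
} | Format-List
```

Run it once for the web server and once for the Mobile Gateway address. A PolicyErrors value other than None, or a chain that stops at the server certificate, indicates that the name does not match or that the intermediate certificate is not reaching clients.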