Overview
For any web browser or a GFI LanGuard instance to seamlessly connect to the GFI LanGuard Central Management Server Console, the GFI LanGuard Central Management Console CA certificate needs to be trusted.
This article provides information on how to add the GFI LanGuard Central Management Console CA as a trusted Certificate Authority or replace the default certificate with your trusted certificate.
Solution
GFI LanGuard Central Management Server Console is accessed securely through HTTPS. This requires digital certificates for server authentication and communication encryption purposes.
By default, the Central Management Server uses a certificate issued during installation by a special-purpose Certificate Authority (CA) called GFI LanGuard Central Management Console CA. The web clients of GFI LanGuard Central Management Server Console are presented with a certificate chain consisting of:
- A self-signed CA certificate issued by GFI LanGuard Central Management Console CA
A certificate issued to the computer where the product is installed, having as subject the name of the computer
For any web browser or a LanGuard instance to seamlessly connect to the Central Management Server Console, the GFI LanGuard Central Management Console CA certificate needs to be trusted by the client computers. Alternatively, if you already have a trusted certificate, you can use it instead of the default certificate generated by GFI LanGuard.
Adding the CMS Console CA as Trusted Certificate Authority
The GFI LanGuard Central Management Console CA creates a single certificate during installation. This certificate is then permanently disabled and the CA cannot issue more certificates. This makes it safe to add this CA to the list of Trusted Certificate Authorities on client computers.
Download the CA certificate from the CMS Server and install it. below are the instructions for different browsers and OS.
Microsoft Internet Explorer, Google Chrome, and Opera on Microsoft Windows
- Open GFI LanGuard Central Management Server Console in your browser.
- When you receive the certificate error in the browser, select Continue to this website (not recommended).
- Enter the authentication credentials.
- From the top navigation menu click the Settings icon.
- Select HTTPS Certificate and click Download certificate. The following file will be downloaded to your computer:
root.cer
. - Locate the file and double-click to open.
- Click Install Certificate….
- In the Certificate Import Wizard, click Next.
- Select Place all certificates in the following store, then click Browse… and select Trusted Root Certification Authorities. Click OK.
- Click Next.
- Click Finish.
- Click OK. The CA certificate is now trusted.
Mozilla Firefox on any operating system
- Open GFI LanGuard Central Management Server Console in your browser.
- When you receive the certificate error in the browser, select I Understand the Risks then click Add Exception….
- In the Add Security Exception window, click Confirm Security Exception. This allows you to continue to the application.
- Enter the authentication credentials.
- From the top navigation menu click the Settings icon.
- Select HTTPS Certificate and click Download certificate. The following file will be downloaded to your computer:
root.pem
. - In Mozilla Firefox, go to Settings > Options > Advanced > Certificates > View Certificates > Authorities tab and click Import….
- Select the previously downloaded file
root.pem
. - Select Trust this CA to identify websites and click OK to complete the import.
Safari, Google Chrome, and Opera on Apple OS X
- Open GFI LanGuard Central Management Server Console in your browser.
- When you receive the certificate error in the browser, select Continue. This allows you to continue to the application.
- Key in the authentication credentials.
- From the top navigation menu click the Settings icon.
- Select HTTPS Certificate and click Download certificate. The following file will be downloaded to your computer:
root.p12
. - Open the downloaded file
root.p12
with Keychain Access. - Leave the Password field empty and select OK.
- Select Always Trust.
Using an Existing SSL Certificate in Central Management Server
GFI LanGuard Central Management Server can be configured to use existing SSL certificates. This allows you to leverage your existing trust infrastructure. Follow the steps below after installing GFI LanGuard Central Management Server:
NOTE: Ensure the hostname and FQDN should match on the certificate. Do not use a certificate for a different device.
- Open Internet Information Services Manager (IIS Manager).
- From the Connections tree, select your server.
- In the right pane, open Server Certificates.
- From the Actions menu, click Import….
- In the Import Certificate dialog, click ... to browse and locate the PFX file which contains your existing SSL certificate.
- If the certificate is password protected, key in the password and click OK.
- In the Connections tree, expand Sites and select GFI LanGuard Central Management Server Website.
- From the Actions menu, click Bindings…
- In the Site Bindings dialog, select https from the list and click Edit….
- In the SSL certificate field select your SSL certificate and click OK.
Ensure your existing SSL certificate is trusted on all machines where GFI LanGuard is installed since GFI LanGuard requires the certification chain to be trusted by the operating system.
Testing
Open GFI LanGuard Central Management Server Console in your browser and you should not see the certificate warnings.