Deploying Self-Signed Certificates

Admin Guide > APPENDICES > Appendix J: ICE Security > ICE Private Certificate Stores > Deploying Self-Signed Certificates

This section provides instructions for using self-signed certificates for ICE Desktop and Mobile users.

Rallypoints

Rallypoints use X.509 certificates for encryption, authentication, verification, and data creation. At minimum, a Rallypoint has a default certificate that it uses for all these purposes, but it is possible to use individual certificates for specialized purposes, e.g., connections to different RallyPoints (both within and external to an enterprise) can use different certificates.

Self-Signed Certificates for ICE Desktop

The ICE Desktop client supports the use of self-signed certificates by applying to the security context a root CA certificate file that was installed to the Windows certificate store. The root CA certificate must be in the .crt format.

Note: Other common certificate formats (for example .cer) are not supported. The entire certificate trust chain must be present in the root CA file, so, depending on how the server identity certificate was setup, one or more intermediate CA certificates may also be required, in addition to the root CA certificate.

To generate a self-signed certificate chain

1. In the ICE OS Configuration Wizard, navigate to the Server page.

2. Enable the Generate Self-Signed Certificate Chain option and then click Next.

3. In the Cluster Ingress Hostname field, enter a valid FQDN address that can be resolved by your DNS server.

4. Proceed to the Finish tab and click Install & Upgrade.

5. After completion, click the Status menu at top right and then click Certificates. The FQDN should appear with a green status under SANs. This confirms certificate generation success.

6. Use the following instructions to download the certificate.

A. Navigate to the Server Certificate tab.

B. Click Show Self-Signed Certificate Chain.

C. Download the cluster-generated Root CA certificate.

To download a certificate file

If the server has already generated certificates, use the following procedure to download them.

1. In the ICE OS Configuration Wizard, navigate to the Server Certificate page.

2. Click Show Self-Signed Certificate Chain.
The existing certificates appear.

3. Click the certificate you wish to download.
Download commences.

To install a CA file for ICE Desktop

1. Download the root CA certificate file to the host machine.

2. Right-click the file and select Install Certificates.

3. Select Open.

4. Select Install for current users.

5. Place the file in the Trusted Root Certification Authorities store.

6. Navigate to the certificate store: Certificates > Trusted Root Certification Authorities > Certificates.

7. Verify the certificate file is there.

8. Launch ICE Desktop. Log out, if necessary, then log in.

On login, the desktop client queries the installed root CA certificates (system and user) and applies them to the security context. If the root CA certificate and all intermediates are present, the client will successfully connect to the ICE Server.