Personal dashboard: Certificate Storage

Note

This dashboard section can be accessed by users with Admin or Technical role only. The settings can be edited by users with Technical role only.

The Certificate Storage contains TLS certificates available for your account, and it allows you to install these certificates for specific domains and services.

Before you start working with certificates

To start using TLS encryption on domains or services, you need to take two steps:

  1. Adding a certificate to the certificate storage

    In the Certificate storage section of your dashboard, you can add a certificate to the system by generating it with Let's Encrypt or uploading ready-made files from another source. You can do the same with Qrator API methods. The added certificate is not activated automatically; it becomes available for installation on any of the account's domains and services (see the next step).

  2. Installing a certificate for a domain or service

    Installing a certificate means setting up a match between the certificate and the specific domain name for which the certificate will be used. A certificate can be installed in the Certificate Storage section, under TLS for the domain or service. You can also use Qrator API methods.

    When installing a certificate, you specify which domain names it will be used for. You can also select the Default Host option. A certificate installed with this option will be used when a user makes a request to a domain name for which no certificate is assigned. Each domain or service for which certificates are installed must have one certificate with the Default Host option.

View list of certificates

Certificates added to the certificate storage are displayed in the Active certificates table. The table has the following columns:

  • ID — Unique numeric identifier of the certificate in Qrator Labs.
  • Expires — Certificate expiration date. If the certificate has already expired, this field will be highlighted in color.
  • Type — Certificate origin: Loaded or Let's Encrypt.
  • Subject — Domain names for which the certificate is valid, as well as a link to view certificate details.

If a certificate is installed on one or more resources (domains or services), the following additional information will be shown for it:

  • Resources - Links to TLS for managing installed certificates. Links in different lines lead to the settings of different domains or services.
  • Hostname - Information about which domain names this certificate is used for. Each line can be a specific domain name or a default hostname line; see Before you start working with certificates.

Above the table there are filter fields that you can use to find certificates that contain the required values in the Subject, Hostname and Resources fields.

View certificate details

To see brief details about a certificate:

  1. Go to Certificate storage.

  2. Find the line with the certificate whose brief details you want to view and click Show certificate details.

The dialog that appears contains the following fields:

  • ID — the unique numerical identifier for the certificate in the Certificate storage.
  • Type — the origin of the certificate: Upload or Let's Encrypt.
  • Subject — the domain name(s) the certificate is valid for.
  • Not valid before, Not valid after — the start and the end date of the certificate validity period.

The certificate may contain one or several chains. If there is more than one chain, you can switch between the chains using radio buttons with the corresponding encryption algorithm names on them. For each chain the following data is displayed:

  • Private key encryption — the cryptographic algorithm used for the private key.
  • Private key size — the private key size in bytes.
  • SHA-256 Fingerprint, SHA-1 Fingerprint — the public key fingerprints.
  • Certificate chain — the whole chain in PEM format. You can copy the full text with the button.
  • Private key — the private key in PEM format. You can copy the full text with the button. This field is not displayed if the private key is hidden.

To see complete details about a certificate:

  1. Go to Certificate storage.

  2. Find the line with the certificate whose complete details you want to view and click it.

The dialog that appears contains the following fields:

  • ID — the unique numerical identifier for the certificate in the Certificate storage.
  • Type — the origin of the certificate: Upload or Let's Encrypt.
  • Subject — the domain name(s) the certificate is valid for.
  • Resources — the ID and name of a domain or a service for which the certificate is installed. Displayed only for installed certificates.
  • Certificate auto-renewal — shows whether the certificate is renewed automatically or not. Displayed only for Let's Encrypt certificates issued via Personal dashboard.
  • Not valid before, Not valid after — the start and the end date of the certificate validity period.

The certificate may contain one or several chains. If there is more than one chain, you can switch between the chains using radio buttons with the corresponding encryption algorithm names on them. For each chain the following data is displayed:

  • Private key encryption — the cryptographic algorithm used for the private key.
  • Private key size — the private key size in bytes.
  • SHA-256 Fingerprint, SHA-1 Fingerprint — the public key fingerprints.
  • Certificate chain — the whole chain in PEM format. You can copy the full text with the button.
  • Private key — the private key in PEM format. You can copy the full text with the button. This field is not displayed if the private key is hidden.

If a certificate is installed for one or more domains or services, they'll be shown on this page as a list. Next to each domain or service is information showing the domain names the certificate is used for. Each line can be a specific domain name or a Default Host line. Click on the name of the domain or service to manage all certificates installed for it at TLS.

Issue Let's Encrypt certificate

Qrator Labs allows you to issue a new certificate for your domain name directly from your dashboard. This is made possible thanks to Let's Encrypt integration.

  1. Make sure that the domain name is already added in the settings of the service you are going to use it for. Otherwise, Qrator Labs will not be able to prove control over the domain during the Let's Encrypt challenge.

  2. Go to Certificate storage and click Add certificate.

    On the page that opens, select Use Let's Encrypt. Click Next.

  3. Specify information to complete the HTTP-01 challenge validation for Let's Encrypt:

    • Select a domain or service on your account that already has Qrator Labs reverse HTTP proxy or BGP configured,
    • Enter one or more domain names for which a certificate should be issued.

    The reverse proxy on the Qrator Labs side will automatically fulfill the necessary requirements to pass the validation. No additional configuration on your part is required for this.

    Click the Generate Certificate button.

  4. Wait for the Let's Encrypt server to complete checking the request. If the process takes a long time, you can close the tab and return to the process later; see View or delete incomplete actions.

    If the validation fails, you will see a message describing the error. If necessary, contact Qrator Labs technical support to find out the cause of the problem.

  5. Before adding a certificate to the certificate storage, you'll see a confirmation screen where you can view the details about the certificate you're adding.

    Information about chain:

    • Not valid before, Not valid after — Beginning and end of certificate validity period.
    • Chain length — Number of certificates in the chain, not counting the last one.

    Information about each public key:

    • Subject — Information about the certificate scope.
    • Not valid before, Not valid after — Beginning and end of key validity period.
    • SHA-1, SHA-256 — Public key fingerprints.

    To complete the action, click Add to certificate storage.

    Note that adding a certificate does not make it automatically installed and active. See details in Before you start working with certificates.

Upload certificate

Use this method if you've already generated a TLS certificate through some service or by yourself.

  1. Go to Certificate storage and click Add certificate.

    On the page that opens, the Upload certificate tab will be automatically selected.

  2. Specify the files you want to upload. To do this, click the icon and select files from the system dialog box or just drag them to the page.

    The list of files selected for upload will be shown in a special confirmation dialog box. In this box, you can:

    • click Delete to cancel uploading a specific file selected in error,
    • click Delete All to clear the list of files,
    • click to select additional files.

    Make sure that the file set you provide contains both the public keys or their public key chains and their corresponding private keys.

    X.509 certificates in PEM format are supported. Supported container formats are pem, cer, crt, der, p7b, p7c, p12. All or part of the file set can be uploaded as an archive in one of the following formats: tar, tar.gz, tar.bz2, zip, 7z.

  3. Click Upload and wait for the files to be processed. If the process takes a long time, you can close the tab and return to the process at a later time; see View or delete incomplete actions.

  4. If the file set provided contains multiple certificates or multiple possible chains for a single certificate, you will see all available options. (This step is automatically skipped if the file set contains only one certificate and one chain.)

    Select the certificate and chain you want using the Previous and Next links.

    Click Install to go to the next step.

  5. Before adding a certificate to the certificate storage, you'll see a confirmation screen where you can view the details of the certificate you're adding.

    Information about chain:

    • Not valid before, Not valid after — Beginning and end of certificate validity period.
    • Chain length - Number of certificates in the chain, not counting the last one.
    • Self-signed - Shows whether the certificate is self-signed.
    • Trusted CA - Shows whether the chain contains a certificate signed by a trusted CA.

    Information about each public key:

    • Subject — Information about the certificate scope.
    • Not valid before, Not valid after — Beginning and end of key validity period.
    • SHA-1, SHA-256 — Public key fingerprints.

    To complete the action, click Add to certificate storage.

    Note that adding a certificate does not make it automatically installed and active. See details in Before you start working with certificates.

    Note

    If the uploaded file set contains multiple certificates, then after adding one you can close the dialog box and go back to the previous step to add another certificate from the set to the certificate storage.
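
A pre-upload check for the requirement in step 2 that the file set contains each certificate's corresponding private key, as an added example that is not part of the Qrator Labs documentation. It assumes the `openssl` CLI, an unencrypted PEM private key, and a certificate file whose first certificate is the leaf; the function names and file names are hypothetical.

```bash
# Added example: pre-upload check that a PEM private key belongs to a certificate.
# Assumes the openssl CLI and an unencrypted key; all names are hypothetical.

# SHA-256 of the DER public key inside the first certificate of a PEM file.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER public key derived from a private key file.
key_pubkey_digest() {
    openssl pkey -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 = pair is usable, 1 = key mismatch, 2 = unreadable file, 3 = expired.
check_pair() {
    local cert="$1" key="$2" c k
    c=$(cert_pubkey_digest "$cert") || { echo "unreadable certificate: $cert"; return 2; }
    k=$(key_pubkey_digest "$key") || { echo "unreadable private key: $key"; return 2; }
    [ "$c" = "$k" ] || { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 3; }
    echo "ok: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Constructed sample input: a throwaway self-signed certificate and two EC keys.
make_sample() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/good.key" 2>/dev/null &&
    openssl ecparam -genkey -name prime256v1 -noout -out "$1/other.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/good.key" -subj "/CN=example.test" -days 1 \
        -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_pair "$tmp/cert.pem" "$tmp/good.key"
check_pair "$tmp/cert.pem" "$tmp/other.key" || echo "rejected with status $?"
rm -rf "$tmp"
```

Comparing digests of the public key, rather than of the files, works for both RSA and EC keys and is independent of how the PEM files are wrapped or ordered.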

View or delete incomplete actions

There are two kinds of incomplete actions that could occur when adding a certificate:

  • Pending requests.

    When a request to add a certificate has been initiated but has not yet completed the Let's Encrypt server check or Qrator Labs server processing, that request is displayed under the Pending tab. If there are no requests in your account marked as pending, the tab will not be displayed.

  • Processed requests

    When the automatic check is already completed, this request is displayed under the Processed tab. If there are no requests in your account marked as processed, the tab will not be displayed.

To go to an incomplete action:

  1. Go to Certificate storage. Open the Pending or Processed tab.

  2. Click the action you're interested in.

    Then you can continue adding the certificate from the same place where Let's Encrypt server check or Qrator Labs server processing was initiated.

To cancel an action:

  1. Go to Certificate storage. Open the Pending or Processed tab.

  2. Find the action you want to undo and click next to it.

  3. In the confirmation dialog box, click Delete.

Install certificate for a domain or service

As described in Before you start working with certificates, installation requires a certificate already added to the Certificate storage.

To install a certificate:

  1. Go to Certificate storage.

  2. Find the line with the certificate you want to install and click it.

  3. Click Install certificate.

  4. In the dialog box that appears, select Resource - the domain or service on your account for which you want to install the certificate.

    Click Next.

  5. Specify which domain names the certificate should be used for.

    • If the certificate should be used for one or several known domain names, list them in the text area. Add a comma, a whitespace or use a new line after adding each domain name.

    • If you want to add the certificate before specifying any domain name, or add a domain name which doesn't have any other certificates installed for it, enable the Use as default for any hostnames option.

    Press Install.

    Warning

    If a domain or a service has at least one certificate installed for any specific hostname, it should also have a certificate installed for a default hostname.

Enable or disable auto-renewal

Qrator Labs can perform auto-renewal for Let's Encrypt certificates that were issued through the dashboard; see Automatic certificate issuance. This feature is enabled by default for each such certificate.

To disable or re-enable this feature:

  1. Go to Certificate storage.

  2. Find the line with the required Let's Encrypt certificate and click it.

  3. Next to the Certificate auto-renewal field, click Disable auto-renewal or Enable auto-renewal. In the dialog box that appears, confirm your action.

Hide certificate private key

By default, any user included in a group with the Certificate Section policy can view full details of any certificate, including its private key. Depending on who is in your team, this may be undesirable from a security point of view. Therefore, Qrator Labs allows you to permanently hide the contents of a particular certificate's private key from your personal dashboard, without affecting the certificate's functionality.

To hide the contents of a private key from your dashboard:

  1. Go to Certificate storage.

  2. Find the line with the certificate whose private key you want to hide and click it.

  3. Next to the Private key field, click Protect private key. In the dialog box that appears, confirm your action.

Delete certificate

  1. Go to Certificate storage.

  2. Find the line with the certificate you want to delete and click it.

  3. At the top of the page that opens, click Delete.

    If the certificate is installed on domains or services, a message will appear telling you that you cannot delete the certificate. In this case, go to the settings of the respective domains or services and disable the certificate, then start deleting it again.

  4. In the dialog box that appears, confirm the action by clicking Delete.
