Secure Global Desktop Administration Guide > Security > Sharing web server and Secure Global Desktop server certificates

Sharing web server and Secure Global Desktop server certificates

Read this topic to...
Learn how to share an X.509 certificate between a web server and a Secure Global Desktop server on the same host.

How you share an X.509 certificate between a web server and Secure Global Desktop, depends on whether or not you are using the Secure Global Desktop Web Server.

Sharing a Secure Global Desktop server certificate with the Secure Global Desktop Web Server

The configuration file (/opt/tarantella/webserver/apache/apache_version/conf/httpd.conf) for the Secure Global Desktop Web Server is pre-configured to use the same certificates as the Secure Global Desktop server. These are installed in the /opt/tarantella/var/tsp directory. So to share a Secure Global Desktop server certificate with the Secure Global Desktop Web Server:

Obtain and install an X.509 certificate for use with Secure Global Desktop security services.
Enable secure (HTTPS) connections to the Secure Global Desktop Web Server with the tarantella webserver restart --ssl command.
Enable secure connections to the Secure Global Desktop server with the tarantella security start command.

Sharing a certificate for your own web server with a Secure Global Desktop server

If you are using your own web server instead of the Secure Global Desktop Web Server and you want to share its certificate with a Secure Global Desktop server, you have to decrypt the certificate's key and then install it on the Secure Global Desktop server.

Note If your web server doesn't let you access the key or the key was not originally encrypted by a product that uses SSLeay or OpenSSL certificate libraries, you must obtain and install a separate X.509 certificate.

To share a certificate:

Copy the web server certificate and key file to a safe place that can only be accessed by root, for example:

cp /usr/local/apache/certs/boston.indigo-insurance.com.pem /opt/tarantella/var/tsp/
cp /usr/local/apache/certs/boston.indigo-insurance.com.key.pem /opt/tarantella/var/tsp/

Use the tarantella security decryptkey command to decrypt the certificate's key, for example:

tarantella security decryptkey  \
  --enckey /opt/tarantella/var/tsp/boston.indigo-insurance.com.key.pem \
  --deckey /opt/tarantella/var/tsp/boston.indigo-insurance.com.key.out \
  --format PEM

Use the tarantella security certuse command to install the X.509 certificate using the decrypted key file, for example:

tarantella security certuse
  --certfile /opt/tarantella/var/tsp/boston.indigo-insurance.com.pem
  --keyfile /opt/tarantella/var/tsp/boston.indigo-insurance.com.key.out

Enable secure connections to the Secure Global Desktop server with the tarantella security start command.

Profile configuration

Once you enable secure connections to a web server, the URL in the client profile must be re-configured to an HTTPS URL.

Related topics
What are X.509 certificates and why do I need one? Can I use an X.509 certificate for another product with Secure Global Desktop? Securing the SOAP connections to a Secure Global Desktop server