Using trusted server certificates with Acronis Access

This section explains how to configure Acronis Access with trusted server certificates. By default, Acronis Access will use a self-generated SSL certificate. Using a certificate signed by a trusted Certificate Authority will establish the identity of the server and allow browsers to connect without displaying a warning message that the server is untrusted.

Note: Acronis Access ships and installs with self-signed certificates for testing purposes. Production deployments should implement proper CA certificates.

Note: Certain web browsers will display warning messages when using self-signed certificates. Dismissing those messages allows the system to be used without problems. Using self-signed certificates in production environments is not recommended.

Creating a Certificate Request

Note: Creating certificates is not and will never be a function of Acronis Access. This certificate request is in no way necessary for the operation of Acronis Access but it is required by Certificate vendors.

Generating a certificate request via IIS:

For more information on this procedure, please refer to the following Microsoft Knowledge Base article: http://technet.microsoft.com/en-us/library/cc732906(v=ws.10).aspx

Generating a certificate request via OpenSSL:

Note: For this guide you need to have OpenSSL installed.

Note: Contact your preferred certificate vendor for more information or help with this procedure.

To generate a private key and a Certificate Signing Request (CSR) for the web server "AAServer":

  1. Open an elevated command prompt and enter the following command:

openssl req -new -nodes -keyout myserver.key -out AAServer.csr -newkey rsa:2048

This creates two files. The file myserver.key contains the private key; do not disclose this file to anyone. Be sure to back up the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR), which is written to AAServer.csr.

Note: If you receive the error "WARNING: can't open config file: /usr/local/ssl/openssl.cnf", run the following command, changing the path to match where you installed OpenSSL:

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

After you have completed this procedure, attempt step 1 again.

  2. You will now be prompted for the details to include in your CSR. Use the name of the web server as Common Name (CN). If the domain name is mydomain.com, append the domain to the hostname (use the fully qualified domain name).
  3. The fields email address, optional company name and challenge password can be left blank for a web server certificate.
  4. Your CSR has now been created. Open AAServer.csr in a text editor and copy and paste the contents into the online enrollment form when requested by the certificate vendor.

Installing your certificate to your Windows certificate store

Requirements

The certificate you are using must contain its private key. The certificate file must be in either the .PFX or .P12 format.
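The following added example (not part of the Acronis documentation) connects the OpenSSL procedure above to this requirement: it checks the CSR before submission, confirms that the certificate returned by the vendor belongs to myserver.key, and only then bundles both into a .pfx. It is written as POSIX shell functions (the openssl arguments are the same at a Windows command prompt); the function names, AAServer.crt and the PFX_PASS variable are assumptions, and make_sample builds constructed test files with a self-signed stand-in for the vendor's certificate.

```shell
#!/bin/sh
# Added example, not Acronis code. myserver.key and AAServer.csr are the page's
# file names; the function names, AAServer.crt and PFX_PASS are assumptions.

# Print the public key (PEM) held in a private key, CSR or certificate.
pubkey_of() {  # usage: pubkey_of key|csr|cert FILE
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeed only when both files carry the same, non-empty public key.
same_key() {  # usage: same_key KIND1 FILE1 KIND2 FILE2
    a=$(pubkey_of "$1" "$2"); b=$(pubkey_of "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check the CSR's self-signature, then print its subject for review
# before pasting the CSR into the vendor's enrollment form.
csr_check() {  # usage: csr_check CSR
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl req -in "$1" -noout -subject
}

# Build the .pfx the import wizard expects; refuse a certificate that was
# not issued for this private key. The export password is read from the
# PFX_PASS environment variable so it does not appear on the command line.
make_pfx() {  # usage: make_pfx KEY CERT OUT.pfx
    same_key key "$1" cert "$2" || {
        echo "certificate does not match private key" >&2
        return 1
    }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Constructed sample so the checks run offline: the page's req command made
# non-interactive with -subj, plus a self-signed stand-in for the CA's reply.
make_sample() {  # usage: make_sample DIR
    openssl req -new -nodes -keyout "$1/myserver.key" -out "$1/AAServer.csr" \
        -newkey rsa:2048 -subj "/CN=AAServer.mydomain.com" 2>/dev/null &&
    openssl x509 -req -in "$1/AAServer.csr" -signkey "$1/myserver.key" \
        -days 1 -out "$1/AAServer.crt" 2>/dev/null
}
```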

Installing your certificate to your Windows certificate store

  1. On the server, click Start, and then click Run.
  2. In the Open box, type mmc, and then click OK.
  3. On the File menu click Add/Remove snap-in.
  4. In the Add/Remove Snap-in dialog box, click Add.
  5. In the Add Standalone Snap-in dialog box, click Certificates, and then click Add.
  6. In the Certificates snap-in dialog box, click Computer account (this is not selected by default), and then click Next.
  7. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
  8. In the Add Standalone Snap-in dialog box, click Close.
  9. In the Add/Remove Snap-in dialog box, click OK.
  10. In the left pane of the console, double-click Certificates (Local Computer).
  11. Right-click Personal, point to All Tasks, and then click Import.
  12. On the Welcome to the Certificate Import Wizard page, click Next.
  13. On the File to Import page, click Browse, locate your certificate file, and then click Next.

    Note: If you are importing a PFX file, you will need to change the file filter to “Personal Information Exchange (*.pfx, *.p12)” to display it.

  14. If the certificate has a password, type the password on the Password page, and then click Next.
  15. Check the following boxes:
    1. Mark this key as exportable
    2. Include all extended properties
  16. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  17. Click Finish, and then click OK to confirm that the import was successful.

All of the certificates successfully installed in the Windows Certificate Store will be available when using the Acronis Access Configuration Utility.

Configure Acronis Access to use your certificate

After you've successfully installed your certificate to your certificate store, you have to configure Acronis Access to use that certificate.

  1. Launch the Acronis Access Configuration Utility.

    Note: Located in C:\Program Files (x86)\Acronis\Access\Configuration Utility by default.

  2. Select your certificate from the Certificate selector on the Gateway Server and Access Server tabs.
  3. Click Apply.

The web services will restart and after about a minute they should be running with your certificate.

Using Intermediate certificates

If the Certificate Authority has issued you an Intermediate certificate along with your certificate, it must also be added to the Acronis Access Server through the Configuration Utility.

  1. Open the Configuration Utility and go to the Acronis Access Server tab.
  2. On the Certificate field select your certificate using the browse (...) button.
  3. On the Chain Certificate field, select your intermediate certificate using the plus (+) button.
  4. Press Apply or OK.

Note: This will restart the Acronis Access Tomcat service.