Add Trust with a Certificate Authority (CA)
In general, it is preferable to use a certificate that has been signed by a globally trusted root Certificate Authority (CA). Many CAs are trusted by all major browsers and operating systems and can be used to sign certificates for use with an HTTPS server.
If the system architecture makes using a globally trusted CA impractical, it is still possible to set up client browsers and operating systems to trust a self-signed certificate, so that no security errors or warnings are shown to end users.
One way is to simply add the certificate to the trust store of the client browser or operating system; however, this would need to be done for each certificate generated. A better approach is to create your own root Certificate Authority and use it to sign each server certificate.
To do this, the server certificate needs to be signed with your own Certificate Authority (CA) certificate and key, and the clients (browsers, operating systems) need to be told to trust the CA certificate. The instructions for adding a CA to a client vary by operating system and browser.
Create a Certificate Authority
There are many ways to create CA certificates; however, the OpenSSL toolkit is one of the easiest and most comprehensive. As the name suggests, OpenSSL is an open source toolkit for SSL/TLS; see the official website for details. You will need to download and install the OpenSSL build that suits your environment.
To create a CA there are two steps:
- Generate new key and certificate request.
- Self-sign the request to generate a CA certificate.
1. Generate new key and certificate request
This can be done in multiple steps, or generated from an existing key file, but for simplicity a new key and a new request can be generated in one command. The example below creates a request for a company named 'My Company'; change this to something appropriate for your organisation. Note that -nodes writes the CA private key to disk without a passphrase, so protect the resulting .key file accordingly:
- openssl req -new -sha256 -nodes -newkey rsa:4096 -subj '/O=My Company/CN=My Company Internal CA' -keyout MyCompanyCA.key -out MyCompanyCA.csr
2. Self-sign the request to generate a CA certificate
This step self-signs the CA certificate request and makes the CA valid for 1 year (-days 365). Change 'MyCompany' to match the key and CSR generated in the previous step:
- openssl x509 -req -sha256 -in MyCompanyCA.csr -signkey MyCompanyCA.key -days 365 -out MyCompanyCA.crt
Create a server certificate and use the CA to sign it
Now that MyCompanyCA.crt has been generated, it can be used to sign your own certificates for a cloud server or WebEA.
First, as for Self-Signed SSL Certificates, create a new certificate request. The following example creates a new key and certificate request for a server named 'cloud.mycompany.com':
- openssl req -new -nodes -newkey rsa:4096 -subj '/CN=cloud.mycompany.com' -keyout cloud.mycompany.com.key -out cloud.mycompany.com.csr
Sign the new certificate request with the CA:
- openssl x509 -req -CA MyCompanyCA.crt -CAkey MyCompanyCA.key -CAcreateserial -sha256 -days 365 -in cloud.mycompany.com.csr -out cloud.mycompany.com.crt
The final step for use with a Pro Cloud Server is to concatenate the key and certificate into a 'server.pem' file:
- Windows: copy /b cloud.mycompany.com.crt+cloud.mycompany.com.key server.pem
- Linux: cat cloud.mycompany.com.crt cloud.mycompany.com.key > server.pem
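The CA and server certificate steps above, collected into one script as an added example (not code from the original page or from the Pro Cloud Server product). It adds two things a practitioner needs in practice: the CA certificate is marked basicConstraints CA:TRUE, and the server certificate carries a subjectAltName, which modern browsers require in addition to the CN. It then verifies the resulting chain with openssl verify. The output directory argument and the 2048-bit key size (chosen only to keep the run fast; the page uses rsa:4096) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: the CA and server certificate
# steps above as one script, with two additions a practitioner needs in practice:
# the CA certificate is marked basicConstraints CA:TRUE, and the server
# certificate carries a subjectAltName (modern browsers ignore the CN alone).
# 2048-bit keys are used here only to keep the run fast; the page uses rsa:4096.
set -eu

# make_pki DIR HOST: writes MyCompanyCA.{key,crt}, HOST.{key,crt} and server.pem into DIR
make_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"
  # Step 1: CA key and certificate request (-nodes = key is not passphrase-protected).
  openssl req -new -sha256 -nodes -newkey rsa:2048 \
    -subj '/O=My Company/CN=My Company Internal CA' \
    -keyout "$dir/MyCompanyCA.key" -out "$dir/MyCompanyCA.csr" 2>/dev/null
  # Step 2: self-sign it; the -extfile adds the CA extensions the page's command omits.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/MyCompanyCA.csr" \
    -signkey "$dir/MyCompanyCA.key" -extfile "$dir/ca.ext" -out "$dir/MyCompanyCA.crt" 2>/dev/null
  # Server request, then sign it with the CA; the SAN must name the host clients connect to.
  openssl req -new -sha256 -nodes -newkey rsa:2048 -subj "/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" >"$dir/srv.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
    -CA "$dir/MyCompanyCA.crt" -CAkey "$dir/MyCompanyCA.key" -CAcreateserial \
    -extfile "$dir/srv.ext" -out "$dir/$host.crt" 2>/dev/null
  # Pro Cloud Server expects the certificate followed by the key in one server.pem.
  cat "$dir/$host.crt" "$dir/$host.key" >"$dir/server.pem"
}

# verify_chain DIR HOST: succeeds only if HOST.crt chains to MyCompanyCA.crt and
# names HOST in its subjectAltName, i.e. the checks a client that trusts the CA makes.
verify_chain() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/MyCompanyCA.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Stand-alone use: sh this_script.sh ./pki  (the directory name is an assumption)
if [ "${1:-}" ]; then
  make_pki "$1" cloud.mycompany.com
  verify_chain "$1" cloud.mycompany.com && echo "server.pem chains to MyCompanyCA.crt"
fi
```

Running openssl verify against the CA file before deploying server.pem catches a mismatched key/CSR pair or a missing SAN long before a browser reports a certificate error.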
Allow clients to trust the root CA
The client operating system or browser now needs to have the CA certificate added to its list of trusted CAs. The instructions vary by operating system and browser, but those for a few major clients are listed below. For all these steps the 'certificate' referred to is the 'MyCompanyCA.crt' generated in Step 2 above:
Client (Operating System, Browser) | Instructions
---|---
Microsoft Windows | Right click the CA certificate file and select 'Install Certificate'. Follow the prompts to add the certificate to the trust store either for the current user only or for all users of the computer.
Linux - Ubuntu | Copy the CA certificate to /usr/local/share/ca-certificates, e.g. `sudo cp MyCompanyCA.crt /usr/local/share/ca-certificates/`, then update the trust store with `sudo update-ca-certificates`. The output should show something similar to 'Adding debian:~/MyCompanyCA.pem'. If using Wine then close all Wine programs and restart Wine. See Ubuntu Help for more information.
Firefox | Firefox does not use the operating system's trust store, so the CA needs to be added manually. If the certificate has a '.pem' extension, the simplest way is to drag-and-drop the CA certificate file onto Firefox; a prompt will ask whether to trust the certificate. Otherwise, manually add certificates and manage added certificates through Firefox's Privacy & Security preferences. More information can be found on the Firefox wiki.
Chrome/Chromium | Chrome and Chromium do not use the operating system trust store, so the CA needs to be added manually. Open Settings > Advanced > Manage Certificates > Authorities, and select Import.
Internet Explorer | Internet Explorer uses the Windows trust store, so adding the certificate to Windows (see above) is sufficient to add trust to the browser as well.
WebEA | WebEA uses PHP/curl to communicate with a Pro Cloud model. If the connection between PHP and the Pro Cloud uses HTTPS, then the CA can be added to PHP's configuration to allow it to trust the certificate.