
Certificates

Introduction

In this chapter, our primary focus will be on editing or renewing certificates through an ACME service, while also exploring the additional display options in the Certificate Issuance Status.

To access this menu, please follow these steps:

  • Go to the Extras section.

  • Select Certificate Issuance and Certificates.

Screenshot: anynode frontend with extras menu and access to the certificate issuance status via certificate issuance and certificates.

The Certificate Issuance Status overview lists every certificate order, including

  • The ACME provider, including the ACME provider URL.

  • The ACME account used to issue the certificate.

  • The common name of the certificate, along with the status of the certificate order.

Choose a certificate order and click Edit.

Screenshot: anynode certificate issuance status overview with certificate order from Let's Encrypt and ZeroSSL.

The Certificate order assistant will open.

The input mask labeled Subject identifies the entity for which the certificate is issued. The distinguished name will be generated from the other fields of the Subject mask.

Note that whether fields other than the common name appear in the issued certificate depends on the ACME provider and on the validation level it offers: Domain Validation (DV), Organization Validation (OV) or Extended Validation (EV). Public ACME providers such as Let's Encrypt issue DV certificates, which attest only control of the names in the order, so organization, locality or country fields entered here may be dropped from the issued certificate. Refer to the ZeroSSL and Let's Encrypt documentation for the fields each provider honours.

Click Next to proceed.

Screenshot: anynode certificate order assistant with certificate subject settings.

Subject Alternative Names

The Subject Alternative Names (SANs) field lists the hostnames (and, where the provider supports them, IP addresses) for which the certificate is valid. A TLS client compares the name it connected to with this list, and many clients no longer accept a name that appears only in the common name, so every hostname a peer uses to reach anynode must be listed here. Entries can be added later as well.

Click Add to add more hostnames or Edit to modify existing entries.

We will now demonstrate how to add a Subject Alternative Name. To do this, click on Add.

Screenshot: anynode certificate order assistant with certificate subject settings.

Enter a subject alternative name.

Every Subject Alternative Name must resolve in public DNS to the machine on which the order is executed: with the HTTP challenge, the ACME provider resolves each name and connects to it on TCP port 80 to fetch the challenge response. An order is authorized name by name, so if even one name fails its challenge (no DNS record, a stale record pointing at another host, port 80 not reachable), the certificate is not issued.

Click on Ok.

The input fields for Subject Alternative Names and Subject will be automatically adjusted by the assistant when input is provided in one of the fields.

Click Next to continue.

Screenshot: anynode certificate order assistant with input field for a subject alternative name.
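Before you click Finish, it pays to check the SAN list the way the provider will: each name must resolve to this host on every address it publishes, wildcards cannot be validated with the HTTP challenge, and port 80 must answer. The script below is an added example written for this page, not part of anynode; it assumes a Linux host with getent, ip and curl, runs on the anynode machine itself, and uses sbc.example.com and sip.example.com as placeholder names. The resolver and local-address lookups are hooks (SAN_RESOLVE, SAN_LOCAL) so the decision logic can also be exercised with constructed data.

```shell
#!/usr/bin/env bash
# Pre-flight check for the Subject Alternative Names of an anynode certificate
# order that is validated with the HTTP challenge. Added example, not part of
# anynode; assumes Linux (getent, ip, curl) and that it runs on the anynode host.
set -eu

# Resolver and local-address hooks, overridable (SAN_RESOLVE=..., SAN_LOCAL=...)
# so the decision logic can be exercised without network access.
SAN_RESOLVE=${SAN_RESOLVE:-resolve_name}
SAN_LOCAL=${SAN_LOCAL:-local_addresses}

# All A/AAAA addresses of NAME, one per line, via the system resolver. If this
# host has /etc/hosts overrides or split-horizon DNS, the provider's public view
# may differ; cross-check with a public resolver (e.g. dig @1.1.1.1 NAME).
resolve_name() {
  getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Addresses configured on this host, IPv4 and IPv6, without prefix length.
local_addresses() {
  ip -o addr show | awk '{print $4}' | cut -d/ -f1 | sort -u
}

# check_san NAME -> 0 if NAME can be validated from this host with HTTP-01.
# Every address the name resolves to must belong to this host: a stale AAAA
# record pointing at another machine is a classic cause of a failed challenge.
check_san() {
  local san=$1 addrs mine a
  case "$san" in
    "")   echo "FAIL: empty name"; return 1 ;;
    \*.*) echo "FAIL $san: wildcard names cannot be validated with HTTP-01 (DNS-01 only)"; return 1 ;;
    *[!A-Za-z0-9.:-]*)
          echo "FAIL $san: contains characters that are not valid in a DNS name"; return 1 ;;
  esac
  addrs=$("$SAN_RESOLVE" "$san" || true)
  if [ -z "$addrs" ]; then
    echo "FAIL $san: does not resolve, the provider cannot reach it"; return 1
  fi
  mine=$("$SAN_LOCAL")
  for a in $addrs; do
    if ! printf '%s\n' "$mine" | grep -qxF -- "$a"; then
      echo "FAIL $san: resolves to $a, which is not an address of this host"; return 1
    fi
  done
  echo "OK   $san -> $(printf '%s' "$addrs" | tr '\n' ' ')"
}

# check_sans NAME... -> 0 only if every name passes. One failed authorization
# fails the whole order, which is exactly what the provider does.
check_sans() {
  local rc=0 s
  for s in "$@"; do check_san "$s" || rc=1; done
  return $rc
}

# Live probe for one name: the provider must reach TCP port 80 from the
# internet. Any HTTP status (404 included) proves the path to the ACME challenge
# connector is open; a connect error or timeout (curl reports 000) does not.
probe_http() {
  local code
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' \
    "http://$1/.well-known/acme-challenge/preflight-$$" || true)
  case "$code" in
    000|"") echo "FAIL $1: no HTTP answer on port 80"; return 1 ;;
    *)      echo "OK   $1: port 80 answered (HTTP $code)" ;;
  esac
}

# Usage: ./san-preflight.sh sbc.example.com sip.example.com
if [ $# -gt 0 ]; then
  check_sans "$@"
fi
```

Run it with the exact list you entered in the assistant; then run probe_http for each name from a machine outside your network, because the provider connects from the internet, not from your LAN.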

Certificate Renewal Settings

It's important to monitor certificate expiration dates and proactively renew certificates to avoid disruptions in secure communication. anynode provides easy certificate management with automation capabilities for continuous certificate updates. In this input mask you can configure if and when the certificate should be renewed.

The default setting in anynode is automatic renewal 35 days before the certificate expires. You can change this value, but keep your ACME provider's rate limits in mind: Let's Encrypt, for example, issues only a limited number of duplicate certificates (the same set of names) per week, so repeated re-issuance within a short time can exhaust the limit. You can also disable automatic renewal entirely and renew the certificate manually through the ACME provider, which is covered in the Renew Certificate chapter.

If the renewal lead time is set lower than the expiry warning threshold of the anynode monitor, the monitor will report an impending certificate expiration before the renewal runs. Adjust the warning threshold under Extras > Monitor Settings > Certificates so that the two values agree.

Click Next to proceed.

Screenshot: anynode certificate order assistant with certificate renewal configuration.

Key size & signing algorithm

Choose the length of the private key that anynode generates for this order. Longer keys are harder to factor but take longer to generate, and every TLS handshake with the certificate costs more CPU. For certificates with a long lifespan or those used in critical applications, key lengths of 3072 bits or more are recommended; the default value in anynode is 4096 bits.

In an ACME order the client signs only the certificate signing request (CSR) with this key, so the hash chosen here applies to the CSR; the issued certificate carries the signature algorithm the ACME provider uses. SHA-1 is offered purely for compatibility with legacy remote stations: practical collision attacks against it have been demonstrated, and the recommended choice, which is also the default in anynode, is RSA with SHA-256.

Note that some ACME providers, Let's Encrypt among them, reject requests signed with SHA-1.

Click Next to proceed.

Screenshot: anynode certificate order assistant with choice of key size and signing algorithm.

Extended Settings

Use the ACME provider's default certificate chain unless you have a specific reason not to. Some providers offer an alternate chain that ends in a different root (Let's Encrypt, for example, publishes alternate chains for its intermediates); enforcing one is only appropriate when your peers, compliance rules or trust-store policy require that particular root, and you have confirmed that the remote stations actually trust it. Your choice should align with your organization's security and trust policies.

Click Next to proceed.

Screenshot: anynode certificate order assistant with extended settings for order execution.

HTTP Challenge

Select the web server connector on which HTTP challenges for this certificate order are answered. HTTP-01 challenges are always delivered to TCP port 80 of each name in the order, so this connector (or a reverse proxy in front of it) must be reachable on port 80 from the internet. You can also create a new connector or edit an existing one by clicking the pen icon. For more information, refer to the ACME Challenge Connector chapter.

Click Next to proceed.

Screenshot: anynode certificate order assistant with preparations for the HTTP challenge.

Name

Setting up a name will help you identify this order later in the certificate issuance status. The assistant will set the distinguished name of the certificate's subject to the name by default. In our example, we will accept it.

Click Finish to close the assistant.

Everything configured through the upper anynode menu (web server connectors, backends, certificates) is always applied immediately when you close the window or complete the assistant. A Commit is not required at this point.

Screenshot: anynode certificate order assistant with name setting to identify the order.

Renew Certificate

It's important to monitor certificate expiration dates and proactively renew certificates to avoid disruptions in secure communication. anynode provides easy certificate management with automation capabilities for continuous certificate updates. If you have disabled the automatic renewal of the certificate or you changed the list of SANs, you can perform the renewal manually.

To access this menu, please follow these steps:

  • Go to the Extras section.

  • Select Certificate Issuance and Certificates.

By selecting the certificate and clicking Renew Certificate, a modal will appear asking for confirmation.

Certificate renewals are typically subject to ACME provider rate limits. Please refer to the Rate Limits documentation at Let's Encrypt for further information.

Manual renewals are often triggered for testing purposes. In that case, use the staging server of the respective ACME provider: it has far more generous rate limits, but its certificates chain to a root that is not publicly trusted, so do not use them against productive peers.

Confirm the modal with Yes.

Screenshot: anynode certificate issuance status with renew certificate function.

After renewing the certificate, the certificate issuance status should indicate that the order has been completed, the authorization is valid, and the challenge was successful.

Screenshot: anynode certificate issuance status with successful certificate renewal.

Show Certificate

By double-clicking the certificate entry or clicking Show Certificate, you can access more information about the issued certificate.

When migrating anynode to a new environment, you may need to download the certificate and install it there. Downloading and securely storing your certificates regularly is good practice for backup and disaster recovery, so that you have a copy in case of unexpected events. Keep in mind that a certificate can only be used for TLS together with its private key; if the downloaded file contains the key, protect it like any other secret.

Use the download options, if needed, by selecting Download (PEM) or Download (DER).

Click on Close to get back to the overview.

Screenshot: anynode certificate issuance status with details and download function.
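A file exported with Download (PEM) is also the quickest way to verify what the assistant actually produced: the key size and signature algorithm from the Key size & signing algorithm step, the SAN list, and whether the certificate is already inside the renewal window from the Certificate Renewal Settings step. The script below is an added example written for this page, not part of anynode; it assumes OpenSSL 1.1.1 or newer. When called without arguments it generates a constructed, self-signed test certificate (2048-bit RSA, SHA-256, 60 days, placeholder names sbc.example.com and sip.example.com) so it can be exercised offline; give it the path of a downloaded PEM file to inspect a real one.

```shell
#!/usr/bin/env bash
# Inspect a certificate exported from anynode with Download (PEM): key size,
# signature algorithm, SANs and whether the renewal window has been reached.
# Added example, not part of anynode. Assumes OpenSSL 1.1.1 or newer.
set -eu

# Public key length in bits (RSA or EC).
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm of the certificate. For an ACME-issued certificate this
# is what the CA signed with, not the hash chosen for the CSR in the assistant.
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/^ *Signature Algorithm: //p' | sort -u
}

# Subject Alternative Names, one entry per line (e.g. DNS:sbc.example.com).
san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tail -n +2 | tr -d ' ' | tr ',' '\n'
}

# needs_renewal CERT DAYS -> 0 (true) when the certificate expires within DAYS,
# i.e. anynode's renewal window (default 35 days) has been reached.
# openssl -checkend exits 0 when the certificate does NOT expire in that time.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

# 0 when the key is at least 3072 bits and the signature does not use SHA-1,
# the recommendation given in the Key size & signing algorithm step.
meets_policy() {
  local bits alg
  bits=$(key_bits "$1"); alg=$(sig_alg "$1")
  [ "${bits:-0}" -ge 3072 ] || return 1
  case "$alg" in *sha1*|*SHA1*) return 1 ;; esac
  return 0
}

# report CERT [WINDOW] -> human-readable summary; WINDOW defaults to 35 days.
report() {
  local cert=$1 window=${2:-35}
  echo "certificate : $cert"
  echo "key size    : $(key_bits "$cert") bit"
  echo "signature   : $(sig_alg "$cert")"
  echo "SANs        : $(san_list "$cert" | tr '\n' ' ')"
  if needs_renewal "$cert" "$window"; then
    echo "renewal     : due, expires within $window days"
  else
    echo "renewal     : not yet due, more than $window days left"
  fi
  if meets_policy "$cert"; then
    echo "policy      : OK (>= 3072-bit key, no SHA-1)"
  else
    echo "policy      : below recommendation (key < 3072 bit or SHA-1 signature)"
  fi
}

# Constructed self-signed test certificate (NOT an ACME-issued one) so the
# script can be exercised offline: 2048-bit RSA, SHA-256, 60 days, two SANs.
make_test_cert() {   # make_test_cert OUT.pem
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 60 \
    -subj "/CN=sbc.example.com" \
    -addext "subjectAltName=DNS:sbc.example.com,DNS:sip.example.com" \
    -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Usage: ./cert-report.sh downloaded.pem [window-days]
if [ $# -gt 0 ]; then
  report "$@"
else
  tmp=$(mktemp -d)
  make_test_cert "$tmp/test.pem"
  report "$tmp/test.pem"
  rm -rf "$tmp"
fi
```

Pass the same renewal lead time you configured in the assistant as the second argument; if the report says the renewal is due but the Certificate Issuance Status still shows the old order, the automatic renewal has not run and a manual Renew Certificate is in order.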

Order new Certificate

By clicking Add, you can initiate the process to order a new certificate. The usage of the certificate issuance assistant is explained in the Configure existing Node with ACME and Create HTTPS Connector with ACME chapters.

Remove Certificate

The Remove button deletes only the ordered certificate, not the ACME Services or the ACME Challenge Connector.