Certificates
Introduction
In this chapter, our primary focus will be on editing or renewing certificates through an ACME service, while also exploring the additional display options in the Certificate Issuance Status.
To access this menu, please follow these steps:
-
Go to the Extras section.
-
Select Certificate Issuance and Certificates.
The Certificate Issuance Status overview displays all issued certificates, including
-
ACME provider details, including the ACME provider URL.
-
The ACME account name is used for issuing the certificate.
-
The common name of the certificate, along with the status of the certification order.
Choose a certificate order and click .
The Certificate order assistant will open.
The input mask labeled Subject identifies the entity for which the certificate is issued. The distinguished name will be generated from the other fields of the Subject mask.
It is important to note that the inclusion of fields other than the common name in the issued certificate depends on the ACME provider's support for Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV). The extent to which these fields are utilized can vary between providers. For more information about ZeroSSL and Let's Encrypt, please refer to their respective documentation or resources.
Click to proceed.
Subject alternative Names
The Subject Alternative Names (SANs) input field allows you to associate various values with a security certificate. You can later add hostnames or IP addresses for which the certificate is valid.
Click to add more hostnames or to modify existing entries.
We will now demonstrate how to add a Subject Alternative Name. To do this, click on .
Enter a subject alternative name.
The used Subject Alternative Names need to point to the machine where the certificate is generated because the ACME provider will send a challenge to those SANs. If even one of them doesn't work, the certificate cannot be issued.
Click on .
The input fields for Subject Alternative Names and Subject will be automatically adjusted by the assistant when input is provided in one of the fields.
Click to continue.
Certificate Renewal Settings
It's important to monitor certificate expiration dates and proactively renew certificates to avoid disruptions in secure communication. anynode provides easy certificate management with automation capabilities for continuous certificate updates. In this input mask you can configure if and when the certificate should be renewed.
The default setting in anynode is automatic certificate renewal 35 days before the certificate expires. You can customize this value, but please be mindful of your ACME provider's rate limits. Additionally, you have the option to disable automatic renewal entirely and manually renew the certificate through the ACME provider, which we will cover in the Renew Certificate chapter.
When the renewal time is reduced, it's possible that the anynode monitor may issue a warning about a certificate expiration for that certificate. You can configure this warning in the monitor settings under Extras > Monitor Settings > Certificates.
Click to proceed.
Key size & signing algorithm
The desired key length of the private key can be chosen. Larger key lengths are generally more secure but may take longer to generate. For signing, the choice of a signature algorithm is essential. For increased security, especially for certificates with a long lifespan or those used in critical applications, key lengths of 3072 bits or higher are recommended. The default value in anynode is 4096 bits.
Selecting a signature algorithm with the hash function SHA-1 increases compatibility with the remote station. However, other hash functions (e.g., SHA-256) are considered more secure. The recommended signature algorithm for a certificate is typically RSA with SHA-256, which is also the default value in anynode.
Please note that some ACME Providers no longer support SHA-1 due to its high vulnerability.
Click to proceed.
Extended Settings
You should use the ACME provider's default root certificate when it meets your trust and security needs. Enforcing an alternate root certificate is typically reserved for situations where you have specific trust, compliance, or control requirements that cannot be met by the default certificate chain. Your choice should align with your organization's security and trust policies.
Click to proceed.
HTTP Challenge
Select a web server connector on which HTTP challenges for the certificate order should be answered. You can also create a new connector or edit existing ones by clicking on the pen icon. For more information, refer to the ACME Challenge Connector chapter.
Click to proceed.
Name
Setting up a name will help you identify this order later in the certificate issuance status. The assistant will set the distinguished name of the certificate's subject to the name by default. In our example, we will accept it.
Click to close the assistant.
Everything configured through the upper anynode menu (web server connectors, backends, certificates) is always applied immediately when you close the window or complete the assistant. A is not required at this point.
Renew Certificate
It's important to monitor certificate expiration dates and proactively renew certificates to avoid disruptions in secure communication. anynode provides easy certificate management with automation capabilities for continuous certificate updates. If you have disabled the automatic renewal of the certificate or you changed the list of SANs, you can perform the renewal manually.
To access this menu, please follow these steps:
-
Go to the Extras section.
-
Select Certificate Issuance and Certificates
By selecting the certificate and clicking Renew Certificate, a modal will appear asking for confirmation.
Certificate renewals are typically subject to ACME provider rate limits. Please refer to the Rate Limits documentation at Let's Encrypt for further information.
Manual renewals are often triggered for testing purposes. In such cases, it is advisable to use the staging server of the respective ACME provider.
Confirm the modal with .
After renewing the certificate, the certificate issuance status should indicate that the order has been completed, the authorization is valid, and the challenge was successful.
Show Certificate
By double-clicking the certificate entry or clicking Show Certificate, you can access more information about the issued certificate.
When migrating your anynode to a new environment, you may need to download and install the certificate on the new environment. Regularly downloading and securely storing your certificates is a good practice for backup and disaster recovery scenarios. This ensures that you have a copy of your certificates in case of unexpected events.
Use the download options, if needed, by selecting or
Click on to get back to the overview.
Order new Certificate
By clicking , you can initiate the process to order a new certificate. The usage of the certificate issuance assistant is explained in the Configure existing Node with ACME and Create HTTPS Connector with ACME chapters.
Remove Certificate
The button deletes only the ordered certificate, not the ACME Services or the ACME Challenge Connector.