GroupWise Certificate Guide

Within the GroupWise product family there are numerous requirements and configurations in order to secure the components with Certificates. Most of the services, by default, use self-signed certificates. This is no longer a recommended practice, and it is generally more desirable to use certificates from trusted 3rd party certificate vendors. Across the GroupWise product line there are many different configurations and controls for the certificate implementation. Depending on the service, the implementation will vary. And in many cases, the format and file requirements for the certificates may vary by service. This guide covers how to implement 3rd party SSL certificates across the various products and services related to GroupWise.

GroupWise Web (GWWEB) SSL Certificates

Certificate Format

From the certificate vendor, you typically choose "Apache" format. This typically provides a file with the extension .crt. They also provide their own chain certificates as well in the same format.

Required Files

Requires two files, the Certificate and the Private Key file.

Certificate file: server.crt
Key file: server.key

Note: For GWWEB, the actual names as listed above are required. They are not sample names or placeholders.

Key File Password Status

Key file should NOT have a password.

Command Line to run GWWEB and load SSL certificates:

docker run -d --rm -v /opt/novell/gw:/etc/nginx/gw --name gwweb -e FQDN=webacc.acme.com -e DNS_SERVER=192.168.1.5 -p 80:80 -p 443:443 -v /opt/novell/gw/certs:/certs mfgroupwise/web:latest

For a more detailed discussion about GWWEB, refer to my GWWEB guide here.

Required Files

You must have 2 files in the /opt/novell/gw/certs folder:

/opt/novell/gw/certs/server.crt
- Obtained from the certificate vendor, it could be named a number of things.
- Copy the certificate file to /opt/novell/gw/certs and rename to server.crt.
/opt/novell/gw/certs/server.key
- This file was created when you created the Certificate Signing Request, or CSR.
- Copy the key file to /opt/novell/gw/certs and rename to server.key.

Intermediate CA Cert (Incomplete Certificate Chain)

Your certificate chain will most likely be incomplete because there is no directive in the command line to load an Intermediate or Chain certificate. To overcome this obstacle, you concatenate the certificate file and the intermediate certificate file into the same server.crt certificate. The following command will accomplish this task:

cat My_CA_Bundle.ca-bundle >> /opt/novell/gw/certs/server.crt

Note: Substitute the actual intermediate or chain certificate from your commercial certificate provider in place of the bundle file listed in the syntax.