MiCollab web server certificate and internal PKI

[jdfoxmicro]

Hello,

We have a network with all hard-wired, domain-joined computers.  Users connect to the MiCollab web server with their browsers.  With MAS 2.1, I was able to generate a CSR in the web configuration interface, use that to get a certificate from our internal CA, and then upload the certificate. All the domain computers automatically trust certificates issued by our internal CA, so this worked well for us.

We upgraded to MiCollab 8.0 a few months ago.  The certificate stayed in place.  Now it's time to renew, but I can't. I generated the CSR, got the certificate from my CA, and then tried uploading the Certificate (under Security, Web Server in the menu). MiCollab says I have to include an Intermediate certificate.  We don't have one.  We have a very simple PKI; it's a Windows enterprise root CA that we use to sign certificates directly.  It's secure enough, and we use it for convenience to avoid errors without having to pay for certificates. So, I tried uploading the root CA certificate as the Intermediate, but it says "An invalid intermediate web server certificate file was provided on the certificate installation form."

I don't see anywhere to upload a trusted root CA, or any other options.  I'm stuck.

People have said in other threads that you have to use a known third-party CA if you don't use self-signed.  Is that correct?  Does MiCollab insist on trusting the CA that I choose to have my client computers trust?  If so, that would be a bad design decision, because it's irrelevant, and prevents me from using a free certificate from my own PKI.  If not, does anyone have a suggestion how to get around this?  I don't want to dig into MSL if I don't have to.  I suppose I could use self-signed and push it to all the workstations as trusted via Group Policies, but that's not an elegant solution.

Thank you.

[dilkie]

you ran into the PCI compliance work... they don't accept private certificate authorities for security audits.

However, all is not lost. You *can* add your root ca certificate to msl's trust store and then you'll be able to import a server certificate signed by that root.

The UI for this is available in msl 10.6/mbg 10.1 but likely you aren't there so you'll have to do it manually.

I don't have the procedure handy but you can call mitel support and they will give it to you.

[VinceWhirlwind]

I was at a complete impasse on resolving this with one customer's Windows admin until they handed the problem over to a different Windows admin who managed to figure out how to do it.
This video helped me improve my understanding of the process from about 1% to about 20%:
https://www.youtube.com/watch?v=driCePBlXvo
 
Despite that, the whole certificate thing remains mostly a mystery to me, I'm just glad the Windows guy figured it out.

[jdfoxmicro]

dilkie, thanks for validating my suspicion.  It would be nice if they had a simple option for it not to evaluate the trust of the certificate you're uploading, even with a warning, if they want, that it might invalidate compliance standards.

VinceWhirlwind, thanks for the video, but to be clear, this is about a different issue, and that is how to constructed an intermediate certificate that is signed by a trusted public CA.

[lowradiation]

MiCollab 8.0 has the Let's Encrypt service built-in now.
Have you tried using it?

[Dogbreath]

+1 for LE cert, I had this deployed in less than 5 minutes.

[jdfoxmicro]

MiCollab 8.0 has the Let's Encrypt service built-in now.
Have you tried using it?

Yes, I tried Let's Encrypt.  It failed the challenge, because my MiCollab isn't accessible via the Internet.

[jdfoxmicro]

Thank you, everyone, for your input.

I logged into to the SSH shell as root and appended our internal root CA certificate to /etc/pki/tls/certs/ca-bundle.crt.  I tried the certificate installation again in the web interface, and it worked.