10.2. Correctly Creating Certificates

10.2.1. The Computer Name

The name (or IP) entered into the web browser, email program, etc. to access the server must correspond exactly with the computer name (CN) in the certificate. This means that if the Intra2net system is to be accessed e.g. via the computer names intra.net.lan and myintra.dyndns.org, you need 2 different certificates.

The Intra2net system thus allows the configuration of one certificate for the internal interface and another for the Internet interface.

In order for the computer name verification to function consistently, the Intra2net system must be accessible by all clients in the local network under its configured DNS name. Hence, it is important to pay attention to Section 9.4, „Domain and DNS“ and test whether the Intra2net system can be reached by clients in the local network under its full name (including domain).

We advise against storing an IP address as a computer name in the certificate.

10.2.2. Configuration

Open the System > Keys > Own Keys page and create a new key. The name does not matter, but it would be sensible to use the computer name.

At the time of writing, institutions such as the BSI and the German Bundesnetzagentur recommend a key length of 2048 bits and SHA2-256 as a signature algorithm (see algorithm catalogue of the Bundesnetzagentur).

In the field Computer name (CN) enter the computer name (see above). All other fields can either be left blank or filled in as desired.

Once the key has been created, it can be used under System > Web Interface > Security. For SSL Server key (local connections) select the key for connections to the local network. For SSL Server key (Internet connections) select the key for connections to the Internet.