
Wildcard SSL Certificate Installation

Barracuda SPAM Firewall


Chad Markley

11/04/2010

Contents
Using OpenSSL to Extract PFX Contents and Cuda Cert Installation
Barracuda KB Article

Using OpenSSL to Extract PFX Contents and Cuda Cert Installation
(Portions of text used from this post @ Cycure)

PFX: PFX defines a file format commonly used to store a private key with its accompanying public key
certificates, protected with a password-based symmetric key (the PKCS #12 standard).

PEM: OpenSSL uses PEM (Privacy Enhanced Mail Certificate) to store the private key.
If you have OpenSSL installed, go to the command prompt and run the following commands. (If not, download it
from openssl; you can either download a binary or download the source and compile it.)

You MUST complete all steps!

1. Download and install OpenSSL for Windows
   o Download and install the C++ Client for Windows
   o Download the “full installer” for Windows (Current version 1.0.0a)

2. You should have the PFX file that you extracted from the IIS server you created it on. Put the PFX
file in the \bin subdirectory under the OpenSSL install directory.

3. Extract the private key from the PFX file and write it to a PEM file
openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

4. Extract the certificate file (the signed public key) from the PFX file
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

5. Remove the password from the private key file. (This is required because the private key was
protected with a password when it was exported.)
openssl.exe rsa -in privateKey.pem -out private.pem

6. Log into your Barracuda and access Advanced > Secure Administration

7. Change the “SSL Certificate Configuration” to “Trusted”


8. Browse to the “public” PEM file you exported and add it to the first box. Then browse to the
“private” PEM file you created via the process in step 5 and add it to the second box.

9. Then select “Upload Certificate Information”


Barracuda KB Article

Scope:
This solution applies to all Barracuda Networks products, all firmware versions.

Answer:
Wildcard certificates are domain-level certificates. A regular SSL certificate will be limited to a specific
hostname, but a wildcard certificate works for every hostname within a domain (which is why it's called a
wildcard certificate). These can be distinguished from regular certificates by looking at the hostname on
the certificate. If the hostname begins with an asterisk, the certificate is a wildcard certificate.

In order to upload a wildcard certificate to the Barracuda unit, you will first need to upload a copy of the
private key that is associated with the wildcard certificate. The Barracuda unit will otherwise reject the
certificate as invalid. If the certificate is being pulled from a Windows workstation or server, the private key
and certificate may be combined into a single PFX file, in which case they need to be extracted. You can
do this using the OpenSSL utility, but if you are unable to, you can call Barracuda Networks Technical Support
for assistance.

Once you have both the certificate and the private key in the X.509 format (each in their own file), you can
upload them in one of two ways.
1. The first and easiest way is to go to the Advanced > SSL or Advanced > Secure
Administration page, and first upload the RSA private key using the Upload Backup SSL
Private Key field. Then, once that has been uploaded, upload the certificate using the Upload
Signed Certificate field. To begin using the certificate and key you've uploaded, select Trusted
(Signed by a trusted CA) as the Certificate Type after uploading the certificate, and click
Save Changes.
2. The alternate method is to open a new text file and paste both the certificate and the RSA private
key into that file, RSA private key first, and upload that file. The file should look like this when you
are finished:
-----BEGIN RSA PRIVATE KEY-----
(the private key, several lines of indecipherable text with no spaces)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(the signed certificate, several lines of indecipherable text with no spaces)
-----END CERTIFICATE-----

If you need to add any intermediate certificates, you should paste them in the same file, after the
RSA private key and the signed certificate. Save the file, and upload it using the Upload Signed
Certificate form on the Advanced > SSL or Advanced > Secure Administration page. To begin
using the certificate and key you've uploaded, select Trusted (Signed by a trusted CA) as the
Certificate Type after uploading the certificate, and click Save Changes.
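
The layout that method 2 requires (RSA private key first, then the signed certificate, then any intermediates, with the key's password already removed as in step 5 of the OpenSSL procedure) can be checked before the file is uploaded. The Python sketch below is an added example, not code from Barracuda or from the original document; the function names and the sample blocks are constructed for illustration and contain no real key material.

```python
import base64
import re

# One PEM block: (label, body). Text outside blocks is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def check_bundle(text):
    """Return a list of problems in a combined key + certificate PEM file."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    labels = [label for label, _ in blocks]
    # Layout from the KB article: RSA private key first, then certificate(s).
    if labels[0] != "RSA PRIVATE KEY":
        problems.append(f"block 1 is '{labels[0]}', expected 'RSA PRIVATE KEY'")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no CERTIFICATE block after the first block")
    for pos, label in enumerate(labels[1:], start=2):
        if label != "CERTIFICATE":
            problems.append(f"block {pos} is '{label}', expected 'CERTIFICATE'")
    for pos, (label, body) in enumerate(blocks, start=1):
        lines = [ln.strip() for ln in body.splitlines()]
        # A key that skipped step 5 is either labelled ENCRYPTED or carries
        # a "Proc-Type: 4,ENCRYPTED" header inside the block.
        if "ENCRYPTED" in label or any(
                ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
            problems.append(f"block {pos} is still password-protected")
            continue
        try:
            base64.b64decode("".join(lines), validate=True)
        except ValueError:
            problems.append(f"block {pos} body is not valid base64")
    return problems

def make_block(label, payload=b"constructed sample bytes, not real key material"):
    """Build a constructed PEM block for the demo (placeholder payload)."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

KEY, CERT = make_block("RSA PRIVATE KEY"), make_block("CERTIFICATE")
ENC_KEY = KEY.replace(  # constructed stand-in for a key that skipped step 5
    "KEY-----\n", "KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,00\n\n", 1)

if __name__ == "__main__":
    for name, bundle in [("good", KEY + CERT + CERT), ("swapped", CERT + KEY),
                         ("encrypted", ENC_KEY + CERT)]:
        print(name, check_bundle(bundle) or "OK")
```

Both private.pem and the combined file hold the private key without a password, so remove them from the workstation once the upload has succeeded.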

Link to This Page:


http://www.barracuda.com/kb?id=50160000000GHEe
