SSL Certificates

This article covers issues and solutions with SSL certificates (website certificates) that are needed for secure communication in web.

SSL (Secure Sockets Layer) is a protocol that establishes a secure connection between a web server and a browser. It uses a small data file, known as an SSL certificate, which binds a cryptographic key to an organization's details. This enables secure transactions, data transfers, and logins by encrypting the communication, ensuring that sensitive information remains confidential and protected from interception.

As a customer you typically face with SSL-certificates when the browser warns that the website is not secure

or you are the one who tracks the SSL expiration date and wants to ensure that your LMS will work without the interruption or with the limited access and check the certificate expiration date in the browser by clicking the icon before the website address:

and navigating to the certificate,

where you can check the issue date and the expiration date of your certificate:

It’s better to keep track of SSL expiration date (you or your IT should do this internally) in order to be able to update it in a timely manner and avoid the situation when the browser will show that your website is not secure.

IMC does not issue SSL certificates. SSL certificate is being issued for your domain(s). Your IT department or the person who manages the domain should have access to the tools that allow to make a new certificate. IMC updates the certificate for the domain used by LMS but does not issue a new certificate.

Below you will find info on how to deal with SSL certificate issues and will find out how to make sure that you have provided the data IMC needs for updating the SSL certificate.

Ways of Providing certificates to IMC

There are three common ways of providing certificates to IMC. IMC’s hosting department can generate a CSR File that you can use for certificate generation, or you can upload the certificate in PFX format including a private key or specifying a password. You can also provide a certificate with the private key.

CSR (Certificate Signing Request) File

A CSR file is the file that’s being generated by IMC’s hosting department. It provides all the information needed for a certificate generation on customer’s side.
Example of CSR file (contents):

Usually, customers contact the support team through a Service Desk Request ticket and request to provide CSR file in order to generate a new certificate.

Make sure to specify for which System/domain the certificate is needed and provide appropriate links to them (STAGE, PROD, DEV, etc). One certificate can be used for several systems, like for the domain and subdomains (wildcard certificate), or each system may require a separate certificate. It depends on initial setup of your systems.

Support team requests the CSR file from the hosting department and provides it to the customer. After that the customer (IT department of the customer or appropriate specialist) uses this CSR file for certificate generation.

We strongly recommend that you check a newly generated certificate and make sure that it has a correct validity period and the domain. In Windows systems you can simply click on .cer file, open it and check appropriate information:

The customer sends a new certificate file (usually in .cer format), support team forwards it to the hosting team that places the updated certificate on a server. After that the certificate is installed and its validity can be checked directly in a browser:

You may use the same CSR file that was used for generating an old certificate if changes in CSR are not needed. In this case you can go ahead and generate a new certificate with the old CSR file (if you have one) if nothing was changed.

We are referring to the following fields that do not change if you simply updating the expired certificate:

• Country (C)

• State or Province Name (ST)

• Locality (L)

• Organization Name (O)

• Common Name (CN)

• Root Length

• Signature Algorithm

• Country (C)

• State or Province Name (ST)

• Locality (L)

• Organization Name (O)

• Common Name (CN)

• Root Length

• Signature Algorithm

PFX (Personal Information Exchange) file

Providing a certificate in PFX format is another way of providing the updated certificate. This way of providing the certificate can be considered as faster because you do not need to contact support team that contacts hosting team in order to get a CSR file required for a certificate generation. At the same time, it is less secure as you need to provide a password for PFX file. You can simply provide a certificate in PFX format along with the password and our hosting team will update the certificate on the server. The PFX file should be generated by your IT administrator or appropriate person who manages domains/certificates in your organization.

Make sure to specify for which System/domain the certificate is needed and provide appropriate links to them (STAGE, PROD, DEV, etc). One certificate can be used for several systems, like for the domain/subdomains (wildcard certificate), or each system may require a separate certificate. It depends on initial setup of your systems.

We strongly recommend that you check a newly generated certificate and make sure that it has a correct validity period and a correct domain. In Windows/Linux/macOS you can check the file with the Keystore Explorer software, open the PFX file with appropriate password and check the appropriate information:

After placing a new certificate to the server by our hosting team the validity of the certificate can be checked directly via browser:

Certificate files with private keys

In this case the customer (customer’s IT department or appropriate person) provides certificate files with the private keys required for this certificate to the support team via Service Desk request ticket. After that the request is being forwarded to the hosting team, who´s responsible for the installation of updated certificates. Typically, customers send several files in a zipped file. The structure/file names can be different, however at least one file should contain a certificate and another file should have a private key.

Examples of files inside a zip file:

Typically, a file with the certificate and with the private key can be opened in a text editor that allows to make sure that we have required set of files. The file with the certificate should start with BEGIN CERTIFICATE section or something similar,

while the file with the Private key typically should start with BEGIN PRIVATE KEY or something similar (begin RSA private key, etc):

We strongly recommend that you check a newly generated certificate and make sure that it has a correct validity period and domain. In Windows/Linux/macOS you can check a file with the certificate using the Keystore Explorer software, open the appropriate file with the certificate and check its data:

Typical issues with certificates

• SSL certificate is expired, and the browser shows appropriate warning:

  

  You can check the SSL expiration date directly in the browser using the info we specified at the beginning of this article.

• A new certificate works on a Prod system where the certificate was updated recently but does not work on a Stage/Dev/QA system. Such issue may happen if one certificate was issued for the domain and subdomain, however, the customer did not inform us that it should be updated on both systems. Specifying appropriate information when making a Service Desk request will help to avoid this issue.

• Mixing up certificates. The customer may provide certificates for each domain (for example, for Prod and Stage systems), but they can refer both to one domain. Checking the domain name of each certificate will mitigate a risk of having such issue.

• Providing a PFX file without a password. A PFX file is not usable without a password. You can submit a PFX file to Service Desk with the question on how you can securely send a password and appropriate information will be provided in the reply.

• The certificate was generated for wrong domain name/system. Please check a new certificate and make sure that it has a correct domain name and expiration date. Sometimes collision occurs due to mixing up Prod, Stage, Dev, QA, etc systems.

• Contacting IMC to generate an updated certificate. IMC will provide an info required for the certificate generation (CSR file), but IMC does not update or prolong certificates. Such actions are done by the domain administrator. Usually, customer’s IT department or appropriate person in their organization does that. What IMC does, is placing the updated certificate to the server managed by IMC (cloud systems). So, the customer should generate a new certificate, provide it in the Service Desk and the certificate will be updated by our hosting team.

  Contacting IMC to update certificate for On-Premise customers (managed by customers). IMC does not have access to On-Premise servers, such servers are often managed by IT departments of appropriate organizations.

Summary: SSL (Secure Sockets Layer) protocol ensures secure web connections through encryption using SSL certificates for your LMS website/domain.

• SSL certificates encrypt communication for secure transactions, data transfers, and logins.

• It's crucial to track SSL expiration dates to update certificates promptly and avoid security warnings.

• Three ways to provide SSL certificates to IMC: CSR File, PFX file with a password, or certificate files with private keys.

• Common issues include expired certificates, failing to specify domains, where certificates should be updated, and providing PFX files without passwords.

• IMC does not issue SSL certificates, but updates them on servers, requiring customers to generate and provide new certificates.

• Contact IMC via Service Desk ticket if you have questions or to provide new/updated certificates