Configuring Trusted Certificates

Configure the following required (and optional) SSL certificates on each Civic Platform server:

av.biz

  • Required: SSL Certificate for av.web; SSL Certificate for av.cfmx

  • Optional: SSL Certificate for EDMS Server; SSL Certificate for External APO Servers; SSL Certificate for LDAP servers; any others for secure web services

av.web

  • Required: SSL Certificate for av.web; SSL Certificate for av.cfmx

  • Optional: n/a

av.cfmx

  • Required: SSL Certificate for av.web; SSL Certificate for av.cfmx

  • Optional: n/a

av.arw

  • Required: SSL Certificate for av.web; SSL Certificate for av.cfmx

  • Optional: n/a

ads

  • Required: SSL Certificate for av.web; SSL Certificate for av.cfmx

  • Optional: n/a

Shortcuts

  • You can create an initial trusted_cacerts file with the SSL Certificates for av.web and av.cfmx and then copy it to av.biz/conf/certs, av.web/conf/certs, av.cfmx/conf/certs, av.arw/conf/certs, and ads/conf/certs. You can then add any optional certificates to the trusted_cacerts file in av.biz/conf/certs.

  • If an agency provides its own certificate authority (CA) for signing internal SSL certificates, then it must include all certificates in the certificate chain for each SSL certificate stored in trusted_cacerts.

 

Importing security certificates for HTTPS connections to the Biz server

The Civic Platform Biz server is installed with a self-signed certificate by default. For HTTPS connections from component IIS servers (such as Citizen Access, Mobile Office, Accela GIS, and Accela Gateway) to the Biz server, your agency can choose to either:

  • Use the default Biz server self-signed certificate, which must be imported to the trusted certificate store on the component IIS server(s).

  • Certificates that are to be added to the Civic Platform's Biz server must now also be registered in the application's Java KeyStore. See Administrator Guide > Appendix: Security Enhancements > TLS Compliance > Configuration for more information.

This procedure describes how to import the Biz server self-signed certificate to the Citizen Access IIS server's Trusted Certificate store. Perform this procedure on each server that needs to connect to the Biz server via HTTPS.

Note: If your agency is using a trusted domain certificate instead of the Biz server's self-signed certificate, perform a similar procedure for importing your agency’s trusted domain certificate to the Civic Platform Biz server and component IIS servers.

  1. Get the Citizen Access server URL from the web.config file in the Citizen Access server's IIS root folder.

  2. In a web browser, go to the Citizen Access server URL. When the browser returns a security warning that the certificate cannot be verified, click Continue to this website….

  3. Click Certificate Error next to the address bar, then click View certificates.

  4. On the Certificate window, click Install Certificate and click OK. If this option is not enabled, close IE and run it again as Administrator.

  5. Click Next, then on the Certificate Import Wizard window, select Place all certificates in the following store, and click Browse.

  6. Check the Show physical stores checkbox, expand Trusted Root Certification Authorities, select Local Computer, and click OK.

  7. Click Next, and then Finish to close the wizard.

  8. Go to the Citizen Access URL on the browser again to verify that the browser no longer returns a security warning.
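
A scripted equivalent of steps 2 through 8, as an added example that is not part of the original documentation: it reads the certificate the server presents, compares its SHA-256 fingerprint with one obtained out of band before trusting it, adds it to the Local Computer trusted root store, and re-tests with normal validation. The host name, port, and fingerprint are placeholder assumptions, and the helper function Get-TlsCertificate is hypothetical; run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Placeholder assumptions: replace with your Biz server host and port, and the
# SHA-256 fingerprint obtained directly from the Biz server administrator.
$BizHost     = 'biz.example.gov'
$BizPort     = 443
$ExpectedSha = '<SHA256-FINGERPRINT-FROM-BIZ-ADMIN>'

function Get-TlsCertificate {
    param([string]$HostName, [int]$Port, [switch]$SkipValidation)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # -SkipValidation accepts any certificate so an untrusted one can be
        # inspected; without it the normal Windows trust checks apply.
        $callback = $null
        if ($SkipValidation) {
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # throws when validation fails
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# Steps 2-3: read the certificate the server presents, without trusting it yet.
$cert   = Get-TlsCertificate -HostName $BizHost -Port $BizPort -SkipValidation
$hash   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
$actual = [System.BitConverter]::ToString($hash) -replace '-', ''
"Subject: $($cert.Subject)`nExpires: $($cert.NotAfter)`nSHA-256: $actual"

# Check added here: refuse to trust a certificate that is not the expected one.
if ($actual -ne ($ExpectedSha -replace '[:\s-]', '')) {
    throw 'Fingerprint mismatch: certificate was NOT imported.'
}
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired.' }

# Steps 4-7: add it to Trusted Root Certification Authorities, Local Computer.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Step 8: a normally validated handshake must now succeed (the certificate's
# subject name must also match $BizHost, or this still throws).
Get-TlsCertificate -HostName $BizHost -Port $BizPort | Out-Null
"Validated TLS handshake with ${BizHost}:$BizPort succeeded."
```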