Configuring Safetica to sign its network communication with a company’s root digital certificate

To learn more about how certificates work in Safetica, refer to article Overview of digital certificate use in Safetica. This guide explains how you can prepare and configure these certificates properly, to ensure that they are compatible with all Safetica-supported browsers. You can read more here.


We strongly advise you to follow this guide on a device which is not connected to network in order to ensure that the certificate files used or created in the process cannot be stolen and misused.

To follow and finish this guide, you will need to download and install OpenSSL (the full, non-Light version) from the following website:

During the installation, make sure that the OpenSSL DLLs are copied into the Windows system directory.

Certain certificate attributes will be needed to finish the steps below. Please clarify and prepare these beforehand so that you can copy/paste them into the commands where indicated.

The following certificate attributes will be required:

  • C = Country - Identifies your country; 2-character ISO country codes are used, you can find them online, e.g. here
  • O = Organization - Identifies your organization
  • OU = Organizational unit - Identifies the level of the certification authority

Two different parameters will be used in the instructions below:

  1. The company root certificate attributes, for example:
    /C=US/O=Company Ltd./OU=Company Root CA
  2. The company intermediate certificate attributes, for example:
    /C=US/O=Company Ltd./OU=Company Inter CA

Please prepare these two parameters and have them ready for copy/pasting into commands.

Finally, run your command line interface as administrator and navigate to C:\OpenSSL-Win32\bin (or your custom installation directory).

1. Prepare or create your company certificate

In case you have an existing company certificate which will be used for signing the certificates used on Safetica-protected endpoints, you will need the following files:

  • root.pem = The certificate in .PEM file format
  • root_key.pem = The key to the certificate in .PEM file format - the key will only be used for signing the intermediate certificate and will not be stored in it in any way

Please place these two files into the C:\OpenSSL-Win32\bin directory and continue with the next step.

In case you do not have a company certificate yet, you can use the following commands to create one:

  • openssl genpkey -algorithm RSA -out root_key.pem -pkeyopt rsa_keygen_bits:4096
  • openssl req -new -key root_key.pem -days 3650 -extensions v3_ca -batch -out root.csr -utf8 -subj "<company root certificate attributes>"
  • openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root_key.pem -extfile cnf\openssl.cnf -extensions v3_ca -out root.pem
  • openssl x509 -outform der -in root.pem -out root.cer

2. Create a new certificate which will be used by the Safetica Management Service

In this step we create the certificate which will be used by Safetica. It will be signed by the certificate from previous step.

The certificate below will be generated with a recommended expiration time of 1 year, feel free to change the 365 parameter to adjust this time. Use the following commands:

  • openssl genpkey -algorithm RSA -out inter_key.pem -pkeyopt rsa_keygen_bits:4096
  • openssl req -new -key inter_key.pem -days 365 -extensions v3_ca -batch -out inter.csr -utf8 -subj "<company intermediate certificate attributes>"
  • openssl x509 -req -sha256 -days 365 -in inter.csr -CAkey root_key.pem -CA root.pem -CAcreateserial -extfile cnf\openssl.cnf -extensions v3_ca -out inter.pem
  • openssl x509 -outform der -in inter.pem -out inter.cer

3. Export the certificate into a format compatible with the Safetica Management Service

Finally, export the certificate into a compatible format using the following command:

  • openssl.exe pkcs12 -export -out safetica_cert.pfx -inkey inter_key.pem -in inter.pem -certfile root.pem

You will be prompted to enter a password (twice) - this password will be required when importing the certificate into your Safetica Management Server’s certificate store.

You can validate the exported certificate using the following command:

  • openssl pkcs12 -info -in safetica_cert.pfx

4. Import the certificate into the SMC

Log into the Safetica Management Console, head over to Profile -> Server settings -> Root Certificate. Here browse to your newly generated safetica_cert.pfx file, load it, enter the password chosen in step 2 and you’re all set.

The next time your Safetica clients connect to the Safetica Management Server, the clients will receive their individual signed endpoint certificates which will be used to sign all further network communication.

Tip: Set up alerts

You can get notified about possible problems or a nearing certificate expiry date.

In Safetica Management Console, go to Alerts, create a new rule or edit an existing one and in the second step, under Service Alerts, turn on Certificate alerts and finish the configuration guide.