Configuring Safetica to sign its network communication with a company’s root digital certificate
Posted by Ladislav Mlčák, Last modified by Michael Skoupý on 02 July 2019 08:29 AM
To learn more about how certificates work in Safetica, refer to the article Overview of digital certificate use in Safetica. This guide explains how to prepare and configure these certificates properly so that they are compatible with all Safetica-supported browsers. You can read more here.
We strongly advise you to follow this guide on a device that is not connected to a network, so that the certificate files used or created in the process cannot be stolen and misused.
To follow and finish this guide, you will need to download and install OpenSSL (the full, non-Light version) from the following website:
During the installation, make sure that the OpenSSL DLLs are copied into the Windows system directory.
Certain certificate attributes will be needed to finish the steps below. Please clarify and prepare these beforehand so that you can copy/paste them into the commands where indicated.
The following certificate attributes will be required:
Two different parameters will be used in the instructions below:
Please prepare these two parameters and have them ready for copy/pasting into commands.
Finally, run your command line interface as administrator and navigate to
1. Prepare or create your company certificate
In case you have an existing company certificate which will be used for signing the certificates used on Safetica-protected endpoints, you will need the following files:
Please place these two files into the
In case you do not have a company certificate yet, you can use the following commands to create one:
2. Create a new certificate which will be used by the Safetica Management Service
In this step we create the certificate which will be used by Safetica. It will be signed by the certificate from the previous step.
The certificate below will be generated with a recommended expiration time of 1 year; change the 365 parameter to adjust this time. Use the following commands:
3. Export the certificate into a format compatible with the Safetica Management Service
Finally, export the certificate into a compatible format using the following command:
You will be prompted to enter a password (twice) - this password will be required when importing the certificate into your Safetica Management Server’s certificate store.
You can validate the exported certificate using the following command:
4. Import the certificate into the SMC
Log into the Safetica Management Console, head over to Profile, Server settings, Root Certificate. Here browse to your newly generated
The next time your Safetica clients connect to the Safetica Management Server, the clients will receive their individual signed endpoint certificates which will be used to sign all further network communication.
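The sequence from steps 1 to 3 (root certificate, signed service certificate, password-protected export, validation) as an added example. It is not Safetica's own command set and makes no claim about the attributes Safetica requires. File names, subject names and the default passwords are constructed placeholders. The wrapper is POSIX shell, but the `openssl` invocations are the same in a Windows command prompt.

```shell
#!/bin/sh
# Added illustration, not Safetica's commands. File names, subject names and
# the default passwords below are constructed placeholders.
set -eu
: "${CA_PASS:=constructed-ca-passphrase}" "${P12_PASS:=constructed-export-password}"
export CA_PASS P12_PASS   # openssl reads them via env: so they stay off argv

# make_chain DIR DAYS: root CA, service cert valid for DAYS days, PKCS#12 bundle.
make_chain() (
    mkdir -p "$1" && cd "$1" &&
    # 1. Self-signed company root; its private key is written encrypted.
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -keyout ca.key -passout env:CA_PASS -out ca.crt \
        -subj "/O=Example Corp/CN=Example Corp Root CA" 2>/dev/null &&
    # 2. Service key and CSR, then a certificate signed by the root.
    openssl req -new -newkey rsa:2048 -sha256 \
        -keyout svc.key -passout env:P12_PASS -out svc.csr \
        -subj "/O=Example Corp/CN=management-service.example.internal" 2>/dev/null &&
    openssl x509 -req -in svc.csr -CA ca.crt -CAkey ca.key -passin env:CA_PASS \
        -CAcreateserial -sha256 -days "$2" -out svc.crt 2>/dev/null &&
    # 3. Bundle key, certificate and issuer into a password-protected PKCS#12.
    openssl pkcs12 -export -inkey svc.key -passin env:P12_PASS -in svc.crt \
        -certfile ca.crt -name management-service \
        -passout env:P12_PASS -out svc.pfx
)

# check_chain DIR: the bundle opens with the password and the service
# certificate chains to the root.
check_chain() (
    cd "$1" &&
    openssl pkcs12 -in svc.pfx -passin env:P12_PASS -noout 2>/dev/null &&
    openssl verify -CAfile ca.crt svc.crt >/dev/null 2>&1
)

# expires_within DIR DAYS: succeeds when svc.crt expires within DAYS days
# (-checkend exits 0 when the certificate is still valid after that many seconds).
expires_within() {
    ! openssl x509 -in "$1/svc.crt" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

demo=$(mktemp -d)
make_chain "$demo" 365 && check_chain "$demo" && echo "chain OK in $demo"
expires_within "$demo" 30 || echo "more than 30 days of validity left"
```

After a real export, remove the intermediate `svc.key` and `svc.csr` and keep the root's private key offline; only the PKCS#12 file and its password are needed for the import.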
Tip: Set up alerts
You can get notified about possible problems or a nearing certificate expiry date.
In the Safetica Management Console, go to Alerts, create a new rule or edit an existing one, and in the second step, under Service Alerts, turn on Certificate alerts and finish the configuration guide.