Setting up secure administration over SSL/TLS on any Barracuda Networks product is done on the Advanced > SSL or Advanced > Secure Administration page of the Barracuda's Web user interface. While you can specify the Default (Barracuda Networks) certificate for your SSL/TLS connections, this will prompt users and administrators with a domain mismatch error because the certificate's domain is barracudanetworks.com (and your Barracuda Networks product's hostname and domain, configured near the bottom of the Basic > IP Configuration page, will not match barracudanetworks.com when configured correctly).
To generate a CSR (Certificate Signing Request) from your Barracuda Networks product, navigate to the Advanced > SSL or Advanced > Secure Administration page and follow these steps:
1.Fill in all of your organization's information on the Certificate Generation section of the page. The Common Name field should match your Barracuda unit's hostname (configured near the bottom of the Basic > IP Configuration page) exactly.
2.Click the Save Changes button.
3.Click the Download button next to Download Certificate Signing Request (CSR) to download a copy of the CSR the Barracuda Networks has now generated.
Send the CSR to a Certificate Authority (like VeriSign, for example) to have an SSL/TLS certificate generated and signed based on the CSR you have submitted. Ask for an X.509 (or Apache) certificate in PEM format. Once you have received the certificate from the Certificate Authority, you should confirm it is in the right format so that it may be uploaded to the Barracuda unit.
To do this, open the file with Notepad or some other simple text editor (not Microsoft Word). You should see the certificate between the Begin Certificate and End Certificate markers, like this:
-----BEGIN CERTIFICATE-----
(the signed certificate, several lines of indecipherable text with no spaces)
-----END CERTIFICATE-----
Once you have verified that it looks correct, upload it to the Barracuda unit using the Upload Signed Certificate option near the bottom of the the Advanced > SSL or Advanced > Secure Administration page of the Barracuda's web interface. To begin using the certificate you've uploaded, select Trusted (Signed by a trusted CA) as the Certificate Type after uploading the certificate, and click Save Changes.
Additional Notes:
If you are unable to upload your signed certificate to your Barracuda product, you may need to include one or more intermediate certificates in the file you are uploading. If needed, these should be provided to you by the organization that signed your certificate. If you have your main certificate alongside one or more intermediate certificates, you should use Notepad or some other simple text editor (not Microsoft Word) to combine them into a single file (copying and pasting the intermediate certificate(s) into the main certificate file should be fine). The order of the certificates doesn't matter, and the file should look like this when you're finished:
-----BEGIN CERTIFICATE-----
(the signed certificate, several lines of indecipherable text with no spaces)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(the intermediate certificate, several lines of indecipherable text with no spaces)
-----END CERTIFICATE-----
Once this is done, save the new, combined certificate file and upload to the Barracuda using the Upload Signed Certificate option as described above.
SSL CERTIFICATE INSTALLATION ON BARRACUDA
1. With a text editor (such as wordpad), copy and paste the entire body of each certificate into one text file in the following order:
1.The Primary Certificate - your_domain_name.crt
2.The Intermediate Certificate.
Make sure to include the beginning and end tags on each certificate. The result should look like this:
Save the combined file as your_domain_name.pem. Your .pem file should be ready for use.
2. Login to your Barracuda Spam Firewall. Go to the ADVANCED->SSL page where you originally got your CSR file. There should be an "Upload Signed Certificate" button which you can use to upload the your_domain_name.pem file.
3. To begin using the certificate you've uploaded, select Trusted (Signed by a trusted CA) as the Certificate Type after uploading the certificate, and click Save Changes. You may need to restart web services on your Barracuda for the new certificate to take effect.
More information about installing an SSL certificate on your Barracuda can be found directly from Barracuda Networks.
Please note - Some of our customers have reported difficulty installing a wildcard certificate to Barracuda Spam Firewalls. This isn't a problem specific to DigiCert wildcards. We hear that the barracuda will only issue a CSR for the name you give it, so if you want a wildcard certificate you have to name your barracuda *.yourdomain.com and that may not work with clustering. If you have a wildcard certificate, please call us, as we have a workaround. More information about using wildcards with a Barracuda device can be found from Barracuda Networks.
Also - The Barracuda will expect to receive a certificate that EXACTLY matches all fields in the CSR it previously created. This detail can be a source of confusion and frustration if you're unaware of it. DigiCert can only issue your SSL Certificate according to what we are able to verify about your company. For example if you request a certificate with "O=TheCompany" and your company name is really "O=TheCompany, Inc." then we have to issue your certificate with "O=TheCompany, Inc." and importing that certificate will fail. In cases where the CSR and the issued certificate do not exactly match, you can adjust the details in the Barracuda to exactly match your certificate and then download a new CSR from the barracuda and use the new CSR to reissue your certificate by logging into your DigiCert account, clicking on Web-PKI manager, then re-issue your certificate.
