CloudLink: Generate custom CA signed web SSL certs that include Digital Signature in Key Usage

Summary: This article explains how to use OpenSSL to generate custom CA-signed SSL certificates with Digital Signature in Key Usage and upload them to a CloudLink server. Applicable for CloudLink Version Lower than 8.x ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Pre-Requisite:
To generate a Certificate, it is mandatory to generate a Certificate Signing Request (CSR). There are multiple tools to generate CSR. Here, we will use OpenSSL, an open-source command line tool mostly pre-installed on Linux systems. It is commonly used to generate private keys, create CSR, install SSL/TLS certificates, and identify certificate information.

We usually have three ways of generating a certificate.
  1. Generate a Self-Signing certificate digitally signed.
  2. Generate a CSR using OpenSSL and share CSR with CA team (Customer) to sign it.
  3. Ask customer to generate CSR using their CA and digitally sign certificate.
Now lets look at three ways of generating a certificate in detail:
 
CSR Generation Ways Advantage Disadvantage
Self-Signing certificate
  • It is created quickly and easily issued.
  • There are zero dependencies on others for the issuance of certificates, which saves time for testing purposes
  • Since self-signed certificates aren’t issued by a trusted CA, they will trigger security warnings in web browsers, potentially causing trust issues for users.
  • Person generating certificate needs to store key safely if needed.
CSR using OpenSSL and CA signing
  • Certificate is issued by a trusted CA, hence there will be no security warnings in web browsers.
  • PRIVATE KEY used to generate CSR using OpenSSL needs to be saved securely by the team generating CSR.
  • There are dependencies on other for the issuance of certificate.
CSR and Signing using CA server
  • Certificate is issued by a trusted CA, hence there will be no security warnings in web browsers.
  • PRIVATE KEY will be saved on the CA server
  • Dependencies on others for the issuance of certificates, hence implementing this will take time


For generating a Self-Signing certificate digitally signed using OpenSSL
  1. On a Linux server with OpenSSL installed create a file called template.cfg and paste the info within the box below.
            On the entries that end with a * replace with relevant info. 
[req]
default_bits           = 2048
distinguished_name     = req_distinguished_name
req_extensions         = v3_req

[req_distinguished_name]
C =Country(2 letter code)
ST =State
L =Locality(city)
O =Organization
OU =OrgUnit
CN =cloudlink716*

C_default =US*
ST_default =utah*
L_default =salt lake city*
O_default =dell*
OU_default =dell*
CN_default =cloudlink716*

[v3_req]
subjectAltName   = @alt_names
keyUsage         = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth

[alt_names]
IP      = 192.168.50.150*
DNS.1   = cloudlink716*
 NOTE: Some customers do not prefer having IP address in [alt_names], so if required you may remove IP and save this file as template.cfg and then use below OpenSSL command to generate CSR. If IP address is removed from alt_names then trying to access application using IP will continue to give certificate error but trying to access application using FQDN will work without giving certificate error.
  1. Use below command to generate Self-Signing certificate digitally signed using OpenSSL with expiry date of 1 year (modify if required):
openssl req -newkey 2048 -keyout server.key -config template.cfg  -x509 -days 365 -out server.crt -extensions v3_req -nodes
  1. Once above command has been executed successfully, copy server.crt and server.key file from server to Laptop/VDI/Desktop.
  2. Now open CloudLink GUI and navigate to SERVER > TLS and click upload.
  3. Select certificate format as PEM and upload server.crt in certificate field and server.key in Key field.
  4. Click Preview to verify and if everything looks good click on upload.
  5. It will take few seconds to apply, once it is applied you can confirm on same page as end date and other details of certificate would have changed. Also to double confirm you may navigate to MONITORING > ACTIONS and notice that Apply WEB certificate action status will show as Succeeded.
  6. Now you can try accessing CloudLink from a newer version of browser. No reboot is required for this implementation.
  7. Once implementation is successful delete all copies of certificate or key file from Laptop/VDI/Desktop
Generate a CSR using OpenSSL and share CSR with CA team (Customer) to sign it.
  1. Follow similar steps 1 to 3 from above section "For generating a Self-Signing certificate digitally signed using OpenSSL"
  2. Now share server.crt file with Customer Certificate (CA) team and request them to sign certificate. Once certificate is signed download (from CA portal) it as a .PEM (OpenSSL) file without Root chain so that we have a single file once download is completed.
  3. Now open CloudLink GUI and navigate to SERVER > TLS and click upload.
  4. Select certificate format as PEM and upload .PEM that was provided by CA in certificate field and server.key in Key field which you have used while generating CSR. 
(NOTE: You can also choose to share server.key file with CA on a secured channel so that they can save on there tool and use that key to sign it.)
  1. Click Preview to verify and if everything looks good click on upload.
  2. It will take few seconds to apply. Once it is applied you can confirm on same page as end date and other details of certificate would have changed. Also to double confirm you may navigate to MONITORING > ACTIONS and notice that Apply WEB certificate action status will be marked as Succeeded.
  3. Now you can try accessing CloudLink from a newer version of browser. No reboot is required for this implementation.
  4. Once implementation is successful delete all copies of certificate or key file from Laptop/VDI/Desktop.
Ask customer to generate CSR using there CA and digitally sign certificate
  1. Request Customer Certificate (CA) team to generate CSR for CloudLink server.
  2. For this you will have to provide Server Name, IP, C =Country(2 letter code), ST =State, L =Locality(city), O =Organization, OU =OrgUnit to CA team so that they can generate required certificate.
  3. Once CA team has signed that certificate, download (from CA portal) it in PKCS12 format as a single file. Downloading PKCS12 format will require password before downloading so keep that password handy. This certificate should have .pfx as an extension
  4. Once certificate is downloaded, open CloudLink GUI and navigate to SERVER > TLS and click upload.
  5. Select certificate format as PKCS12 and upload .pfx file that was provided by CA in certificate field and enter the password which was used in step 3 to download the certificate.
  6. Click Preview to verify and if everything looks good click on upload.
  7. It will take few seconds to apply. Once it is applied you can confirm on same page as end date and other details of certificate would have changed. Also to double confirm you may navigate to MONITORING > ACTIONS and notice that Apply WEB certificate action status will be marked as Succeeded.
  8. Now you can try accessing CloudLink from a newer version of browser. No reboot is required for this implementation.
  9. Once implementation is successful delete all copies of certificate or key file from Laptop/VDI/Desktop.

Additional Information

Ref: https://www.dell.com/support/kbdoc/en-us/000219861/error-err-ssl-key-usage-incompatible-when-opening-cloudlink-webgui

Affected Products

CloudLink
Article Properties
Article Number: 000223597
Article Type: How To
Last Modified: 05 مارس 2026
Version:  2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.