Miscellaneous Procedures > Administering Security Certificates for HTTPS and SSH on the OnSite > Configuring Security Certificates

Configuring Security Certificates
OnSite generates its own self-signed SSL certificate for HTTPS. It is highly recommended that you regenerate the local OnSite-generated certificate with identifying data specific to your site, and that you at the same time initiate the process of applying for an official certificate from a certificate authority, such as VeriSign. Use of certificates from known CAs is recommended because browsers warn about, or refuse, certificates that do not chain to a CA they already trust, so the self-signed certificate should only be a stopgap.
The openssl.cnf file must exist for configuring security certificates. By default, openssl looks for the file in /usr/local/ssl and fails with an error if it is not found there.
OnSite administrators cannot write into the /usr directory, so we recommend keeping the file in the /etc directory and telling openssl where it is with the -config /etc/openssl.cnf option. The file can be downloaded from the Internet or created from the example /etc/openssl.cnf shown below. The file must be modified to suit your configuration.
#################################################################
# openssl example configuration file.
# Mostly used for generation of certificate requests.
#################################################################
[ ca ]
default_ca = exampleca # The default ca section (used only by "openssl ca", not by "openssl req")
[ exampleca ]

dir = . # Where everything is kept
certificate = $dir/cacert.pem # The CA certificate
database = $dir/index.txt # database index file.
new_certs_dir = $dir/certs # default place for new certs.
private_key = $dir/private/cakey.pem # The private key
serial = $dir/serial # The current serial number
default_crl_days = 30 # how long before next CRL
default_days = 365 # how long to certify for
default_md = sha256 # which md to use (md5 and sha1 signatures are rejected by current browsers)
policy = exampleca_policy
x509_extensions = certificate_extensions # The extensions to add to the cert

[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha256 # as above: do not use md5
prompt = no # subject comes from the distinguished_name section below; set to yes to be prompted instead
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions # Extensions to add to the self-signed cert

[ root_ca_distinguished_name ]
commonName = Example CA
stateOrProvinceName = mystate
countryName = US
emailAddress = myname
organizationName = Cyclades

[ root_ca_extensions ]
basicConstraints = CA:TRUE # marks the self-signed cert as a CA; a plain server certificate should use CA:FALSE
#################################################################
/etc/openssl.cnf
The following table shows the tasks for obtaining a signed certificate and where each task is documented.

Task: Regenerating the local self-signed certificate so it contains information specific to your organization. (This should usually be done only as a temporary measure while awaiting a signed certificate from a CA.)
  See: To Configure an SSL Certificate With Your Organization's Data
Task: Creating a certificate signing request and obtaining a signed certificate from a CA.
  See: To Obtain a Signed Certificate From a Certificate Authority
Task: Installing the signed certificate and the server key where the web server can find them.
  See: To Enable HTTPS By Installing the X.509 Certificate and the Server Key Where the Web Server Can Find It
To Configure an SSL Certificate With Your Organization’s Data
This procedure generates a new self-signed certificate, replacing the default Cyclades information with information specific to your organization.
Note: Like the default automatically-generated certificate, the certificate generated by this procedure is not CA-signed, so browsers will still warn about it. It is recommended that you use the resulting self-signed certificate only temporarily while waiting for a certificate signing request to be fulfilled by an official CA (as described in To Obtain a Signed Certificate From a Certificate Authority).
1.
2. Open the /etc/req_key file for editing.
[root@onsite /]# vi /etc/req_key
3.
authorityKeyIdentifier = keyid:always,issuer:always
nsComment = "This is just a TEST certificate. Don't use it for real secure connections. Create your own certificate instead."
4.
5.
6.
7.
To Obtain a Signed Certificate From a Certificate Authority
Before performing this procedure, generate a private key. Also see http://pki-page.org for a list of official CAs, if needed.
Note: How to generate the private key is outside the scope of this document. See OpenSSL documentation available on the Internet for more information.
Make sure that the /etc/openssl.cnf file exists and has been configured properly. You can do one of the following:
1.
2. Use openssl with the req parameter to create a CSR (certificate signing request). Use the command line shown in the following screen example, replacing private_key.pem with the name of the file that contains the private key.
Note: The command line in the screen example is broken into two lines because of space limitations. You can either enter the whole command on one line or include a backslash (\) as shown to tell the shell that the command continues on the following line.
[root@OnSite /]# openssl req -new -nodes -key \
private_key.pem -out cert.csr -config /etc/openssl.cnf
Because the default configuration directory under /usr is not writable, the -config option must point at the copy in /etc/openssl.cnf. Unless the configuration file sets prompt = no (as the example file above does, in which case openssl silently takes the values from its distinguished_name section), the openssl utility prompts for the required information shown in the following table. Any other requested information is not required.
Country Name (2 letter code) [AU]: Refer to the ISO-3166 two-letter country code list if you do not know your country code.
Common Name: The fully qualified domain name where the certificate is to be installed, that is, the host name users type into the browser. A name that does not match the URL produces a browser warning even with a CA-signed certificate.
Note: The generated request includes the public key. The private key never leaves the OnSite; only the CSR is sent to the CA.
3.
To Enable HTTPS By Installing the X.509 Certificate and the Server Key Where the Web Server Can Find It
This procedure requires a previously-generated private key and a signed certificate from a CA, both copied to the OnSite. The example shows the files copied into the OnSite's /root directory. See To Obtain a Signed Certificate From a Certificate Authority, if needed. This procedure copies the private key and the certificate to a directory where the AcsWeb server has been configured to find them.
1.
2. The following screen example uses cert.crt as the name of the certificate file and private_key.pem as the name of the private key file.
[root@OnSite /root]# cat cert.crt private_key.pem > \
The resulting file contains the private key, so restrict its permissions (for example, chmod 600) so that no other account on the OnSite can read it.
3. The following screen example uses cert.crt as the name of the certificate file. Substitute the correct name for the certificate file.
[root@OnSite /root]# cat cert.crt > /etc/CA/server.pem
4.
Note: By default /etc/CA/server.pem and /etc/CSA/cert.pem are listed in /etc/config_files.
5. Restart the web server so that it loads the new certificate and key.
[root@OnSite /root]# daemon.sh restart WEB
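The three procedures above (temporary self-signed certificate with your own identity data, CSR for a CA, and installing certificate plus key for the web server) carried out end to end with openssl(1), as an added example that is not part of the OnSite manual or of the Cyclades software. It assumes a scratch directory (from mktemp) in place of the appliance's /root and /etc/CA, and uses onsite.example.com and "Example Corp" as placeholder identity data; the checks at the end are the ones a practitioner would run before trusting the result (subject and SAN present, CA:FALSE, key and certificate actually match, CSR carries the right public key).

```shell
#!/bin/sh
# Added example (not from the OnSite manual): self-signed cert, CSR and
# cert+key bundle with plain openssl, plus the checks that prove each step.
# Assumptions: $WORK stands in for /root and /etc/CA on the appliance;
# HOST/ORG/OU/STATE/COUNTRY are placeholders to replace with your site's data.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
HOST="onsite.example.com"            # FQDN that users will browse to (CN and SAN)
ORG="Example Corp"; OU="Network Operations"; STATE="California"; COUNTRY="US"
KEY="$WORK/private_key.pem"
CNF="$WORK/openssl.cnf"

# openssl.cnf with prompt = no, so the subject comes from the file rather than
# from interactive prompts. v3_req is for the CSR sent to the CA; v3_server is
# for the temporary self-signed server certificate and is CA:FALSE (the CA:TRUE
# example in the manual describes a private CA, not a web-server certificate).
write_cnf() {
    cat > "$CNF" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = server_dn
req_extensions     = v3_req

[ server_dn ]
countryName            = $COUNTRY
stateOrProvinceName    = $STATE
organizationName       = $ORG
organizationalUnitName = $OU
commonName             = $HOST

[ v3_req ]
subjectAltName = DNS:$HOST

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$HOST
EOF
}

# The private key the manual leaves out of scope; created mode 0600.
make_key() {
    (umask 077; openssl genrsa -out "$KEY" 2048 2>/dev/null)
}

# Procedure 1: temporary self-signed certificate carrying the site's own data.
make_selfsigned() {
    openssl req -new -x509 -sha256 -days 90 -key "$KEY" -config "$CNF" \
        -extensions v3_server -out "$WORK/selfsigned.crt"
}

# Procedure 2: CSR for the CA, the manual's command with -config pointing at
# our openssl.cnf (-nodes is omitted: it only matters when req makes the key).
make_csr() {
    openssl req -new -sha256 -key "$KEY" -config "$CNF" -reqexts v3_req \
        -out "$WORK/cert.csr"
}

# The CSR embeds the public key; confirm it is the one derived from our key.
csr_matches_key() {
    a=$(openssl req -in "$WORK/cert.csr" -noout -pubkey)
    b=$(openssl rsa -in "$KEY" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Procedure 3: certificate followed by key in one PEM file, as the web server
# expects (/etc/CA/server.pem on the OnSite). Refuses a mismatched pair, which
# is the usual cause of a web server that will not start after a cert change.
install_bundle() {   # $1 = certificate file (e.g. the CA-signed cert.crt)
    a=$(openssl x509 -noout -modulus -in "$1" | openssl dgst -sha256)
    b=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null | openssl dgst -sha256)
    [ "$a" = "$b" ] || { echo "certificate does not match $KEY" >&2; return 1; }
    (umask 077; cat "$1" "$KEY" > "$WORK/server.pem")
    # on the appliance, follow with: daemon.sh restart WEB
}

# Check that a string (SAN, CA:FALSE, organisation) appears in the decoded cert.
cert_has() {   # $1 = certificate file, $2 = expected text
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

write_cnf; make_key; make_selfsigned; make_csr
install_bundle "$WORK/selfsigned.crt"
openssl x509 -in "$WORK/selfsigned.crt" -noout -subject -dates
```

When the CA returns the signed certificate, run install_bundle on that file instead of selfsigned.crt; the modulus comparison catches the case where the CSR was generated from a different key than the one being installed.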