OnSite generates its own self-signed SSL certificate for HTTPS. It is highly recommended that you regenerate the local OnSite-generated certificate with identifying data specific to your site and, at the same time, begin applying for an official certificate from a certificate authority (CA), such as VeriSign. Certificates from known CAs are recommended because many browsers only accept signed certificates from known CAs.

The openssl.cnf file must exist for configuring security certificates. By default, openssl looks for the file in /usr/local/ssl, as shown in the following error message:

OnSite administrators cannot write into the /usr directory, so we recommend putting the file into the /etc directory. The file can be downloaded from the Internet or copied from /etc/openssl.cnf. The file must be modified to suit your configuration.

# Mostly used for generation of certificate requests.
#################################################################

The following table shows the tasks for obtaining a signed certificate and where the tasks are documented.
Regenerating the local self-signed certificate so it contains information specific to your organization. (This should usually be done only as a temporary measure while awaiting a signed certificate from a CA.)

Obtaining a signed certificate from a CA in either of the two following ways:
• By setting up a local CA and generating your own certificate

To Configure an SSL Certificate With Your Organization’s Data

This procedure generates a new self-signed certificate, replacing the default Cyclades information with information specific to your organization.

Note: Like the default automatically-generated certificate, the certificate generated by this procedure is not CA-generated. It is recommended that you use the resulting self-signed certificate temporarily while waiting for a certificate signing request to be fulfilled by an official CA (as described in To Obtain a Signed Certificate From a Certificate Authority).
2.
[root@onsite /]# vi /etc/req_key
authorityKeyIdentifier = keyid:always,issuer:always
nsComment = "This is just a TEST certificate. Don't use it for real secure conections. Create your own certificate instead."
5.
To Obtain a Signed Certificate From a Certificate Authority

Before performing this procedure, generate a private key. Also see http://pki-page.org for a list of official CAs, if needed.

Make sure that the /etc/openssl.cnf file exists and has been configured properly. You can do one of the following:

Note: How to generate the private key is outside the scope of this document. See OpenSSL documentation available on the Internet for more information.
2. Use the command line shown in the following screen example, replacing private_key.pem with the name of the file that contains the private key.

Note: The command line in the screen example is broken into two lines because of space limitations. You can either enter the whole command on one line or include a backslash (\) as shown to tell the shell that the command continues on the following line.

[root@OnSite /]# openssl req -new -nodes -key \
private_key.pem -out cert.csr -config /etc/openssl.cnf

The openssl.cnf file must be in the /etc directory. The openssl utility prompts for the required information shown in the following table. Any other requested information is not required.
Country Name (2 letter code) [AU]: Refer to the ISO-3166 two-letter country code list if you do not know your country code.
State or Province Name (full name) [Some Country]: The full name (not the postal abbreviation) of your country
Organization Name (e.g., company) [Internet Widgits Ltd]: The organization for which you want to obtain the certificate
The department or section, such as Research and Development.
The fully qualified domain name where the certificate is to be installed

To Enable HTTPS By Installing the X.509 Certificate and the Server Key Where the Web Server Can Find It

This procedure requires a previously-generated private key and a signed certificate from a CA copied to the OnSite. The example shows the files copied into the OnSite’s /root directory. See To Obtain a Signed Certificate From a Certificate Authority, if needed.

This procedure copies the private key and the certificate to a directory where the AcsWeb server has been configured to find it.
2. The following screen example uses cert.crt as the name of the certificate file and private_key.pem as the name of the private key file.
3. The following screen example uses cert.crt as the name of the certificate file. Substitute the correct name for the certificate file.
[root@OnSite /root]# cat cert.crt > /etc/CA/server.pem
4. Make sure the files where you store the server key and certificate are listed in /etc/config_files.
[root@OnSite /root]# daemon.sh restart WEB
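
A check worth running before the certificate is copied into /etc/CA/server.pem: confirm that the certificate returned by the CA carries the public key of private_key.pem and has not expired. This is an added example, not part of the OnSite documentation; the function names are hypothetical, and the sample keys and self-signed certificate are constructed stand-ins generated in a temporary directory.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Succeed only if the certificate's public key equals the private key's public key.
# Returns 2 when either file cannot be parsed, so an unreadable file never "matches".
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate has not already expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run both checks; only a clean result should be followed by the copy
# into /etc/CA/server.pem shown in the procedure.
preinstall_check() {
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2 (or a file is unreadable)"; return 1; }
    cert_not_expired "$1" || { echo "FAIL: $1 has expired"; return 1; }
    echo "OK: $1 matches $2 and is within its validity period"
}

# Constructed sample input: two throwaway keys and a self-signed certificate
# standing in for the CA-issued cert.crt. Prints the directory it created.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=onsite.example.com\n' > "$d/openssl.cnf"
    openssl genrsa -out "$d/private_key.pem" 2048 2>/dev/null || return 1
    openssl genrsa -out "$d/other_key.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$d/private_key.pem" -out "$d/cert.crt" \
        -days 1 -config "$d/openssl.cnf" 2>/dev/null || return 1
    echo "$d"
}

sample=$(make_sample) || exit 1
preinstall_check "$sample/cert.crt" "$sample/private_key.pem"
preinstall_check "$sample/cert.crt" "$sample/other_key.pem" || true
rm -rf "$sample"
```

On a real unit, call preinstall_check with the actual certificate and key file names in /root instead of the generated sample.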