...

Use the following procedure to replace these certificates:

1. Make sure you have the custom certificate and key files provided in .pem format. If the key file is encrypted, make sure to also have the key passphrase in a .txt file.
   Use the following file names:

   Code Block
   custom_cer.pem custom_key.pem custom_key_passphrase.txt (optional)

2. In a Cell Environment, perform all the steps on the cell manager as well as the cell members, to secure both the Web Console (available on the cell manager only) and the Admin Console (available on the cell manager as well as on the cell members).

3. Log in to DPOD's server using SSH.

4. Copy the custom certificate file, the custom key file and optionally the custom key passphrase file to /etc/httpd/conf/certs.

5. Generate a new Diffie-Hellman (DH) Group for a more secured TLS session and append the new DH group parameters file to the custom certificate:

   Code Block
   language bash
   openssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048 cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf/certs/custom_cer.pem

6. Execute the following commands:

   Code Block
   language bash
   sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf

7. If the key file is encrypted, create a script named custom_key_passphrase.sh:

   Code Block
   vi /etc/httpd/conf/certs/custom_key_passphrase.sh

   with the following content:

   Code Block
   #!/bin/sh cat /etc/httpd/conf/certs/custom_key_passphrase.txt

   and execute the following commands:

   Code Block
   chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf

8. Run a syntax check on the httpd configuration file to make sure the configuration is valid:

   Code Block
   language bash
   apachectl -t

   Valid output:

   Code Block
   language bash
   Syntax OK

   Invalid output:

   Code Block
   AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf: SSLCertificateFile: file '/etc/httpd/conf/certs/custom_cer.pem' does not exist or is empty

9. Restart the web server:

   Code Block
   language bash
   service httpd restart

Troubleshooting

1. Make sure the certificate file is valid:

   Code Block
   language bash
   openssl x509 -inform PEM -in /etc/httpd/conf/certs/custom_cer.pem

   Valid output:

   Code Block
   language bash
   -----BEGIN CERTIFICATE----- MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw ... S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS GZYv2emdIk3/WcuMV0mqkXjhsw== -----END CERTIFICATE-----

   Invalid output:

   Code Block
   language bash
   unable to load certificate 140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

2. Make sure the key file is valid:

   Code Block
   language bash
   openssl rsa -in /etc/httpd/conf/certs/custom_key.pem -check

   Valid output:

   Code Block
   language bash
   RSA key ok writing RSA key -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck ... sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT -----END RSA PRIVATE KEY-----

   Invalid output:

   Code Block
   language bash
   unable to load Private Key 139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY