The process described in this page will let an administrator replace the default DPOD Web Console and Admin Console certificate with one signed by the organization.
Before You Begin
You will need:
...
system encrypts the communication between end-users and the Web & Admin Consoles with self-signed certificates generated during the installation.
Use the following procedure to replace these certificates:
Make sure you have the new certificate and key files
...
Process
- Log
provided in
.pem
format. In a Cell Environment, perform all the steps on the cell manager only.
Log in to DPOD's
applianceserver using SSH.
Copy Copy the new certificate and key file files either to the current certificate directory on the DPOD appliance or to any other directory of your choice.
The current certificate directory is/etc/httpd/conf/certs
.Generate a new Diffie-Hellman (DH) Group for a more secured TLS session:
Code Block language bash theme RDark openssl dhparam -out /etc/httpd/conf/certs/dhparams.pem 2048
Append the new DH group parameters file to the new certificate
Code Block language bash cat /etc/httpd/conf/certs/dhparams.pem >> /etc/httpd/conf/certs/New_DPOD_Cer.cer
See an example of the certificate file below:
Code Block -----BEGIN CERTIFICATE----- MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw MTE1ODQ1WjAeMRwwGgYDVQQDDBNPcGVyYXRpb25zRGFzaGJvYXJkMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf +Bi/dw91FtZESBgwWDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K /0j/2Muztvxq2kckI+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8Fh qFEH154DLp4MGsvbkU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCC fXNVrPSG8pSykKt/ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcRO tLbRi5jWU8HSkqztfxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABo1Aw TjAdBgNVHQ4EFgQU55Uu4PnL9s1sIY/H25gABo23w8swHwYDVR0jBBgwFoAU55Uu 4PnL9s1sIY/H25gABo23w8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC AQEAA1z1KHkxotKGlxNYdz9dKunpMKsRpE6hEzIvEI3ZU+1Is007AHelXBeRidN0 eHqVdcgOPn1EamEXjgqp7weXlPKyKlZGPdRD9hJR1/XvTuPBaJ/rI+NJkPQpfysY hWM32rMXuqQn6UUrPT9N7s+m4ArQmoQu3+ZipgGspQrSKW0xxq0d1n15RiC6UuJo ggKUYB4Gw3lOi6oKxX91NqhkVOzmaM7ok/Z+rOM6X6M2bC2KWN6IYjW688RiJE8j S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS GZYv2emdIk3/WcuMV0mqkXjhsw== -----END CERTIFICATE----- -----BEGIN DH PARAMETERS----- MIIBCAKCAQEA+SfHDxWo0BRXc/BxfJHZVkHtk16RmBHHiKv5HDOuhl1raZIEbJ2H 8e5Q0GVCxe30F7Cr66Wfx4jaHVQqkZ+YxuWLqDlHWUYeGPwXXdMXQtuQpPmfSbaT fb+dJ1OT4T5qRttzRWqlu+ZeKeYkOFMO7XqMcDMtMx8cCh6smtkPkG69Tb8cm0l8 0JQuSpRiqYq94pLAf1ReY2jFIWMEtGz4dwSBi7QD+Ncs0rPFecQPPFmmGp1hTeNf NhJHSMvkQrEiX7RHZVZVZ8ovwC9IzID5m2UgmDQ8/TgiBA9WyngswBFSglNvP9dK pb23nP4rDQ7sL307eponbeL/BsNUE4BeqwIBAg== -----END DH PARAMETERS-----
Open the web server configuration file for editing:
Code Block language bash theme RDark vi /etc/httpd/conf/httpd.conf
Update the SSL Certificate lines:
Code Block language bash theme RDark SSLCertificateFile "the new certificate file path" SSLCertificateKeyFile "the new key file path"
SSLCertificateKeyFile needs to point to a key of a "PEM" format.
SSLCertificateFile needs to point to a certificate of a "
DERThePEM" format.
Note Note: The certificate / key
can notcannot be stored in a keystore (JKS, PKCS).
Restart the web server:
Code Block language bash theme RDark service httpd restart
Troubleshooting
Run syntax check on the httpd configuration file to make sure the certificate and key file
pathpaths are valid:
Code Block language bash theme RDarkapachectl -t
Valid output should be : "Syntax OK"
Wrong certificate path: "SSLCertificateFile: file '/etc/httpd/conf/certs/DPOD.cer' does not exist or is empty"Make sure the certificate and key file
formatformats are valid.
Check key file format:Code Block language bash theme RDarkopenssl rsa -in DPOD.key -check Valid output
MIIEowIBAAKCAQEA6ti29asWLikNHmici/2SjgkQWjfrzw6n2l2AQ2AxzVPGwnoy POHWTz5+0H+WYfy0NgRNEn1KvcBqJtk26cM4NUhgdi7qP5g11u/1nkGqdJiPK3Dx BdivYLnJEQF6gvK57nzUHkEHMLc93zTJql+O5dUgjKdkG/DnIIPl9gXUuW33lo5V jftvMtdSoFIJ4SVMtriSTmE8CGH49CqVu03Qp5jhfAmz83V07QcD6YpBe9MD/fdE hwY/Y+kH+A1mBchAGTDLLz7O8a2FYoMHgkycDuiZuIBiSzSaV6Tf/my8n4F8c+kq c2fFTqHZmW0H8dMRi2RNRgvQ6Kn8joN7Tev4xQIDAQABAoIBAQDoitrv/A8keiWx XKjWvanm1vbIPuNSzhJLWZZuIMxvomsHm3QvcPiC00FDN3MzZ8UST8P5cPMXXXY/ LYsAgfwgVqCdperyOcfmIwm1QRSGC6KIw3cF8QAH6S89lZc4Hx0ZF6X6py11gZzU bjLab3DSB+4JGJ86Q5q5SaHlsPRo/qMWK934XvWpq/DejXFgEbVvGdUczafj7i8b 5gwKeVjJnEiXYH7IeayOJv1o9awlWRy0c/eAZ6nosAfQU3QFnpGKwNRlwbC2S6z2 HAaIF9wZt3qaTQV9gw4SwkO5RJTgCAMsC1EFgzby8dCsoK4pHjTeTTHhoHNCNs26 izolmLYBAoGBAPs5b+i4vfX8VGaFnaCgDJtS4/xnakHrwJtwGFS4EeMdBh/pDmsP 3rU4W6safuN3YGayt05Luu+5y1iZnioWv7ZsYFKcih5paFcVPf8ysUfdL7tAtfCe DZLxVpTZwct4UJ5ZPsmTBDzQDWv4OGAuyE+noCk4kXrkq1kDOTG6DHFBAoGBAO9P k4JQ4JpGzCk7gl3S604P7Oaq34KRP7+sJZmW2Ll/GOfLKxqmqX+yUej0lm+rssou QJHND7PdC3ctKGPsPvT8nDZeFqW5LXGEC2kqYZUvIMi/isIsfdN8TR21MRNkcZc2 1IV/ZhBhMfkaiZPxiwGG2Q5SKD0/Nxcr6iXJSqKFAoGAXZJFJm85AdgcL5tw3JUA XRIArNBv+WGv+bVEurlcoDT9RQFvR10/3EvDiPVzcZHTLC1ArT7zv7p6DOQazx5u BapULjD0GOO140mcL+NXuKaf0qUFnzufXq3ZS9PXpMuJa5FeG4JQv73WYfKwPNLv 9QtAUlophZaKY7sZoHXlkIECgYAWdeqLVZnvAOwShqJSugQZvIbok2sM7yMDk12o D69hoZstzjTKeI/6CzuC2MnxyzSpozOuO4fYwstbsSJUVo0GI1tqAuSvQzUPrWwA v9iOzvCNxuR4GwLoQYdfXW0wu8GphpzltrJWoTi2f5YgC5CXYReoL2/VZ8R86UM9 rqnRnQKBgAvWFGBFfOzdGlMET+Ym5HyvzK/at4e2b9TP8qAjMqGpEpVv+pU8c/rt Xz1eZNk9ptBIJiPlYaNPNM/75tQ1AMNlg0Sv9RzowsG8EJr5oSIq3xpulLhTFb8G 1gEARgpDLMdcsHVwjdW7lCCG+cA8ayyo0BVk/WONnUNCGQAMouSn: RSA key ok writing RSA key -----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck I+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8FhqFEH154DLp4MGsvb kU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCCfXNVrPSG8pSykKt/ ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcROtLbRi5jWU8HSkqzt fxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABAoIBAErv8Dvl9DkArE/2 dbMcArtxuROeeI2sKcIYqDZyVtFcsh39GtiwrxNRRil58TSTruT4C+4JvE6PKvVk N0vye7RDMbLwE4/1P7crkQd/oLZcYRF8LBdXJuYgr+Muvok8C8TttIpEvorrNeoJ sC/bxAVrRAcpa2SdaeyTLTBBdBk1roTbTkqeR6DK6yaOg9eJfFi9twjqxB2eAJlk TsXf/ltviuczPFOHNzl3jsuY4oJ2G+cAKqhaDK/Uz1PC61onpJToWDRqliE25pEa /eE6mLazoipbTGNGwGtuK1wn8p8wl9eTg6V4uYs4sUts0z65gEUn5yH9NadKqRH4 SIUYrBkCgYEA2ZDo1mCQVvmFdmkhR+lqIewo26T+gFujLrrOMKuGI4QVWrbHF9Gl 8nEa76FZWrkkXosOKBstdZkTy7A2Iod47sfb5KbPc1oKmZ3B4uKIi+lJ5IwuVhz2 bxlGjZnaZCJRPMltweT72X+Bk8g7aDQtvO5cni82BDlGeaQV5VySJ3cCgYEAwL8r h64a0F+xz724IKLMXHnt+BJd/myRnb/f7XWg6+7KEWIP2C0Gj82lrjak5cBNi/vh PnPHxAw2IGTTPij4N2g82vYEUktfWCA1+iFnVIJw6AG1n/BRWNjjByMcv/RKwhnK J0xzMtVXLVIjiPnVjjsVR6z1kYx6X8cBhpksd7UCgYEAokuu5Pxzr+3C2WnjIbnF Kjj44aBbGXVCbYF8fmH1VlkZdOoT6njByfEFnuxFs5+Yuc4RaWmcp7ThR3jTaT6V v8nnBtJIvkvUzHMaRx2lrnkAXjUT+7jvPEEmmErE1x2ibC32akVeegjbqFodtsX1 uJI3FOky6kOvht4YV1iOzlECgYBh47Uz31R252Li4rOUv5mSjcox5wIdqP37Y+tS Kh9kM44kbe0mGRfwCL1QUShGFvhLU8z9bsfR5XHH2ez+8Me/PA1MFw3yzZzKoPFI 65YS8XxuGBAp/l8SBHSot0hupJ8jHP3yH32SH4960PCDLH8tEQyprkm5deLgqa04 sqpG0QKBgCosnE6SFY8rBakV9E5YM7ug5sGZ/jBGXtxCmRBB0VpiGQIdiS7DyAlC sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT -----END RSA PRIVATE KEY-----
:Invalid Output:
unable to load Private Key 139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY
Check certificate file format:Code Block language bash theme RDark
-textopenssl x509 -inform PEM -in DPOD.cer
-nooutValid output
Certificate: Data: Version: 3 (0x2) Serial Number: ab:36:a9:5c:d4:1d:c3:aa Signature Algorithm: sha256WithRSAEncryption Issuer: CN = OperationsDashboard Validity Not Before: May 15 09:09:18 2017 GMT Not After : May 13 09:09:18 2027 GMT Subject: CN = OperationsDashboard Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ea:d8:b6:f5:ab:16:2e:29:0d:1e:68:9c:8b:fd: 92:8e:09:10:5a:37:eb:cf:0e:a7:da:5d:80:43:60: 31:cd:53:c6:c2:7a:32:3c:e1:d6:4f:3e:7e:d0:7f: 96:61:fc:b4:36:04:4d:12:7d:4a:bd:c0:6a:26:d9: 36:e9:c3:38:35:48:60:76:2e:ea:3f:98:35:d6:ef: f5:9e:41:aa:74:98:8f:2b:70:f1:05:d8:af:60:b9: c9:11:01:7a:82:f2:b9:ee:7c:d4:1e:41:07:30:b7: 3d:df:34:c9:aa:5f:8e:e5:d5:20:8c:a7:64:1b:f0: e7:20:83:e5:f6:05:d4:b9:6d:f7:96:8e:55:8d:fb: 6f:32:d7:52:a0:52:09:e1:25:4c:b6:b8:92:4e:61: 3c:08:61:f8:f4:2a:95:bb:4d:d0:a7:98:e1:7c:09: b3:f3:75:74:ed:07:03:e9:8a:41:7b:d3:03:fd:f7: 44:87:06:3f:63:e9:07:f8:0d:66:05:c8:40:19:30: cb:2f:3e:ce:f1:ad:85:62:83:07:82:4c:9c:0e:e8: 99:b8:80:62:4b:34:9a:57:a4:df:fe:6c:bc:9f:81: 7c:73:e9:2a:73:67:c5:4e:a1:d9:99:6d:07:f1:d3: 11:8b:64:4d:46:0b:d0:e8:a9:fc:8e:83:7b:4d:eb: f8:c5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: E7:09:B0:A0:66:32:5F:BD:BF:8E:9E:76:07:02:AB:58:FD:E3:CD:66 X509v3 Authority Key Identifier: keyid:E7:09:B0:A0:66:32:5F:BD:BF:8E:9E:76:07:02:AB:58:FD:E3:CD:66 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 3a:f3:8b:41:31:77:93:c9:28:85:f0:81:31:5c:fb:19:ad:05: 26:81:98:a7:28:e5:6a:35:04:d3:e5:72:fa:f7:3f:50:42:c1: c6:32:da:f0:49:6c:31:b4:c3:5a:9c:b4:64:66:67:2f:e3:87: fe:cc:2c:2f:3b:89:e0:be:6c:c5:be:0a:be:50:e2:cd:40:2f: 90:37:91:8d:4c:48:f6:98:88:53:bc:03:f4:61:70:63:07:5f: 44:dd:8a:8c:9b:d5:5c:d2:cf:b7:35:8b:3d:3a:e2:87:28:67: 40:dc:d6:c2:63:b0:94:29:be:ce:46:28:c0:c5:20:d4:09:a3: f7:dc:7d:d1:18:8d:cc:a8:1c:af:dc:6d:c9:47:c5:aa:23:b8: 74:92:77:ab:76:5c:f8:91:8d:f0:2c:3b:ba:35:c7:1f:d6:91: 34:5d:bf:e6:a1:75:bb:4f:56:c8:b1:b8:2d:84:1c:5a:73:24: e6:9a:dd:7c:06:c3:70:49:2f:22:e4:50:f6:ec:ae:a4:92:20: 07:cd:07:09:c8:81:4f:a2:f9:f7:55:da:72:90:00:a6:09:4b: 7d:b5:58:53:4a:d6:da:08:9e:62:b1:b1:c4:56:34:e1:98:a5: 14:47:4b:1e:60:5a:d5:53:11:d4:c2:c7:84:fc:f6:2d:41:06: 04:e4:e6:ba Invalid Output ::
-----BEGIN CERTIFICATE----- MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw MTE1ODQ1WjAeMRwwGgYDVQQDDBNPcGVyYXRpb25zRGFzaGJvYXJkMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf +Bi/dw91FtZESBgwWDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K /0j/2Muztvxq2kckI+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8Fh qFEH154DLp4MGsvbkU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCC fXNVrPSG8pSykKt/ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcRO tLbRi5jWU8HSkqztfxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABo1Aw TjAdBgNVHQ4EFgQU55Uu4PnL9s1sIY/H25gABo23w8swHwYDVR0jBBgwFoAU55Uu 4PnL9s1sIY/H25gABo23w8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC AQEAA1z1KHkxotKGlxNYdz9dKunpMKsRpE6hEzIvEI3ZU+1Is007AHelXBeRidN0 eHqVdcgOPn1EamEXjgqp7weXlPKyKlZGPdRD9hJR1/XvTuPBaJ/rI+NJkPQpfysY hWM32rMXuqQn6UUrPT9N7s+m4ArQmoQu3+ZipgGspQrSKW0xxq0d1n15RiC6UuJo ggKUYB4Gw3lOi6oKxX91NqhkVOzmaM7ok/Z+rOM6X6M2bC2KWN6IYjW688RiJE8j S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS GZYv2emdIk3/WcuMV0mqkXjhsw== -----END CERTIFICATE----- Invalid Output: unable to load certificate 140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE