The process described in this page will let an administrator replace the default DPOD Web Console and Admin Console certificate with one signed by the organization.
Before You Begin
You will need:
- Access to the DPOD appliance
- The new certificate and key files
Process
DPOD encrypts the communication between end-users and the Web & Admin Consoles with self-signed certificates generated during the installation. Use the following procedure to replace these certificates.

The current certificate directory on the DPOD appliance is /etc/httpd/conf/certs. The new certificate and key file can be copied either to this directory or to any other directory of your choice; the commands below assume the current certificate directory.

1. Make sure you have the custom certificate and key files in .pem format. If the key file is encrypted, make sure to also have the key passphrase in a .txt file. Use the following file names:

    custom_cer.pem
    custom_key.pem
    custom_key_passphrase.txt (optional)

2. In a Cell Environment, perform all the steps on the cell manager only.

3. Log in to DPOD's server using SSH.

4. Copy the custom certificate file, the custom key file and, optionally, the custom key passphrase file to /etc/httpd/conf/certs.

5. Generate a new Diffie-Hellman (DH) group for a more secure TLS session and append the new DH group parameters file to the custom certificate:

    openssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048
    cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf/certs/custom_cer.pem

6. Update the SSL certificate lines in the web server configuration file (/etc/httpd/conf/httpd.conf) by executing the following commands:

    sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf
    sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf

   If you open /etc/httpd/conf/httpd.conf for editing by hand instead, the two lines must read:

    SSLCertificateFile "the new certificate file path"
    SSLCertificateKeyFile "the new key file path"

   SSLCertificateKeyFile needs to point to a key of a "PEM" format. SSLCertificateFile needs to point to a certificate of a "DER" format.
   Note: the certificate / key cannot be stored in a keystore (JKS, PKCS).

7. If the key file is encrypted, create a script named custom_key_passphrase.sh:

    vi /etc/httpd/conf/certs/custom_key_passphrase.sh

   with the following content:

    #!/bin/sh
    cat /etc/httpd/conf/certs/custom_key_passphrase.txt

   and execute the following commands:

    chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh
    sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf
    sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf

8. Run a syntax check on the httpd configuration file to make sure the configuration is valid and the certificate and key file paths are correct:

    apachectl -t

   Valid output:

    Syntax OK

   Invalid output (wrong certificate path):

    AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf:
    SSLCertificateFile: file '/etc/httpd/conf/certs/custom_cer.pem' does not exist or is empty

9. Restart the web server:

    service httpd restart

Troubleshooting

Make sure the certificate and key file formats are valid.

Check that the key file format is valid:

    openssl rsa -in /etc/httpd/conf/certs/custom_key.pem -check

Valid output:

    RSA key ok
    writing RSA key
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw
    WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck
    ...
    sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs
    DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT
    -----END RSA PRIVATE KEY-----

Invalid output:

    unable to load Private Key
    139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY

Check that the certificate file format is valid:

    openssl x509 -inform PEM -in /etc/httpd/conf/certs/custom_cer.pem

Valid output:

    -----BEGIN CERTIFICATE-----
    MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
    BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
    ...
    S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
    GZYv2emdIk3/WcuMV0mqkXjhsw==
    -----END CERTIFICATE-----

To inspect the decoded fields instead (issuer, validity, subject, key size), add -text -noout to the same command.

Invalid output:

    unable to load certificate
    140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE
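The checks above (key and certificate format, the DH parameters appended to the certificate, and the passphrase script an encrypted key needs) can be run in one go before httpd is restarted. The following script is an added example, not part of DPOD or its documentation: it validates the PEM structure of the files the procedure places under /etc/httpd/conf/certs using only the Python standard library, so it complements rather than replaces the openssl checks; the function and message names are this example's own.

```python
import base64, os, re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(data):
    """Return [(label, body, der)] per PEM block; der is None when the base64 body is malformed."""
    blocks = []
    for m in PEM_RE.finditer(data):
        body = m.group(2)  # may begin with RFC 1421 headers such as "Proc-Type: 4,ENCRYPTED"
        b64 = b"".join(l.strip() for l in body.splitlines() if l.strip() and b":" not in l)
        try:
            der = base64.b64decode(b64, validate=True) or None
        except ValueError:
            der = None
        blocks.append((m.group(1).decode(), body, der))
    return blocks

def check_cert_file(data):
    """custom_cer.pem must hold a CERTIFICATE block plus the DH PARAMETERS appended in step 5."""
    if not data.strip():
        return ["certificate file does not exist or is empty"]  # the AH00526 case on the page
    if data.startswith(b"\xfe\xed\xfe\xed") or data[:1] == b"\x30":  # JKS magic, or DER/PKCS#12
        return ["binary keystore or DER input; mod_ssl needs PEM (no JKS or PKCS keystores)"]
    blocks = pem_blocks(data)
    labels = [label for label, _, _ in blocks]
    problems = [f"{label}: base64 body does not decode" for label, _, der in blocks if der is None]
    if "CERTIFICATE" not in labels:
        problems.append("no start line: expecting TRUSTED CERTIFICATE")
    if "DH PARAMETERS" not in labels:
        problems.append("DH PARAMETERS not appended to the certificate (step 5)")
    return problems

def check_key_file(data, passphrase_script_exists=False):
    """custom_key.pem must hold a private key; an encrypted one needs the SSLPassPhraseDialog script."""
    keys = [b for b in pem_blocks(data) if b[0].endswith("PRIVATE KEY")]
    if not keys:
        return ["no start line: expecting ANY PRIVATE KEY"]
    label, body, der = keys[0]
    problems = [] if der is not None else [f"{label}: base64 body does not decode"]
    if (label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body) and not passphrase_script_exists:
        problems.append("key is encrypted: create custom_key_passphrase.sh and set SSLPassPhraseDialog")
    return problems

def preflight(cert_dir="/etc/httpd/conf/certs"):
    """Check the files the procedure places in cert_dir; an empty list means run apachectl -t next."""
    def read(name):  # a missing file reads as empty, which is also how httpd reports it
        path = os.path.join(cert_dir, name)
        return open(path, "rb").read() if os.path.isfile(path) else b""
    script_exists = os.path.isfile(os.path.join(cert_dir, "custom_key_passphrase.sh"))
    return check_cert_file(read("custom_cer.pem")) + check_key_file(read("custom_key.pem"), script_exists)
```

Call preflight() on the cell manager after step 7; every returned string names a file that would make apachectl -t or the openssl checks fail.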