Versions Compared

Old Version 15

changes.mady.by.user Amit Munwes

Saved on

compared with

New Version Current

changes.mady.by.user Amit Munwes

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The process described in this page will let an administrator replace the default DPOD Web Console and Admin Console certificate with one signed by the organization.

Before You Begin

You will need:

  • Access to the DPOD appliance
  • The new certificate and key files

Process

...

 Copy the new certificate and key file either to the current certificate directory on the DPOD appliance or to any other directory of your choice.
The current certificate directory is:

...

languagebash
themeRDark

system encrypts the communication between end-users and the Web & Admin Consoles with self-signed certificates generated during the installation.

Use the following procedure to replace these certificates:

  1. Make sure you have the custom certificate and key files provided in .pem format. If the key file is encrypted, make sure to also have the key passphrase in a .txt file.
    Use the following file names:

    Code Block
    custom_cer.pem
custom_key.pem
custom_key_passphrase.txt      (optional)

  2. In a Cell Environment, perform all the steps on the cell manager only.

  3. Log in to DPOD's server using SSH.

  4. Copy the custom certificate file, the custom key file and optionally the custom key passphrase file to /etc/httpd/conf/certs

    Open the web server configuration file for editing

    .

  5. Generate a new Diffie-Hellman (DH) Group for a more secured TLS session and append the new DH group parameters file to the custom certificate:

    Code Block
    languagebash
    themeRDark
    viopenssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048
cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf
    Update the SSL Certificate lines
    /certs/custom_cer.pem

  6. Execute the following commands:

    Code Block
    languagebash
    themeRDark
    SSLCertificateFile "the new certificate file path"
SSLCertificateKeyFile "the new key file path"

    SSLCertificateKeyFile needs to point to a key of a "PEM" format. 

    SSLCertificateFile needs to point to a certificate of a "DER" format.
    Note

    The certificate / key can not be stored in a keystore (JKS, PKCS)

    Restart the web server

    Code Block
    languagebash
    themeRDark
    service httpd restart
    Troubleshooting
    Run syntax check on httpd configuration file to make sure certificate and key file path are 
    sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf
sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf

  7. If the key file is encrypted, create a script named custom_key_passphrase.sh:

    Code Block
    vi /etc/httpd/conf/certs/custom_key_passphrase.sh

    with the following content:

    Code Block
    #!/bin/sh
cat /etc/httpd/conf/certs/custom_key_passphrase.txt

    and execute the following commands:

    Code Block
    chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh
sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf
sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf

  8. Run a syntax check on the httpd configuration file to make sure the configuration is valid:

    Code Block
    languagebash
    theme
    RDark
    apachectl -t

    Valid output

    should be : "Syntax OK"
    Wrong certificate path : "SSLCertificateFile: file

    :

    Code Block
    languagebash
    Syntax OK

    Invalid output:

    Code Block
    AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf:
SSLCertificateFile: file '/etc/httpd/conf/certs/
    DPOD
    custom_cer.
    cer
    pem' does not exist or is
    empty"
     empty

  9. Restart the web server:

    Code Block
    languagebash
    service httpd restart

Troubleshooting

  1. Make sure the certificate

    and key

    file

    format are valid
    Check key file format

    is valid:

    Code Block
    languagebash
    themeRDark
    openssl
    rsa
    x509 -
    in
    inform
    DPOD.key
    PEM -
    check Valid output : RSA key ok writing RSA key 
    in /etc/httpd/conf/certs/custom_cer.pem

    Valid output:

    Code Block
    languagebash
    -----BEGIN
    RSA PRIVATE KEY
    CERTIFICATE-----
    MIIEowIBAAKCAQEA6ti29asWLikNHmici/2SjgkQWjfrzw6n2l2AQ2AxzVPGwnoy POHWTz5+0H+WYfy0NgRNEn1KvcBqJtk26cM4NUhgdi7qP5g11u/1nkGqdJiPK3Dx BdivYLnJEQF6gvK57nzUHkEHMLc93zTJql+O5dUgjKdkG/DnIIPl9gXUuW33lo5V jftvMtdSoFIJ4SVMtriSTmE8CGH49CqVu03Qp5jhfAmz83V07QcD6YpBe9MD/fdE hwY/Y+kH+A1mBchAGTDLLz7O8a2FYoMHgkycDuiZuIBiSzSaV6Tf/my8n4F8c+kq c2fFTqHZmW0H8dMRi2RNRgvQ6Kn8joN7Tev4xQIDAQABAoIBAQDoitrv/A8keiWx XKjWvanm1vbIPuNSzhJLWZZuIMxvomsHm3QvcPiC00FDN3MzZ8UST8P5cPMXXXY/ LYsAgfwgVqCdperyOcfmIwm1QRSGC6KIw3cF8QAH6S89lZc4Hx0ZF6X6py11gZzU bjLab3DSB+4JGJ86Q5q5SaHlsPRo/qMWK934XvWpq/DejXFgEbVvGdUczafj7i8b 5gwKeVjJnEiXYH7IeayOJv1o9awlWRy0c/eAZ6nosAfQU3QFnpGKwNRlwbC2S6z2 HAaIF9wZt3qaTQV9gw4SwkO5RJTgCAMsC1EFgzby8dCsoK4pHjTeTTHhoHNCNs26 izolmLYBAoGBAPs5b+i4vfX8VGaFnaCgDJtS4/xnakHrwJtwGFS4EeMdBh/pDmsP 3rU4W6safuN3YGayt05Luu+5y1iZnioWv7ZsYFKcih5paFcVPf8ysUfdL7tAtfCe DZLxVpTZwct4UJ5ZPsmTBDzQDWv4OGAuyE+noCk4kXrkq1kDOTG6DHFBAoGBAO9P k4JQ4JpGzCk7gl3S604P7Oaq34KRP7+sJZmW2Ll/GOfLKxqmqX+yUej0lm+rssou QJHND7PdC3ctKGPsPvT8nDZeFqW5LXGEC2kqYZUvIMi/isIsfdN8TR21MRNkcZc2 1IV/ZhBhMfkaiZPxiwGG2Q5SKD0/Nxcr6iXJSqKFAoGAXZJFJm85AdgcL5tw3JUA XRIArNBv+WGv+bVEurlcoDT9RQFvR10/3EvDiPVzcZHTLC1ArT7zv7p6DOQazx5u BapULjD0GOO140mcL+NXuKaf0qUFnzufXq3ZS9PXpMuJa5FeG4JQv73WYfKwPNLv 9QtAUlophZaKY7sZoHXlkIECgYAWdeqLVZnvAOwShqJSugQZvIbok2sM7yMDk12o D69hoZstzjTKeI/6CzuC2MnxyzSpozOuO4fYwstbsSJUVo0GI1tqAuSvQzUPrWwA v9iOzvCNxuR4GwLoQYdfXW0wu8GphpzltrJWoTi2f5YgC5CXYReoL2/VZ8R86UM9 rqnRnQKBgAvWFGBFfOzdGlMET+Ym5HyvzK/at4e2b9TP8qAjMqGpEpVv+pU8c/rt Xz1eZNk9ptBIJiPlYaNPNM/75tQ1AMNlg0Sv9RzowsG8EJr5oSIq3xpulLhTFb8G 1gEARgpDLMdcsHVwjdW7lCCG+cA8ayyo0BVk/WONnUNCGQAMouSn
    MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
...
S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
GZYv2emdIk3/WcuMV0mqkXjhsw==
-----END
    RSA PRIVATE KEY
    CERTIFICATE-----
    Invalid Output :
    Invalid output:
     Code Block
    languagebash
    unable to load 
    Private
    certificate 
    Key 139695916947264
    140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: 
    ANY
    TRUSTED 
    PRIVATE KEYCheck certificate file format
    CERTIFICATE
  2. Make sure the key file is valid:
     Code Block
    languagebash
    themeRDark
    openssl 
    x509
    rsa -in 
    DPOD.cer -text -noout
Valid output :
Certificate: Data: Version: 3 (0x2) Serial Number: ab:36:a9:5c:d4:1d:c3:aa Signature Algorithm: sha256WithRSAEncryption Issuer: CN = OperationsDashboard Validity Not Before: May 15 09:09:18 2017 GMT Not After : May 13 09:09:18 2027 GMT Subject: CN = OperationsDashboard Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ea:d8:b6:f5:ab:16:2e:29:0d:1e:68:9c:8b:fd: 92:8e:09:10:5a:37:eb:cf:0e:a7:da:5d:80:43:60: 31:cd:53:c6:c2:7a:32:3c:e1:d6:4f:3e:7e:d0:7f: 96:61:fc:b4:36:04:4d:12:7d:4a:bd:c0:6a:26:d9: 36:e9:c3:38:35:48:60:76:2e:ea:3f:98:35:d6:ef: f5:9e:41:aa:74:98:8f:2b:70:f1:05:d8:af:60:b9: c9:11:01:7a:82:f2:b9:ee:7c:d4:1e:41:07:30:b7: 3d:df:34:c9:aa:5f:8e:e5:d5:20:8c:a7:64:1b:f0: e7:20:83:e5:f6:05:d4:b9:6d:f7:96:8e:55:8d:fb: 6f:32:d7:52:a0:52:09:e1:25:4c:b6:b8:92:4e:61: 3c:08:61:f8:f4:2a:95:bb:4d:d0:a7:98:e1:7c:09: b3:f3:75:74:ed:07:03:e9:8a:41:7b:d3:03:fd:f7: 44:87:06:3f:63:e9:07:f8:0d:66:05:c8:40:19:30: cb:2f:3e:ce:f1:ad:85:62:83:07:82:4c:9c:0e:e8: 99:b8:80:62:4b:34:9a:57:a4:df:fe:6c:bc:9f:81: 7c:73:e9:2a:73:67:c5:4e:a1:d9:99:6d:07:f1:d3: 11:8b:64:4d:46:0b:d0:e8:a9:fc:8e:83:7b:4d:eb: f8:c5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: E7:09:B0:A0:66:32:5F:BD:BF:8E:9E:76:07:02:AB:58:FD:E3:CD:66 X509v3 Authority Key Identifier: keyid:E7:09:B0:A0:66:32:5F:BD:BF:8E:9E:76:07:02:AB:58:FD:E3:CD:66 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha256WithRSAEncryption 3a:f3:8b:41:31:77:93:c9:28:85:f0:81:31:5c:fb:19:ad:05: 26:81:98:a7:28:e5:6a:35:04:d3:e5:72:fa:f7:3f:50:42:c1: c6:32:da:f0:49:6c:31:b4:c3:5a:9c:b4:64:66:67:2f:e3:87: fe:cc:2c:2f:3b:89:e0:be:6c:c5:be:0a:be:50:e2:cd:40:2f: 90:37:91:8d:4c:48:f6:98:88:53:bc:03:f4:61:70:63:07:5f: 44:dd:8a:8c:9b:d5:5c:d2:cf:b7:35:8b:3d:3a:e2:87:28:67: 40:dc:d6:c2:63:b0:94:29:be:ce:46:28:c0:c5:20:d4:09:a3: f7:dc:7d:d1:18:8d:cc:a8:1c:af:dc:6d:c9:47:c5:aa:23:b8: 74:92:77:ab:76:5c:f8:91:8d:f0:2c:3b:ba:35:c7:1f:d6:91: 34:5d:bf:e6:a1:75:bb:4f:56:c8:b1:b8:2d:84:1c:5a:73:24: e6:9a:dd:7c:06:c3:70:49:2f:22:e4:50:f6:ec:ae:a4:92:20: 07:cd:07:09:c8:81:4f:a2:f9:f7:55:da:72:90:00:a6:09:4b: 7d:b5:58:53:4a:d6:da:08:9e:62:b1:b1:c4:56:34:e1:98:a5: 14:47:4b:1e:60:5a:d5:53:11:d4:c2:c7:84:fc:f6:2d:41:06: 04:e4:e6:ba


Invalid Output :unable to load certificate 140583261931328
    /etc/httpd/conf/certs/custom_key.pem -check
    Valid output:
     Code Block
    languagebash
    RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw
WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck
...
sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs
DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT
-----END RSA PRIVATE KEY-----
    Invalid output:
     Code Block
    languagebash
    unable to load Private Key 139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: 
    TRUSTED
    ANY PRIVATE 
    CERTIFICATE
    KEY