Versions Compared

Old Version 20

changes.mady.by.user Amit Munwes

Saved on

compared with

New Version Current

changes.mady.by.user Amit Munwes

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Use the following procedure to replace these certificates:

  1. Make sure you have the new custom certificate and key files provided in .pem format. If the key file is encrypted, make sure to also have the key passphrase in a .txt file.
    Use the following file names:

    Code Block
    custom_cer.pem
custom_key.pem
custom_key_passphrase.txt      (optional)

  2. In a Cell Environment, perform all the steps on the cell manager only.

  3. Log in to DPOD's server using SSH.

  4. Copy the new certificate and key files either to the current certificate directory on the DPOD appliance or to any other directory of your choice.
    The current certificate directory is custom certificate file, the custom key file and optionally the custom key passphrase file to /etc/httpd/conf/certs.

  5. Generate a new Diffie-Hellman (DH) Group for a more secured TLS session and append the new DH group parameters file to the custom certificate:

    Code Block
    languagebash
    openssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048

    Append the new DH group parameters file to the new certificate

    Code Block
    languagebash
    
cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf/certs/Newcustom_DPOD_Cercer.cer
    See an example of the certificate file below
    pem

  6. Execute the following commands:

    Code Block
    -----BEGIN CERTIFICATE-----
MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
MTE1ODQ1WjAeMRwwGgYDVQQDDBNPcGVyYXRpb25zRGFzaGJvYXJkMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf
+Bi/dw91FtZESBgwWDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K
/0j/2Muztvxq2kckI+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8Fh
qFEH154DLp4MGsvbkU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCC
fXNVrPSG8pSykKt/ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcRO
tLbRi5jWU8HSkqztfxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABo1Aw
TjAdBgNVHQ4EFgQU55Uu4PnL9s1sIY/H25gABo23w8swHwYDVR0jBBgwFoAU55Uu
4PnL9s1sIY/H25gABo23w8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEAA1z1KHkxotKGlxNYdz9dKunpMKsRpE6hEzIvEI3ZU+1Is007AHelXBeRidN0
eHqVdcgOPn1EamEXjgqp7weXlPKyKlZGPdRD9hJR1/XvTuPBaJ/rI+NJkPQpfysY
hWM32rMXuqQn6UUrPT9N7s+m4ArQmoQu3+ZipgGspQrSKW0xxq0d1n15RiC6UuJo
ggKUYB4Gw3lOi6oKxX91NqhkVOzmaM7ok/Z+rOM6X6M2bC2KWN6IYjW688RiJE8j
S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
GZYv2emdIk3/WcuMV0mqkXjhsw==
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA+SfHDxWo0BRXc/BxfJHZVkHtk16RmBHHiKv5HDOuhl1raZIEbJ2H
8e5Q0GVCxe30F7Cr66Wfx4jaHVQqkZ+YxuWLqDlHWUYeGPwXXdMXQtuQpPmfSbaT
fb+dJ1OT4T5qRttzRWqlu+ZeKeYkOFMO7XqMcDMtMx8cCh6smtkPkG69Tb8cm0l8
0JQuSpRiqYq94pLAf1ReY2jFIWMEtGz4dwSBi7QD+Ncs0rPFecQPPFmmGp1hTeNf
NhJHSMvkQrEiX7RHZVZVZ8ovwC9IzID5m2UgmDQ8/TgiBA9WyngswBFSglNvP9dK
pb23nP4rDQ7sL307eponbeL/BsNUE4BeqwIBAg==
-----END DH PARAMETERS-----

    Open the web server configuration file for editing:

    Code Block
    languagebash
    languagebash
    sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf
sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf

  7. If the key file is encrypted, create a script named custom_key_passphrase.sh:

    Code Block
    vi /etc/httpd/conf/httpd.conf

  8. Update the SSL Certificate lines:

    Code Block
    languagebash
    SSLCertificateFile "the new certificate file path"
SSLCertificateKeyFile "the new key file path"

    SSLCertificateKeyFile needs to point to a key of a "PEM" format. 

    SSLCertificateFile needs to point to a certificate of a "PEM" format.
    Note: The certificate / key cannot be stored in a keystore (JKS, PKCS).

  9. Restart the web server:

    Code Block
    languagebash
    service httpd restart

Troubleshooting

  1. Run 
    certs/custom_key_passphrase.sh

    with the following content:

    Code Block
    #!/bin/sh
cat /etc/httpd/conf/certs/custom_key_passphrase.txt

    and execute the following commands:

    Code Block
    chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh
sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf
sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf

  2. Run a syntax check on the httpd configuration file to make sure the certificate and key file paths are configuration is valid:

    Code Block
    languagebash
    apachectl -t

    Valid output should be : "Syntax OK"
    Wrong certificate path: "SSLCertificateFile: file :

    Code Block
    languagebash
    Syntax OK

    Invalid output:

    Code Block
    AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf:
SSLCertificateFile: file '/etc/httpd/conf/certs/
    DPOD
    custom_cer.
    cer
    pem' does not exist or is
    empty"
     empty

  3. Restart the web server:

    Code Block
    languagebash
    service httpd restart

Troubleshooting

  1. Make sure the certificate and key file formats are valid.
    Check key file formatis valid:

    Code Block
    languagebash
    openssl rsax509 -ininform DPOD.keyPEM -check

Valid output:
RSA key ok
writing RSA key
in /etc/httpd/conf/certs/custom_cer.pem

    Valid output:

    Code Block
    languagebash
    -----BEGIN RSA PRIVATE KEYCERTIFICATE-----
MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw
WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck
I+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8FhqFEH154DLp4MGsvb
kU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCCfXNVrPSG8pSykKt/
ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcROtLbRi5jWU8HSkqzt
fxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABAoIBAErv8Dvl9DkArE/2
dbMcArtxuROeeI2sKcIYqDZyVtFcsh39GtiwrxNRRil58TSTruT4C+4JvE6PKvVk
N0vye7RDMbLwE4/1P7crkQd/oLZcYRF8LBdXJuYgr+Muvok8C8TttIpEvorrNeoJ
sC/bxAVrRAcpa2SdaeyTLTBBdBk1roTbTkqeR6DK6yaOg9eJfFi9twjqxB2eAJlk
TsXf/ltviuczPFOHNzl3jsuY4oJ2G+cAKqhaDK/Uz1PC61onpJToWDRqliE25pEa
/eE6mLazoipbTGNGwGtuK1wn8p8wl9eTg6V4uYs4sUts0z65gEUn5yH9NadKqRH4
SIUYrBkCgYEA2ZDo1mCQVvmFdmkhR+lqIewo26T+gFujLrrOMKuGI4QVWrbHF9Gl
8nEa76FZWrkkXosOKBstdZkTy7A2Iod47sfb5KbPc1oKmZ3B4uKIi+lJ5IwuVhz2
bxlGjZnaZCJRPMltweT72X+Bk8g7aDQtvO5cni82BDlGeaQV5VySJ3cCgYEAwL8r
h64a0F+xz724IKLMXHnt+BJd/myRnb/f7XWg6+7KEWIP2C0Gj82lrjak5cBNi/vh
PnPHxAw2IGTTPij4N2g82vYEUktfWCA1+iFnVIJw6AG1n/BRWNjjByMcv/RKwhnK
J0xzMtVXLVIjiPnVjjsVR6z1kYx6X8cBhpksd7UCgYEAokuu5Pxzr+3C2WnjIbnF
Kjj44aBbGXVCbYF8fmH1VlkZdOoT6njByfEFnuxFs5+Yuc4RaWmcp7ThR3jTaT6V
v8nnBtJIvkvUzHMaRx2lrnkAXjUT+7jvPEEmmErE1x2ibC32akVeegjbqFodtsX1
uJI3FOky6kOvht4YV1iOzlECgYBh47Uz31R252Li4rOUv5mSjcox5wIdqP37Y+tS
Kh9kM44kbe0mGRfwCL1QUShGFvhLU8z9bsfR5XHH2ez+8Me/PA1MFw3yzZzKoPFI
65YS8XxuGBAp/l8SBHSot0hupJ8jHP3yH32SH4960PCDLH8tEQyprkm5deLgqa04
sqpG0QKBgCosnE6SFY8rBakV9E5YM7ug5sGZ/jBGXtxCmRBB0VpiGQIdiS7DyAlC
sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs
DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT
MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
...
S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
GZYv2emdIk3/WcuMV0mqkXjhsw==
-----END RSA PRIVATE KEYCERTIFICATE-----


Invalid Output:

    Invalid output:

    Code Block
    languagebash
    unable to load Privatecertificate Key 139695916947264140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANYTRUSTED PRIVATE KEY
    Check certificate file format
    CERTIFICATE

  2. Make sure the key file is valid:

    Code Block
    languagebash
    openssl x509rsa -inform PEM -in DPOD.cer

Valid output:in /etc/httpd/conf/certs/custom_key.pem -check

    Valid output:

    Code Block
    languagebash
    RSA key ok
writing RSA key
-----BEGIN CERTIFICATERSA PRIVATE KEY-----
MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
MTE1ODQ1WjAeMRwwGgYDVQQDDBNPcGVyYXRpb25zRGFzaGJvYXJkMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo88mvSbcYEGfd2dgKwzDmcMIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf
+Bi/dw91FtZESBgwWDfgIihvXmEtOdw91FtZESBgw
WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K
/0j/2Muztvxq2kckI+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8Fh
qFEH154DLp4MGsvbkU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCC
fXNVrPSG8pSykKt/ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcRO
tLbRi5jWU8HSkqztfxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABo1Aw
TjAdBgNVHQ4EFgQU55Uu4PnL9s1sIY/H25gABo23w8swHwYDVR0jBBgwFoAU55Uu
4PnL9s1sIY/H25gABo23w8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
AQEAA1z1KHkxotKGlxNYdz9dKunpMKsRpE6hEzIvEI3ZU+1Is007AHelXBeRidN0
eHqVdcgOPn1EamEXjgqp7weXlPKyKlZGPdRD9hJR1/XvTuPBaJ/rI+NJkPQpfysY
hWM32rMXuqQn6UUrPT9N7s+m4ArQmoQu3+ZipgGspQrSKW0xxq0d1n15RiC6UuJo
ggKUYB4Gw3lOi6oKxX91NqhkVOzmaM7ok/Z+rOM6X6M2bC2KWN6IYjW688RiJE8j
S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
GZYv2emdIk3/WcuMV0mqkXjhsw==2Muztvxq2kck
...
sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs
DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT
-----END CERTIFICATERSA PRIVATE KEY-----


Invalid Output:

    Invalid output:

    Code Block
    languagebash
    unable to load certificatePrivate Key 140583261931328139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANY TRUSTEDPRIVATE CERTIFICATEKEY