...
Use the following procedure to replace these certificates:
Make sure you have the new custom certificate and key files provided in
.pem
format. If the key file is encrypted, make sure to also have the key passphrase in a.txt
file.
Use the following file names:Code Block custom_cer.pem custom_key.pem custom_key_passphrase.txt (optional)
In a Cell Environment, perform all the steps on the cell manager only.
Log in to DPOD's server using SSH.
Copy the new certificate and key files either to the current certificate directory on the DPOD appliance or to any other directory of your choice.
The current certificate directory is custom certificate file, the custom key file and optionally the custom key passphrase file to/etc/httpd/conf/certs
.Generate a new Diffie-Hellman (DH) Group for a more secured TLS session and append the new DH group parameters file to the custom certificate:
Code Block language bash openssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048
Append the new DH group parameters file to the new certificate
See an example of the certificate file belowCode Block language bash cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf/certs/Newcustom_DPOD_Cercer.cer
pem
Execute the following commands:
Code Block -----BEGIN CERTIFICATE----- MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw MTE1ODQ1WjAeMRwwGgYDVQQDDBNPcGVyYXRpb25zRGFzaGJvYXJkMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf +Bi/dw91FtZESBgwWDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K /0j/2Muztvxq2kckI+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8Fh qFEH154DLp4MGsvbkU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCC fXNVrPSG8pSykKt/ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcRO tLbRi5jWU8HSkqztfxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABo1Aw TjAdBgNVHQ4EFgQU55Uu4PnL9s1sIY/H25gABo23w8swHwYDVR0jBBgwFoAU55Uu 4PnL9s1sIY/H25gABo23w8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC AQEAA1z1KHkxotKGlxNYdz9dKunpMKsRpE6hEzIvEI3ZU+1Is007AHelXBeRidN0 eHqVdcgOPn1EamEXjgqp7weXlPKyKlZGPdRD9hJR1/XvTuPBaJ/rI+NJkPQpfysY hWM32rMXuqQn6UUrPT9N7s+m4ArQmoQu3+ZipgGspQrSKW0xxq0d1n15RiC6UuJo ggKUYB4Gw3lOi6oKxX91NqhkVOzmaM7ok/Z+rOM6X6M2bC2KWN6IYjW688RiJE8j S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS GZYv2emdIk3/WcuMV0mqkXjhsw== -----END CERTIFICATE----- -----BEGIN DH PARAMETERS----- MIIBCAKCAQEA+SfHDxWo0BRXc/BxfJHZVkHtk16RmBHHiKv5HDOuhl1raZIEbJ2H 8e5Q0GVCxe30F7Cr66Wfx4jaHVQqkZ+YxuWLqDlHWUYeGPwXXdMXQtuQpPmfSbaT fb+dJ1OT4T5qRttzRWqlu+ZeKeYkOFMO7XqMcDMtMx8cCh6smtkPkG69Tb8cm0l8 0JQuSpRiqYq94pLAf1ReY2jFIWMEtGz4dwSBi7QD+Ncs0rPFecQPPFmmGp1hTeNf NhJHSMvkQrEiX7RHZVZVZ8ovwC9IzID5m2UgmDQ8/TgiBA9WyngswBFSglNvP9dK pb23nP4rDQ7sL307eponbeL/BsNUE4BeqwIBAg== -----END DH PARAMETERS-----
Open the web server configuration file for editing:
Code Block language bash language bash sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf
If the key file is encrypted, create a script named
custom_key_passphrase.sh
:Code Block vi /etc/httpd/conf/httpd.conf
Update the SSL Certificate lines:
Code Block language bash SSLCertificateFile "the new certificate file path" SSLCertificateKeyFile "the new key file path"
SSLCertificateKeyFile needs to point to a key of a "PEM" format.
SSLCertificateFile needs to point to a certificate of a "PEM" format.
Note: The certificate / key cannot be stored in a keystore (JKS, PKCS).Restart the web server:
Code Block language bash service httpd restart
Troubleshooting
- Run
certs/custom_key_passphrase.sh
with the following content:
Code Block #!/bin/sh cat /etc/httpd/conf/certs/custom_key_passphrase.txt
and execute the following commands:
Code Block chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf
Run a syntax check on the
httpd
configuration file to make sure the certificate and key file paths are configuration is valid:Code Block language bash apachectl -t
Valid output should be : "Syntax OK"
Wrong certificate path: "SSLCertificateFile: file :Code Block language bash Syntax OK
Invalid output:
DPODCode Block AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf: SSLCertificateFile: file '/etc/httpd/conf/certs/
cercustom_cer.
empty"pem' does not exist or is
empty
Restart the web server:
Code Block language bash service httpd restart
Troubleshooting
Make sure the certificate and key file formats are valid.
Check key file formatis valid:Code Block language bash openssl rsax509 -ininform DPOD.keyPEM -check Valid output: RSA key ok writing RSA key in /etc/httpd/conf/certs/custom_cer.pem
Valid output:
Code Block language bash -----BEGIN RSA PRIVATE KEYCERTIFICATE----- MIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf+Bi/dw91FtZESBgw WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K/0j/2Muztvxq2kck I+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8FhqFEH154DLp4MGsvb kU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCCfXNVrPSG8pSykKt/ ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcROtLbRi5jWU8HSkqzt fxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABAoIBAErv8Dvl9DkArE/2 dbMcArtxuROeeI2sKcIYqDZyVtFcsh39GtiwrxNRRil58TSTruT4C+4JvE6PKvVk N0vye7RDMbLwE4/1P7crkQd/oLZcYRF8LBdXJuYgr+Muvok8C8TttIpEvorrNeoJ sC/bxAVrRAcpa2SdaeyTLTBBdBk1roTbTkqeR6DK6yaOg9eJfFi9twjqxB2eAJlk TsXf/ltviuczPFOHNzl3jsuY4oJ2G+cAKqhaDK/Uz1PC61onpJToWDRqliE25pEa /eE6mLazoipbTGNGwGtuK1wn8p8wl9eTg6V4uYs4sUts0z65gEUn5yH9NadKqRH4 SIUYrBkCgYEA2ZDo1mCQVvmFdmkhR+lqIewo26T+gFujLrrOMKuGI4QVWrbHF9Gl 8nEa76FZWrkkXosOKBstdZkTy7A2Iod47sfb5KbPc1oKmZ3B4uKIi+lJ5IwuVhz2 bxlGjZnaZCJRPMltweT72X+Bk8g7aDQtvO5cni82BDlGeaQV5VySJ3cCgYEAwL8r h64a0F+xz724IKLMXHnt+BJd/myRnb/f7XWg6+7KEWIP2C0Gj82lrjak5cBNi/vh PnPHxAw2IGTTPij4N2g82vYEUktfWCA1+iFnVIJw6AG1n/BRWNjjByMcv/RKwhnK J0xzMtVXLVIjiPnVjjsVR6z1kYx6X8cBhpksd7UCgYEAokuu5Pxzr+3C2WnjIbnF Kjj44aBbGXVCbYF8fmH1VlkZdOoT6njByfEFnuxFs5+Yuc4RaWmcp7ThR3jTaT6V v8nnBtJIvkvUzHMaRx2lrnkAXjUT+7jvPEEmmErE1x2ibC32akVeegjbqFodtsX1 uJI3FOky6kOvht4YV1iOzlECgYBh47Uz31R252Li4rOUv5mSjcox5wIdqP37Y+tS Kh9kM44kbe0mGRfwCL1QUShGFvhLU8z9bsfR5XHH2ez+8Me/PA1MFw3yzZzKoPFI 65YS8XxuGBAp/l8SBHSot0hupJ8jHP3yH32SH4960PCDLH8tEQyprkm5deLgqa04 sqpG0QKBgCosnE6SFY8rBakV9E5YM7ug5sGZ/jBGXtxCmRBB0VpiGQIdiS7DyAlC sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw ... S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS GZYv2emdIk3/WcuMV0mqkXjhsw== -----END RSA PRIVATE KEYCERTIFICATE----- Invalid Output:
Invalid output:
Check certificate file formatCode Block language bash unable to load Privatecertificate Key 139695916947264140583261931328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANYTRUSTED PRIVATE KEY
CERTIFICATE
Make sure the key file is valid:
Code Block language bash openssl x509rsa -inform PEM -in DPOD.cer Valid output:in /etc/httpd/conf/certs/custom_key.pem -check
Valid output:
Code Block language bash RSA key ok writing RSA key -----BEGIN CERTIFICATERSA PRIVATE KEY----- MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw MTE1ODQ1WjAeMRwwGgYDVQQDDBNPcGVyYXRpb25zRGFzaGJvYXJkMIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo88mvSbcYEGfd2dgKwzDmcMIIEowIBAAKCAQEAo88mvSbcYEGfd2dgKwzDmc/ua/FiFfNf +Bi/dw91FtZESBgwWDfgIihvXmEtOdw91FtZESBgw WDfgIihvXmEtO/DmJEfV55xJm0Fk49c5j6DXXtjztsC04o6K /0j/2Muztvxq2kckI+yv+jCrw6LxQN+wft03mHP/R6V/F74rEMc5kdx5X5HFA8Fh qFEH154DLp4MGsvbkU7CEjQw6VMj3M3m1ot/m0RkAgGIs7oH2E58VqJfhps2pqCC fXNVrPSG8pSykKt/ZL1oYr33DQD3zvn68aBpuChwNt8enPqytTJiaJuDD6y9KcRO tLbRi5jWU8HSkqztfxr3ohCGdb61tkwr9Vn969mtqwv8GXsxSyI4IwIDAQABo1Aw TjAdBgNVHQ4EFgQU55Uu4PnL9s1sIY/H25gABo23w8swHwYDVR0jBBgwFoAU55Uu 4PnL9s1sIY/H25gABo23w8swDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC AQEAA1z1KHkxotKGlxNYdz9dKunpMKsRpE6hEzIvEI3ZU+1Is007AHelXBeRidN0 eHqVdcgOPn1EamEXjgqp7weXlPKyKlZGPdRD9hJR1/XvTuPBaJ/rI+NJkPQpfysY hWM32rMXuqQn6UUrPT9N7s+m4ArQmoQu3+ZipgGspQrSKW0xxq0d1n15RiC6UuJo ggKUYB4Gw3lOi6oKxX91NqhkVOzmaM7ok/Z+rOM6X6M2bC2KWN6IYjW688RiJE8j S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS GZYv2emdIk3/WcuMV0mqkXjhsw==2Muztvxq2kck ... sGX1E9E14G4itq8juxQo1VjqpC6AgbiVAlLpL1NAjlWstYC0coJrZzcH0dxTaEhs DCxCYclWOYBAiSqf/PjR4nwzYjw2wcvXm7W0n+ZcZWxD9qjLkgjT -----END CERTIFICATERSA PRIVATE KEY----- Invalid Output:
Invalid output:
Code Block language bash unable to load certificatePrivate Key 140583261931328139695916947264:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: ANY TRUSTEDPRIVATE CERTIFICATEKEY