...

  1. Make sure you have the custom certificate and key files provided in .pem format. If the key file is encrypted, make sure to also have the key passphrase in a .txt file.
    Use the following file names:

    custom_cer.pem
    custom_key.pem
    custom_key_passphrase.txt      (optional)
  2. In a Cell Environment, perform all the steps on the cell manager only.

  3. Log in to DPOD's server using SSH.

  4. Copy the custom certificate file, the custom key file and optionally the custom key passphrase file to /etc/httpd/conf/certs.

  5. Generate a new Diffie-Hellman (DH) group for a more secure TLS session and append the new DH group parameters file to the custom certificate. The parameters are appended to the certificate file because mod_ssl reads custom DH parameters from the file named in SSLCertificateFile:

    openssl dhparam -out /etc/httpd/conf/certs/custom_dhparams.pem 2048

    Append the new DH group parameters file to the new certificate:

    cat /etc/httpd/conf/certs/custom_dhparams.pem >> /etc/httpd/conf/certs/custom_cer.pem

    See an example of the concatenated certificate file below (the certificate block first, followed by the DH parameters block):

    -----BEGIN CERTIFICATE-----
    MIIDDzCCAfegAwIBAgIJAIjhDQNZ4I2xMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNV
    BAMME09wZXJhdGlvbnNEYXNoYm9hcmQwHhcNMjEwMjIyMTE1ODQ1WhcNMzEwMjIw
    ...
    S8kVtQThGaGbexvDlbE6vDmFtwPi5KTroU/T+0vHJ9lwTV1YvWduQ5EsQNlnDcSS
    GZYv2emdIk3/WcuMV0mqkXjhsw==
    -----END CERTIFICATE-----
    -----BEGIN DH PARAMETERS-----
    MIIBCAKCAQEA+SfHDxWo0BRXc/BxfJHZVkHtk16RmBHHiKv5HDOuhl1raZIEbJ2H
    8e5Q0GVCxe30F7Cr66Wfx4jaHVQqkZ+YxuWLqDlHWUYeGPwXXdMXQtuQpPmfSbaT
    ...
    NhJHSMvkQrEiX7RHZVZVZ8ovwC9IzID5m2UgmDQ8/TgiBA9WyngswBFSglNvP9dK
    pb23nP4rDQ7sL307eponbeL/BsNUE4BeqwIBAg==
    -----END DH PARAMETERS-----
  6. Execute the following commands to point httpd at the custom certificate and key:

    sed -i 's#^SSLCertificateFile .*#SSLCertificateFile "/etc/httpd/conf/certs/custom_cer.pem"#g' /etc/httpd/conf/httpd.conf
    sed -i 's#^SSLCertificateKeyFile .*#SSLCertificateKeyFile "/etc/httpd/conf/certs/custom_key.pem"#g' /etc/httpd/conf/httpd.conf
  7. If the key file is encrypted, create a script named custom_key_passphrase.sh:

    vi /etc/httpd/conf/certs/custom_key_passphrase.sh

    with the following content:

    #!/bin/sh
    cat /etc/httpd/conf/certs/custom_key_passphrase.txt

    and execute the following commands:

    chmod +x /etc/httpd/conf/certs/custom_key_passphrase.sh
    sed -i "/^SSLPassPhraseDialog /d" /etc/httpd/conf/httpd.conf
    sed -i '/^SSLCertificateKeyFile /a SSLPassPhraseDialog exec:/etc/httpd/conf/certs/custom_key_passphrase.sh' /etc/httpd/conf/httpd.conf
  8. Run a syntax check on the httpd configuration file to make sure the configuration is valid:

    apachectl -t

    Valid output:

    Syntax OK

    Invalid output (for example, when the certificate file was not copied to the expected path):

    AH00526: Syntax error on line 541 of /etc/httpd/conf/httpd.conf:
    SSLCertificateFile: file '/etc/httpd/conf/certs/custom_cer.pem' does not exist or is empty
  9. Restart the web server:

    service httpd restart
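The following pre-flight check is an added example, not part of the DPOD documentation or product: it verifies, before step 8 is run, that the files laid out in steps 1 to 7 are complete (non-empty certificate and key, DH parameters appended after the certificate, and, for an encrypted key, a passphrase file that is present, not world-readable, and an executable helper script). It assumes only the file names used above and POSIX shell tools; make_sample writes constructed placeholder files so the check can be tried offline.

```shell
# check_custom_tls DIR -> exit status 0 when the files in DIR are ready for httpd.
# Assumes the file names used in the steps above and only POSIX shell tools.
check_custom_tls() {
    dir=$1; rc=0
    cer="$dir/custom_cer.pem"; key="$dir/custom_key.pem"
    pass="$dir/custom_key_passphrase.txt"; script="$dir/custom_key_passphrase.sh"

    # 1. Both files must exist and be non-empty (the condition behind AH00526).
    for f in "$cer" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The certificate block must be followed by a DH PARAMETERS block, because
    #    mod_ssl reads custom DH parameters from the SSLCertificateFile file.
    cert_line=$(grep -n '^-----BEGIN CERTIFICATE-----' "$cer" | head -n 1 | cut -d: -f1)
    dh_line=$(grep -n '^-----BEGIN DH PARAMETERS-----' "$cer" | head -n 1 | cut -d: -f1)
    [ -n "$cert_line" ] || { echo "no CERTIFICATE block in $cer"; rc=1; }
    if [ -z "$dh_line" ]; then
        echo "no DH PARAMETERS block in $cer (step 5 not applied)"; rc=1
    elif [ -n "$cert_line" ] && [ "$dh_line" -lt "$cert_line" ]; then
        echo "DH PARAMETERS block precedes the certificate in $cer"; rc=1
    fi

    # 3. An encrypted key (PKCS#8 or traditional PEM header) needs the passphrase
    #    file and the executable helper; the passphrase must not be world-readable.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$key"; then
        [ -s "$pass" ] || { echo "encrypted key but $pass is missing"; rc=1; }
        [ -x "$script" ] || { echo "encrypted key but $script is not executable"; rc=1; }
        if [ -f "$pass" ] && [ -n "$(find "$pass" -perm -004)" ]; then
            echo "$pass is world-readable; restrict it with chmod 600"; rc=1
        fi
    fi
    return "$rc"
}

# make_sample DIR -> writes constructed placeholder files (not real key material)
# laid out exactly as the steps above leave them, for trying the check offline.
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
        '-----BEGIN DH PARAMETERS-----' 'Q09OU1RSVUNURUQ=' '-----END DH PARAMETERS-----' > "$1/custom_cer.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/custom_key.pem"
    printf '%s\n' 'placeholder-passphrase' > "$1/custom_key_passphrase.txt"
    chmod 600 "$1/custom_key_passphrase.txt"
    printf '%s\n' '#!/bin/sh' "cat $1/custom_key_passphrase.txt" > "$1/custom_key_passphrase.sh"
    chmod +x "$1/custom_key_passphrase.sh"
}
```

On the DPOD server, run check_custom_tls /etc/httpd/conf/certs after step 7; a non-zero exit status names the file that still needs attention before apachectl -t is run.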

...