Trusted SSL Certificate
This article is intended to be used after the idenprotect Core Platform has been installed, as part of Post Installation Hardening. If you have not yet installed the idenprotect Core Platform, please Start Here for idenprotect Core Platform.
Introduction
In order to handle web connections securely, the idenprotect Core Platform must use a valid publicly trusted digital certificate. If no valid certificate has been configured, idenprotect devices will not be able to communicate with the idenprotect Core Platform.
Generating Private Key and CSR
- In the server terminal where the idenprotect Core Platform is installed, create a new 2048-bit RSA key using OpenSSL:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
- Change the names of server.key and server.csr to the hostname of the idenprotect Core Platform. For example, if the hostname is iden.domain.com, name the files iden.key and iden.csr. This starts the process of generating 2 files: a private key file for decrypting TLS traffic and a CSR (Certificate Signing Request) file.
- Enter the organisational and geographic information for the certificate.
- When prompted for the Common Name, enter the fully qualified domain name of the idenprotect Core Platform. For example, iden.domain.com.
- Enter an email address for contact information regarding the certificate.
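The same key and CSR generation, as an added example that is not part of the original idenprotect article: it runs the openssl req command non-interactively, keeps the private key owner-readable only, places the FQDN in a Subject Alternative Name as well as the Common Name (browsers match the hostname against the SAN), and checks the CSR before it is sent to the CA. The hostnames, the organisation string and the output directory are placeholders; the -addext option assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original article): generate the private key and
# CSR for the idenprotect Core Platform hostname and verify the CSR contents.
# Assumes OpenSSL 1.1.1 or newer (-addext). Hostnames and paths are placeholders.

set -eu

# make_csr HOSTNAME OUTDIR
# Writes OUTDIR/HOSTNAME.key (owner-readable only) and OUTDIR/HOSTNAME.csr.
# The CN is the FQDN and the same FQDN goes into the subjectAltName, because
# browsers validate the hostname against the SAN rather than the CN.
make_csr() {
    host=$1
    outdir=${2:-.}
    mkdir -p "$outdir"
    (
        umask 077    # private key must not be world- or group-readable
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$host.key" \
            -out "$outdir/$host.csr" \
            -subj "/C=GB/O=Example Org/CN=$host" \
            -addext "subjectAltName=DNS:$host" 2>/dev/null
    )
}

# check_csr CSRFILE HOSTNAME
# Returns 0 when the CSR self-signature verifies, the CN equals HOSTNAME and
# the SAN lists HOSTNAME; otherwise prints the reason and returns 1.
check_csr() {
    csr=$1
    host=$2
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "CSR signature does not verify: $csr" >&2
        return 1
    fi
    if ! openssl req -in "$csr" -noout -subject | grep -Eq "CN ?= ?$host\$"; then
        echo "CSR Common Name is not $host" >&2
        return 1
    fi
    if ! openssl req -in "$csr" -noout -text | grep -q "DNS:$host"; then
        echo "CSR has no subjectAltName entry for $host" >&2
        return 1
    fi
    return 0
}

# Usage: sh make_csr.sh iden.domain.com /var/certs
if [ $# -ge 1 ]; then
    make_csr "$1" "${2:-.}"
    check_csr "${2:-.}/$1.csr" "$1" && echo "CSR ready to send to the CA: ${2:-.}/$1.csr"
fi
```

Run the check against any CSR before pasting it into the CA's request form; a CSR whose CN or SAN does not match the hostname the devices connect to will produce a certificate that the idenprotect devices reject.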
Signing the CSR
Once the CSR file is created, send it to the CA (Certificate Authority) that is to be used for TLS web connection certificates. The reply from the CA typically contains the signed certificate chain in a .pem or .crt file. This file contains the public certificate of the idenprotect Core Platform. Store it on the idenprotect Core Platform computer. If an option is given to sign a certificate for a specific web server, select NGINX bundle.
Important: If copy-pasting the CSR file contents, make sure to include all of them. Many CSRs fail because the BEGIN and END lines were not included in the request.
Installing the Certificates - Pre-TLS v1.2
It is strongly recommended that you harden your server to use TLSv1.2 and disable previous versions. See Post Installation Hardening for more information.
To set up TLSv1.2 for the idenprotect Core Platform, the private key and the certificate bundle must be stored on the server and configured in nginx. Without building or adding the certificate bundle, some browsers will not complete certificate validation, because the TLSv1.2 specification requires the server to provide the certificate chain. The instructions are as follows:
- Copy the .key file and the CRT or PEM received from the CA into the /var/certs directory.
- Edit /etc/nginx/nginx.conf and add the locations for the keys ssl_certificate and ssl_certificate_key (nginx directives take no colon after the name):
ssl_certificate /var/certs/my_domain_name.pem; (or bundle.crt)
ssl_certificate_key /var/certs/my_domain_name.key;
- Adjust the file names to match the certificate files on your file system.
- Restart the nginx web server:
systemctl restart nginx
To see if NGINX has started properly, run the command:
systemctl status nginx -l
Installing the Certificates - Configured to Run TLS v1.2
To set up TLSv1.2 for the idenprotect Core Platform, both the private key and the certificate bundle must be stored on the server and configured in nginx:
- With the certificates received from the CA, bundle the Root CA, Issuing CA and server host certificates into one file and call it <my_domain_name_bundle>.pem or <my_domain_name_bundle>.crt. Note: depending on the web server in use, the certificates may cause issues if they are not ordered correctly. With the standard NGINX web server, the certificate bundle or chain order is Server Host Certificate -> Issuing CA Certificate -> Root CA Certificate. The certificates can be bundled into one file either using a text editor or by using cat on the Linux command line, for example:
cat <hostname_cert>.crt <issuing_CA_cert>.crt <Root_CA_cert>.crt > bundle.crt
- Copy the .key file and the CRT or PEM bundle from the above instructions into the /var/certs directory.
- Edit /etc/nginx/nginx.conf and add the locations for the keys ssl_certificate and ssl_certificate_key (nginx directives take no colon after the name):
ssl_certificate /var/certs/my_domain_name_bundle.pem; (Note: a bundle certificate file is mandatory)
ssl_certificate_key /var/certs/my_domain_name.key;
- Adjust the file names to match the certificate files on your file system.
- Restart the nginx web server:
systemctl restart nginx
To see if NGINX has started properly, run the command:
systemctl status nginx -l
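Building the bundle in the order described above and checking that order before nginx is restarted, as an added example that is not part of the original idenprotect article. The check splits the bundle into its certificates, confirms the first one is the server certificate for the hostname, confirms each certificate is issued by the one after it, and finally runs openssl verify with the last certificate as the trust anchor. File names and hostnames are placeholders; OpenSSL and a POSIX awk are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): build the NGINX certificate
# bundle leaf-first (server host cert -> issuing CA -> root CA) and verify
# the order before restarting nginx. Assumes openssl and awk are installed.

set -eu

# make_bundle OUT HOST_CRT ISSUING_CRT ROOT_CRT
# Concatenates the PEM files in the order given; nginx expects the leaf first.
make_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# cert_field FILE subject|issuer -> the DN without the "subject="/"issuer=" prefix
cert_field() {
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*=//'
}

# check_bundle BUNDLE HOSTNAME
# Returns 0 when the bundle is complete and correctly ordered for HOSTNAME,
# otherwise prints what is wrong and returns 1.
check_bundle() {
    bundle=$1
    host=$2
    tmp=$(mktemp -d)
    # One file per PEM block: cert1.pem (leaf), cert2.pem, ... certN.pem (root)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert" n ".pem")}' "$bundle"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$n" -lt 2 ]; then
        echo "bundle holds $n certificate(s): the chain is missing" >&2
        rm -rf "$tmp"; return 1
    fi
    # 1. The first certificate must be the server certificate for HOSTNAME.
    if ! cert_field "$tmp/cert1.pem" subject | grep -Eq "CN ?= ?$host\$"; then
        echo "first certificate is not the server certificate for $host" >&2
        rm -rf "$tmp"; return 1
    fi
    # 2. Each certificate's issuer must be the subject of the one that follows.
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        if [ "$(cert_field "$tmp/cert$i.pem" issuer)" != "$(cert_field "$tmp/cert$j.pem" subject)" ]; then
            echo "certificate $i is not issued by certificate $j: wrong chain order" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    # 3. The leaf must verify up to the last certificate, with the
    #    intermediates (everything between first and last) passed as untrusted.
    untrusted=""
    i=2
    while [ "$i" -lt "$n" ]; do
        untrusted="$untrusted -untrusted $tmp/cert$i.pem"
        i=$((i + 1))
    done
    # shellcheck disable=SC2086
    if ! openssl verify -CAfile "$tmp/cert$n.pem" $untrusted "$tmp/cert1.pem" >/dev/null 2>&1; then
        echo "chain does not verify from $host up to the root" >&2
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Usage: sh check_bundle.sh iden.domain.com host.crt issuing.crt root.crt
if [ $# -eq 4 ]; then
    make_bundle "$1_bundle.pem" "$2" "$3" "$4"
    check_bundle "$1_bundle.pem" "$1" && echo "bundle order OK: $1_bundle.pem"
fi
```

The ordering check catches the most common bundle mistake (root first, leaf last), which nginx accepts silently and which then fails only in the browser; the final openssl verify also catches a bundle where one CA certificate in the middle was left out.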
SE Linux Issues
To see if SE Linux is enabled, run:
sestatus
If you have SE Linux enabled you may see that NGINX has not started correctly, with a message related to file permissions. This may be due to the new certificates being in a different security context. In the /var/certs folder you can list the details:
ls -lrtZ
-r--------. nginx nginx unconfined_u:object_r:var_t:s0 server.domain.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.crt
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 dhparams.pem
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 certreq.csr
-r--------. nginx nginx unconfined_u:object_r:var_t:s0 server.domain.chained.crt
The listing shows that the cert and key that have been created have different security contexts.
To rectify this, run:
chcon -v --user system_u --role object_r --type httpd_config_t server.domain.key
changing security context of ‘server.domain.key’
chcon -v --user system_u --role object_r --type httpd_config_t server.domain.chained.crt
changing security context of ‘server.domain.chained.crt’
To confirm the change:
ls -lrtZ
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.domain.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.crt
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 dhparams.pem
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 certreq.csr
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.domain.chained.crt
Now restart NGINX and it should start without error.
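The same context check, scripted, as an added example that is not part of the original idenprotect article. The first function reads an ls -Z listing and names every file whose SELinux type is not the one wanted, so the mismatch above is found without reading the listing by eye. The second function relabels the directory through semanage fcontext and restorecon instead of chcon: a chcon label is overwritten the next time the filesystem is relabelled or restorecon runs, whereas a recorded fcontext rule survives and also applies to certificate files added to the directory later. The listing embedded below is constructed from the shape of the one in the article; the policycoreutils tools are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original article): detect certificate files
# whose SELinux type nginx cannot read, and relabel them persistently.
# Assumes semanage and restorecon (policycoreutils) are installed.

set -eu

# wrong_context WANT_TYPE
# Reads `ls -Z` style lines on stdin and prints the name of every file whose
# SELinux type (third field of user:role:type:level) is not WANT_TYPE.
wrong_context() {
    awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[a-z_]+:object_r:[a-z_]+:/) {
                    split($i, ctx, ":")
                    if (ctx[3] != want) print $NF
                }
            }
        }'
}

# relabel_certs DIR
# Records a file-context rule for DIR and everything under it, then applies
# it. Unlike chcon, the rule is kept by the policy, so a later relabel does
# not revert the files to var_t. -a fails if a rule already exists, in which
# case -m modifies the existing one.
relabel_certs() {
    dir=$1
    semanage fcontext -a -t httpd_config_t "$dir(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t httpd_config_t "$dir(/.*)?"
    restorecon -Rv "$dir"
}

# Constructed sample listing in the shape shown in the article.
SAMPLE_LISTING='-r--------. nginx nginx unconfined_u:object_r:var_t:s0 server.domain.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.crt
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 dhparams.pem
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 certreq.csr
-r--------. nginx nginx unconfined_u:object_r:var_t:s0 server.domain.chained.crt'

# On a live system:  ls -Z /var/certs | wrong_context httpd_config_t
# With --demo the constructed listing is checked instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | wrong_context httpd_config_t
fi
```

On the sample listing the check names server.domain.key and server.domain.chained.crt, the two files the article relabels; after relabel_certs /var/certs the same pipeline prints nothing.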
Testing the Certificate
Open a web browser and enter the URL for the idenprotect Core Platform. The browser should not alert to any certificate validation errors.
Depending on the browser, there should be a padlock or similar icon in the address bar, which means that the idenprotect Core Platform now has a trusted certificate for the web site.
Next Steps
If you are in the middle of completing your prerequisite checks, please return to Idenprotect Core Platform Prerequisites.
If you are ready to complete your installation, please continue following our Idenprotect Core Platform Quick Start Guide or, for more detailed instructions, continue here.