Trusted SSL Certificate

From iDENprotect Knowledge Base

This article is intended to be used after the idenprotect Core Platform has been installed, as part of Post Installation Hardening. If you have not yet installed the idenprotect Core Platform, please Start Here for idenprotect Core Platform.

Introduction

In order to handle web connections securely, the idenprotect Core Platform must present a valid, publicly trusted digital certificate for its hostname. If no valid certificate has been configured, idenprotect devices will refuse the TLS connection and will not be able to communicate with the idenprotect Core Platform.


Generating Private Key and CSR

  1. In a terminal on the server where the idenprotect Core Platform is installed, create a new 2048-bit RSA private key together with a CSR using OpenSSL:
    • openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
    This produces two files: the private key (server.key), which nginx uses during the TLS handshake to prove it owns the certificate, and the CSR (Certificate Signing Request, server.csr), which is sent to the CA. The -nodes option leaves the key unencrypted so that nginx can start unattended; because of that, restrict the key file to the nginx user (mode 0400) and never send it to the CA or anyone else.
  2. It is convenient to name the files after the hostname of the idenprotect Core Platform. For example, if the hostname is iden.domain.com, use iden.key and iden.csr (i.e. -keyout iden.key -out iden.csr).
  3. Enter the organisational and geographic information for the certificate when prompted.
  4. When prompted for the Common Name, enter the fully qualified domain name of the idenprotect Core Platform, for example iden.domain.com. Publicly trusted CAs also place this name in the certificate's Subject Alternative Name, which is the field current browsers actually match against; confirm the issued certificate contains it.
  5. Enter an email address for contact information regarding the certificate.


Signing the CSR

Once the CSR file is created, send it to the CA (Certificate Authority) that will issue the TLS certificate for web connections. The reply from the CA typically contains the signed server certificate and the CA chain as .pem or .crt files. This is the certificate, i.e. the public half of the key pair; the private key stays on the server and is never sent to the CA. Store the CA's reply on the idenprotect Core Platform server. If the CA offers a download format for a specific web server, select the NGINX bundle.

Important: If copy-pasting the CSR file contents into the CA's web form, include the whole file. Many CSR submissions fail because the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines were left out.

Installing the Certificates - Pre-TLS v1.2

It is strongly recommended that you harden your server to use TLSv1.2 and disable previous versions. See the Post Installation Hardening page for more information.


In either case, the private key and the certificate with its chain must be stored on the server and configured in nginx. If only the server certificate is installed, without the intermediate (Issuing CA) certificate, many clients will not complete certificate validation: in every TLS version the server is expected to send the certificates needed to build a chain up to a trusted root, and browsers that do not fetch missing intermediates themselves will reject the connection. The instructions are as follows:

  1. Copy the .key file and the CRT or PEM received from the CA to the /var/certs directory
  2. Edit /etc/nginx/nginx.conf and, in the server block for the HTTPS listener, set the ssl_certificate and ssl_certificate_key directives to point at those files (nginx directives take no colon and end with a semicolon):
  • ssl_certificate /var/certs/my_domain_name.pem; (or bundle.crt)
  • ssl_certificate_key /var/certs/my_domain_name.key;


  3. Adjust the file names to match the certificate files on your file system.
  4. Restart the nginx web server: systemctl restart nginx

To check that NGINX has started properly, run

systemctl status nginx -l

Installing the Certificates - Configured to Run TLS v1.2

To set up TLSv1.2 for idenprotect Core Platform, the private key and the certificate bundle must be stored on the server and configured in nginx:

  1. With the certificates received from the CA, bundle the Root CA, Issuing CA and server host certificates into one file and call it <my_domain_name_bundle>.pem (or <my_domain_name_bundle>.crt). Note: the order of the certificates in the file matters. For the standard NGINX web server the order is Server Host Certificate -> Issuing CA Certificate -> Root CA Certificate; a bundle in any other order will fail validation on the client. The certificates can be bundled in one file either using a text editor or by using cat on the Linux command line, for example: cat <hostname_cert>.crt <issuing_CA_cert>.crt <Root_CA_cert>.crt > bundle.crt. The root certificate is already present in the clients' trust stores, so including it is optional but harmless; the Issuing CA (intermediate) certificate is the one that must not be missing.
  2. Copy the .key file and the bundle CRT or PEM from the step above to the /var/certs directory
  3. Edit /etc/nginx/nginx.conf and, in the server block for the HTTPS listener, set the ssl_certificate and ssl_certificate_key directives to point at those files
    • ssl_certificate /var/certs/my_domain_name_bundle.pem; (Note: a bundle certificate file is mandatory)
    • ssl_certificate_key /var/certs/my_domain_name.key;
  4. Adjust the file names to match the certificate files on your file system.
  5. Restart the nginx web server: systemctl restart nginx

To check that NGINX has started properly, run

systemctl status nginx -l
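The CSR step above and the bundling step that follows it are easy to get wrong silently: the CA accepts the CSR, nginx starts, and only the clients notice that the chain is out of order or lacks the intermediate. The script below is an added example, not part of the idenprotect documentation or product. It builds a throw-away Root CA -> Issuing CA -> server chain with the same openssl req style the article uses (the throw-away CA stands in for the real CA, whose private keys you will never have), writes the bundle in the order nginx expects, and provides check_bundle_order, which refuses a bundle whose first certificate does not name the host in its Subject Alternative Name or whose certificates are not each issued by the one that follows. The hostname iden.example.com, the file names and the 30-day validity are illustrative; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example: not the idenprotect project's code. Builds a test PKI and checks
# a certificate bundle before it is handed to nginx. Requires the openssl CLI.
set -e

# make_test_chain DIR HOST
# Writes root.crt, issuing.crt, HOST.key, HOST.crt and bundle.pem into DIR.
# Keys are created with -nodes (no passphrase) exactly as the article does, so
# nginx can start unattended; the server key is therefore locked down to 0400.
make_test_chain() {
    d=$1; host=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"

    # Root CA (self-signed). Stand-in for the public CA's root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/O=Example Test PKI/CN=Example Test Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

    # Issuing (intermediate) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/issuing.key" -out "$d/issuing.csr" \
        -subj "/O=Example Test PKI/CN=Example Test Issuing CA" 2>/dev/null
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/issuing.crt" 2>/dev/null

    # Server key + CSR as in the article (CN = FQDN), signed by the issuing CA
    # with the FQDN also in the SAN, which is what browsers match on.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$host.key" -out "$d/$host.csr" \
        -subj "/O=Example Test PKI/CN=$host" 2>/dev/null
    openssl x509 -req -in "$d/$host.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/$host.crt" 2>/dev/null
    chmod 0400 "$d/$host.key"

    # nginx order: server certificate first, then issuing CA, then root.
    cat "$d/$host.crt" "$d/issuing.crt" "$d/root.crt" > "$d/bundle.pem"
}

# check_bundle_order BUNDLE HOST
# Returns 0 when the first certificate carries DNS:HOST in its SAN and every
# certificate is issued by the one after it. If the last certificate is
# self-signed (root included, as the article suggests) the signatures are
# verified as well. Returns 1 with a diagnostic on stderr otherwise.
check_bundle_order() {
    bundle=$1; host=$2
    work=$(mktemp -d)
    # Split the PEM bundle into 1.pem, 2.pem, ... preserving file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (d "/" n ".pem")}' "$bundle"
    n=$(ls "$work" | wc -l | tr -d ' ')
    if [ "$n" -lt 1 ]; then
        echo "$bundle: no certificates found" >&2; rm -rf "$work"; return 1
    fi
    if ! openssl x509 -in "$work/1.pem" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$host"; then
        echo "$bundle: first certificate is not the server certificate for $host" >&2
        rm -rf "$work"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$work/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$work/$((i + 1)).pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$bundle: certificate $i is not issued by certificate $((i + 1)) (out of order or missing intermediate)" >&2
            rm -rf "$work"; return 1
        fi
        i=$((i + 1))
    done
    last_issuer=$(openssl x509 -in "$work/$n.pem" -noout -issuer)
    last_subject=$(openssl x509 -in "$work/$n.pem" -noout -subject)
    if [ "$n" -gt 1 ] && [ "${last_issuer#issuer=}" = "${last_subject#subject=}" ]; then
        set --
        i=2
        while [ "$i" -lt "$n" ]; do set -- "$@" -untrusted "$work/$i.pem"; i=$((i + 1)); done
        if ! openssl verify -CAfile "$work/$n.pem" "$@" "$work/1.pem" >/dev/null 2>&1; then
            echo "$bundle: chain does not verify against its root" >&2; rm -rf "$work"; return 1
        fi
    fi
    rm -rf "$work"
    return 0
}

# Demo: a correctly ordered bundle passes, the reversed one is rejected.
main() {
    d=$(mktemp -d)
    make_test_chain "$d" iden.example.com
    check_bundle_order "$d/bundle.pem" iden.example.com && echo "bundle.pem: order OK"
    cat "$d/root.crt" "$d/issuing.crt" "$d/iden.example.com.crt" > "$d/reversed.pem"
    check_bundle_order "$d/reversed.pem" iden.example.com || echo "reversed.pem: rejected as expected"
    rm -rf "$d"
}
main
```

On a real deployment only check_bundle_order is needed: run it against the file you are about to name in ssl_certificate, with the hostname clients will type, before restarting nginx. When the CA's bundle omits the root, the name-chain check still runs and the final openssl verify is skipped, since the root then has to come from the client's trust store.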

SELinux Issues

To see if SELinux is enabled, run

sestatus

If SELinux is enforcing, NGINX may fail to start with a message about file permissions even though the Unix permissions are correct. This is usually because the newly copied certificate and key carry a different SELinux security context from the files nginx is allowed to read. In the /var/certs directory, list the files with their contexts:

ls -lrtZ
-r--------. nginx nginx unconfined_u:object_r:var_t:s0   server.domain.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.crt
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 dhparams.pem
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 certreq.csr
-r--------. nginx nginx unconfined_u:object_r:var_t:s0   server.domain.chained.crt

The listing shows that the newly created key and chained certificate are labelled var_t (with the unconfined_u user), while the files nginx already reads are labelled httpd_config_t.

To relabel the two new files to match, run

chcon -v --user system_u --role object_r --type httpd_config_t server.domain.key
changing security context of ‘server.domain.key’
chcon -v --user system_u --role object_r --type httpd_config_t server.domain.chained.crt
changing security context of ‘server.domain.chained.crt’

To confirm the change

ls -lrtZ
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.domain.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.key
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.crt
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 dhparams.pem
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 certreq.csr
-r--------. nginx nginx system_u:object_r:httpd_config_t:s0 server.domain.chained.crt

Now restart NGINX and it should start without error. Note that chcon changes the label of the file only; a filesystem relabel (for example with restorecon) would revert it unless the path is also registered as a persistent file context with semanage fcontext, and a replacement certificate copied in later will need its context checked again in the same way.

Testing the Certificate

From a client machine, not from the server itself, open a web browser and enter the URL for the idenprotect Core Platform using its fully qualified hostname. The browser should not alert to any certificate validation errors.

Depending on the browser, there should be a padlock or similar icon in the address bar. This means the browser has built a chain from the presented certificate to a root it trusts and that the certificate matches the hostname, so the idenprotect Core Platform now has a trusted certificate for the web site.


Next Steps

If you are in the middle of completing your prerequisite checks, please return to Idenprotect Core Platform Prerequisites.

If you are ready to complete your installation, please continue following our Idenprotect Core Platform Quick Start Guide or, for more detailed instructions, Continue Here.