By default, TufinOS uses a self-signed certificate for the web server running HTTPS. This is true for the SecureTrack Server as well as for the SecureChange Server. Browsers warn about such certificates, and when these warnings are not wanted, an official certificate issued by a trusted CA has to be used.
It's possible to change the certificate the web server uses. In many cases, a Certificate Signing Request (CSR) has to be generated first, so that a certificate signed by a trustworthy Certificate Authority (CA) can be imported.
Generating a CSR
For importing a valid certificate into the web server running on TufinOS, a Certificate Signing Request (CSR) needs to be generated first. This can be done in several ways. On TufinOS the command openssl is run as the user root. If the system doesn't allow using this account, the command can be executed with elevated permissions using sudo (which, of course, has to be configured correctly as well). The next line shows an example of a CSR being created for the host "hostname":
[root]# openssl req -new -nodes -keyout hostname.key -out hostname.csr -newkey rsa:2048 -sha256
The file hostname.key contains the private key, which must be protected (!). The other file, hostname.csr, is the one that needs to be sent to the CA for signing. Before it is written, some more details have to be provided at the prompts:
- Country Name (2 letter code) [AU]:
provide the country code, e.g. DE
- State or Province Name (full name) [Some-State]:
provide the state, e.g. Bavaria
- Locality Name (eg, city) []:
provide the name of the city, e.g. Munich
- Organization Name (eg, company) [Internet Widgits Pty Ltd]:
provide the name of the company, e.g. AERAsec
- Organizational Unit Name (eg, section) []:
provide the unit, e.g. IT Department
- Common Name (eg, YOUR name) []:
provide the exact host name, including the domain, that shall be protected by the certificate.
Important: the certificate is only valid for this name
- Email Address []:
provide the e-mail address of the responsible person
The file hostname.csr is then sent to the signing CA.
If you need a certificate that is valid for more than one host, this command structure, which takes the request details and a subjectAltName list from an inline config file, is recommended:
[root]# openssl req -new -sha256 -nodes -out hostname.csr -newkey rsa:2048 -keyout hostname.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=DE
ST=Bayern
L=Munich
O=AERAsec
OU=IT Department
emailAddress = <e-mail address of the responsible person>
CN = host1.example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = host1.example.com
DNS.2 = host2.example.com
EOF
)
Also in this case, the file hostname.csr is sent to the signing CA.
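The following script is an added example and not part of the original article or of TufinOS: it performs the same multi-host CSR generation as above, but writes the OpenSSL configuration to a temporary file (so it also works in a plain POSIX sh without process substitution) and then checks the CSR before it is sent to the CA: the request's self-signature must verify, every requested host name must appear in the subjectAltName list, and the private key on disk must belong to the CSR. The DN values, the host names host1.example.com and host2.example.com and all paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: create a private key and a
# multi-host CSR from an OpenSSL config file, then check the CSR before sending
# it to the CA. DN values, host names and paths are constructed placeholders.
set -eu

# Write the request configuration. The subjectAltName list is what makes the
# resulting certificate valid for several host names; browsers ignore the CN
# as soon as a SAN extension is present, so the CN is repeated as DNS.1.
write_csr_config() {
    cfg="$1"; cn="$2"; shift 2
    {
        printf '[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n'
        printf 'req_extensions = req_ext\ndistinguished_name = dn\n'
        printf '[dn]\nC = DE\nST = Bayern\nL = Munich\nO = Example Org\nOU = IT Department\n'
        printf 'CN = %s\n' "$cn"
        printf '[req_ext]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Generate the key (unencrypted, -nodes, as in the article) and the CSR.
# umask 077 makes the key file readable by its owner only from the start.
generate_csr() {
    (umask 077 && openssl req -new -nodes -sha256 -newkey rsa:2048 \
        -keyout "$1" -out "$2" -config "$3" >/dev/null 2>&1)
}

# Check the CSR before it leaves the host: the self-signature must verify and
# every host name that was asked for must appear in the SAN extension.
verify_csr() {
    csr="$1"; shift
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    for name in "$@"; do
        printf '%s\n' "$text" | grep -Fq "DNS:$name" || return 1
    done
}

# The key on disk must be the one the CSR was built from (same public key);
# otherwise the signed certificate will not work with it later.
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Whole procedure for two constructed host names in a temporary directory.
run_demo() {
    dir=$(mktemp -d)
    write_csr_config "$dir/req.cnf" host1.example.com host2.example.com
    generate_csr "$dir/hostname.key" "$dir/hostname.csr" "$dir/req.cnf"
    verify_csr "$dir/hostname.csr" host1.example.com host2.example.com || return 1
    key_matches_csr "$dir/hostname.key" "$dir/hostname.csr" || return 1
    echo "CSR ready to be sent to the CA: $dir/hostname.csr"
    rm -rf "$dir"
}
```

Running `run_demo` on a host with openssl installed prints the path of the checked CSR; a CSR that fails any of the three checks is reported by a non-zero return before anything is sent to the CA. The public-key comparison is the same check that is useful again later, when the signed certificate comes back and has to be paired with the key that is still on the server.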
Importing the signed certificate
For a smooth import of a signed certificate (.crt), it must be possible to use the certificate's private key without a password; how to remove the password is shown below. Furthermore, it has to be ensured that external servers are reachable.
To import a certificate, these steps are necessary:
- Copy the certificate file (e.g. hostname.crt) and the matching private key file (e.g. hostname.key) to the server
- Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
- Search for Server Private Key and adapt the following line:
SSLCertificateKeyFile <full path to .key file>
- Search for Server Certificate and adapt the following line:
SSLCertificateFile <full path to .crt file>
- Save the file
- Restart the web server using the command
[root]# service httpd restart
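Before the SSL configuration is edited and httpd is restarted, it is worth checking that the copied files actually fit together; a certificate that does not match the key, an expired certificate, one issued for a different name, or a key that everybody on the box can read each cause a failed restart or a new browser warning. The following pre-flight script is an added example and not part of the original article or of TufinOS; it assumes an OpenSSL command line and constructs its own self-signed sample certificate (host1.example.com) plus an unrelated second key as test input.

```shell
#!/bin/sh
# Added example, not part of the article: checks to run on the server before
# pointing SSLCertificateFile / SSLCertificateKeyFile at the new files and
# restarting httpd. Paths and host names are constructed placeholders.
set -eu

# The certificate and the key must belong together: compare the public key
# embedded in the certificate with the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# An already expired certificate only swaps one browser warning for another.
# -checkend 0 returns non-zero when notAfter lies in the past.
cert_is_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# The certificate must name the host exactly as users type it in the browser,
# either in the subjectAltName list or (for old single-name certificates) as CN.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Fq "DNS:$2" && return 0
    openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -Eq "CN ?= ?$2([,/]|$)"
}

# The private key must not be readable by group or other users.
key_permissions_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]
}

# Run all checks; only when they pass is it safe to adapt the SSL
# configuration and run "service httpd restart".
preflight() {
    cert="$1"; key="$2"; host="$3"
    cert_matches_key "$cert" "$key" || { echo "certificate and key do not match"; return 1; }
    cert_is_valid_now "$cert" || { echo "certificate has expired"; return 1; }
    cert_covers_host "$cert" "$host" || { echo "certificate does not cover $host"; return 1; }
    key_permissions_ok "$key" || { echo "private key is readable by other users"; return 1; }
    echo "preflight ok: $cert / $key for $host"
}

# Constructed test data: a self-signed certificate for the given host and a
# second, unrelated key (which must be rejected by cert_matches_key).
make_sample_pair() {
    dir="$1"; host="$2"
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/CN=$host" -keyout "$dir/host.key" -out "$dir/host.crt" >/dev/null 2>&1)
    (umask 077 && openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1)
}
```

On the real server the call is `preflight /path/to/hostname.crt /path/to/hostname.key hostname.example.com`; each failing check names its cause, so the problem is found before the web server refuses to come back up.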
Removing a password for certificate use
It's possible and sometimes necessary to remove the password from the private key belonging to a certificate, e.g. when it's used by a server. To do so, take these steps:
- Use OpenSSL to write a copy of the private key that can be used without a password. This is done with the command
[root]# openssl rsa -in <path to .key file> -out <path to new .key file>
- Edit the file for SSL configuration (e.g. /etc/httpd/conf.d/ssl_conf):
- Change the line
SSLCertificateKeyFile <full path to .key file>
to
SSLCertificateKeyFile <full path to new .key file>
- Save the file
- Restart the web server using the command
[root]# service httpd restart
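The `openssl rsa` step above is the whole procedure, but two things are easy to get wrong: the passphrase ends up in the shell history or in `ps` output when given on the command line, and the new, unprotected key file is created with the default umask. The script below is an added example and not part of the original article or of TufinOS; it reads the passphrase from an environment variable, creates the new key with owner-only permissions, and verifies that the copy is really unencrypted, still the same key pair, and loadable without anyone at the console. The encrypted sample key and its passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: strip the passphrase from a private key
# so httpd can start unattended, and verify the result. Paths and the
# passphrase are constructed placeholders.
set -eu

# A passphrase-protected PEM key carries "ENCRYPTED" in its header
# ("Proc-Type: 4,ENCRYPTED" for traditional PEM, "BEGIN ENCRYPTED PRIVATE KEY"
# for PKCS#8), so a simple grep tells the two forms apart.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Write an unencrypted copy of the key. The passphrase is handed over via the
# environment (-passin env:VAR) rather than on the command line, where it would
# be visible in ps output and shell history. umask 077 makes the new file
# readable by its owner only.
strip_key_passphrase() {
    KEY_PASS="$3"; export KEY_PASS
    (umask 077 && openssl rsa -in "$1" -passin env:KEY_PASS -out "$2" >/dev/null 2>&1)
    unset KEY_PASS
}

# The stripped key must still be the same key pair: same public key as before.
same_key_pair() {
    KEY_PASS="$3"; export KEY_PASS
    a=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || { unset KEY_PASS; return 1; }
    unset KEY_PASS
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$a" = "$b" ]
}

# What the web server needs: the key loads with nobody typing a passphrase.
# stdin is /dev/null, so a key that still prompts fails instead of hanging.
key_loads_without_password() {
    openssl pkey -in "$1" -noout </dev/null >/dev/null 2>&1
}

# Constructed input: a fresh RSA key encrypted with AES-256 and a passphrase.
make_encrypted_key() {
    KEY_PASS="$2"; export KEY_PASS
    (umask 077 && openssl genrsa -aes256 -passout env:KEY_PASS -out "$1" 2048 >/dev/null 2>&1)
    unset KEY_PASS
}
```

Typical use on the server is `strip_key_passphrase hostname.key hostname-nopass.key "$PASSPHRASE"` followed by `same_key_pair` and `key_loads_without_password` on the new file; the old, encrypted key can then be kept as the protected master copy while SSLCertificateKeyFile points at the unencrypted one.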