Version: Next

TLS Security

You have two options for obtaining a certificate and key. The self-signed certificate is quicker and easier to set up but may trigger browser warnings that users must accept each time they visit the site. Alternatively, a Certificate Authority (CA)-signed certificate requires more setup steps but ensures full browser trust. For more details on the differences between these options, refer to Difference between Self-Signed and CA-Signed Certificates.

CA Signed Certificates

Request your certificates from your organization's certificate provider. Make sure to use the correct Common Name (CN) for your environment. In a load-balanced setup, you should typically include the CN of the load balancer and the CNs of each member as Subject Alternative Names (SANs). Before proceeding with the certificate installation, ensure you have the Certificate Authority (CA) chain, server key, and certificate. Additionally, verify that your Linux system has the CA certificate installed in the default trust store.

Check Trust Store for CA Certificate

To verify whether your CA certificate is installed in the default trust store on a RHEL-family system (where update-ca-trust maintains the bundles under /etc/pki/ca-trust), search the extracted certificates directory. Use the following command, replacing CA_NAME with the Common Name (CN) of your CA certificate:

grep -i "CA_NAME" /etc/pki/ca-trust/extracted/pem/*

Load CA Certificate into Truststore

If your CA certificate is missing from the default trust store, you can manually add it by following these steps:

  1. Copy the CA Certificate to the Trust Store Directory:

    First, copy the .crt file for your CA certificate to the anchors directory in the trust store.

    sudo cp /path/to/your/CA.crt /etc/pki/ca-trust/source/anchors/
  2. Update the Trust Store:

    After copying the CA certificate, you need to update the system’s trust store to include the new certificate.

    sudo update-ca-trust extract
  3. Verify the CA Certificate is Loaded:

    To confirm that the CA certificate has been successfully added, search the extracted bundle for its Common Name again (the same check as above; on p11-kit based systems the command trust list also shows the installed anchors):

    grep -i "CA_NAME" /etc/pki/ca-trust/extracted/pem/*

CA Self-Signed Certificates

Follow these steps to create a self-signed Certificate Authority (CA), server key, and server certificate. A self-signed CA can be used for securing communication in your environment. It is important to use the same CA across all servers in your environment to ensure trust and avoid certificate errors.

Create a directory to store your certificates and keys, e.g. /opt/ISS/config/selfsigned-certs, and run the commands below from this directory.

Note: Root user privileges are required for some of the steps. Ensure you are either logged in as the root user or use sudo for commands that need elevated permissions.

Generate the Root Private Key

This key will be used to sign the server certificates. Run the following command to generate the private key for the CA:

openssl genpkey -algorithm RSA -out ca.key -aes256

This command generates a 2048-bit RSA private key and protects it with AES-256 encryption.

Create the Root Certificate

Now, create the self-signed root certificate. This certificate will identify your CA.

openssl req -key ca.key -new -x509 -out ca.crt -days 3650

This command will ask you to enter details like country, state, and organization. Ensure that the Common Name (CN) you choose here is descriptive of your CA.

Important: Use the same CA certificate (ca.crt) across all servers in your environment to establish a chain of trust.

Create the Server Private Key

The server private key authenticates the server to clients and is used to establish the encrypted TLS session between them. To generate a server private key:

openssl genpkey -algorithm RSA -out server.key -aes256

This generates an AES-256-encrypted private key for the server. Because the key is encrypted, the service that loads it needs the passphrase (entered interactively or supplied through its configuration) each time it starts.

Create the Server Certificate Signing Request (CSR)

The CSR is what you send to the CA to get your server certificate signed. In this step, you will include Subject Alternative Names (SANs) for the domains or IP addresses that should be associated with the server certificate.

Create a configuration file to specify the SANs:

nano san.cnf

In the san.cnf file, add the following:

[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = GB
stateOrProvinceName = Cheshire
localityName = Manchester
organizationName = MyCompany
commonName = your.server.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = your.server.com
DNS.2 = another.server.com
IP.1 = 192.168.1.1

Replace the domain names (your.server.com, another.server.com, etc.) and the IP address with the appropriate values for your environment. IP addresses must be listed as IP.n entries rather than DNS.n entries, otherwise clients connecting by IP will not match them. The prompt = no line makes OpenSSL take the [req_distinguished_name] values as they are written; without it, those values are shown as prompt labels and you are asked to type each field again.

Now, generate the CSR using the following command:

openssl req -new -key server.key -out server.csr -config san.cnf

This will generate the server CSR with the specified SANs.

Sign the Server Certificate with the CA

Use your root CA to sign the server certificate and generate the .crt file. This certificate will allow the server to be trusted by clients within your environment.

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -extensions v3_req -extfile san.cnf

This command signs the server's CSR with your root CA, creating the server certificate (server.crt). The -extensions v3_req and -extfile san.cnf flags ensure that the SANs from san.cnf are copied into the certificate; without them the signed certificate carries no SAN extension and clients will report a hostname mismatch.

Verify the Server Certificate

To verify that the server certificate was generated correctly and includes the SANs, use the following command:

openssl x509 -in server.crt -text -noout

This will display details about the server certificate, including the SANs section. You should see your SAN entries listed under X509v3 Subject Alternative Name.

Once you have created the CA and server certificates, distribute the CA certificate (ca.crt) to all the servers that need to trust this CA. This ensures that all servers in your environment can securely communicate with each other.
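The whole self-signed procedure above, run end to end and then checked, as an added example that is not part of the original page. It assumes a scratch directory, the constructed hostnames iss.example.internal and iss-node1.example.internal, the constructed IP 10.0.0.10, and a sample passphrase passed with -pass/-passin so that nothing prompts; the CA certificate is also given explicit CA basicConstraints and keyUsage so that openssl verify accepts it as an issuer.

```shell
# Added example, not from the original page: the self-signed CA procedure run
# non-interactively. Constructed values: hostnames iss.example.internal and
# iss-node1.example.internal, IP 10.0.0.10, and a sample passphrase via -pass.
set -eu
PASS="pass:ChangeMe-example-only"   # constructed sample; use a real secret
# One config file: CA extensions (v3_ca) plus the server SANs (v3_req).
write_cnf() {
    cat > "$1" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C = GB
O = MyCompany
CN = iss.example.internal
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = iss.example.internal
DNS.2 = iss-node1.example.internal
IP.1 = 10.0.0.10
EOF
}

# Create ca.key/ca.crt, server.key/server.csr and the signed server.crt in $1.
make_selfsigned_certs() (
    mkdir -p "$1" && cd "$1" && write_cnf san.cnf
    openssl genpkey -algorithm RSA -aes256 -pass "$PASS" -out ca.key 2>/dev/null
    openssl req -new -x509 -key ca.key -passin "$PASS" -config san.cnf \
        -extensions v3_ca -subj "/C=GB/O=MyCompany/CN=MyCompany Internal CA" \
        -days 3650 -out ca.crt
    openssl genpkey -algorithm RSA -aes256 -pass "$PASS" -out server.key 2>/dev/null
    openssl req -new -key server.key -passin "$PASS" -config san.cnf -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin "$PASS" \
        -CAcreateserial -days 3650 -extensions v3_req -extfile san.cnf \
        -out server.crt 2>/dev/null
)

# Succeed only if server.crt chains to ca.crt and carries the DNS and IP SANs.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null || return 1
    openssl x509 -in "$1/server.crt" -noout -text > "$1/server.txt"
    grep -q 'DNS:iss-node1.example.internal' "$1/server.txt" || return 1
    grep -q 'IP Address:10.0.0.10' "$1/server.txt"
}
```

Run make_selfsigned_certs on a directory and then verify_server_cert on the same directory; the second function exits non-zero if the chain does not validate or a SAN is missing, which is the check to repeat whenever san.cnf changes.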


For any updates or clarifications, please contact the support team.