Creating a Self-Signed Certificate CS 7.x: Difference between revisions

From support-works
Jump to navigation Jump to search
No edit summary
Line 22: Line 22:
# Open the command prompt and enter the following:
# Open the command prompt and enter the following:
#: '''cd \<core-services-install>\Apache\bin\'''
#: '''cd \<core-services-install>\Apache\bin\'''
#: '''openssl genrsa -des3 -out serverwp.key 2048 -config ..\conf\openssl.cnf'''
#: '''openssl genrsa -des3 -out serverwp.key 2048
# When prompted, enter a passphrase and make a note of it.
# When prompted, enter a passphrase and make a note of it.
# The file server.key will of been generated in the current path
# The file server.key will of been generated in the current path

Revision as of 16:49, 29 June 2023



Status: Published
Version: 1.0
Authors: HTL QA
Applies to: Hornbill Core Services Version 7.0.2

Overview

The self-signed certificate provided by Hornbill should be used as a temporary solution until a valid certified certificate is provided (usually for external sites). It is possible to generate a self-signed certificate for use on the Apache server provided within core services for internal use only. A new Certificate may be required to contain details more relevant to a site or due to a Certificate expiring.

Resolution

Core Services ships with the "OpenSSL" tool used by Apache to implement secure communications using the SSL or TLS protocols and provides a mechanism for generating Private keys and managing Certificates. The tool can generate self-signed certificates for use within the Apache configuration, as detailed in the steps below:

Generating a Private Key

An RSA private key is generated and can be 1024-bit or 2048-bit; we would recommend 2048-bit be used. The tool is located <core-services-install>\Apache\bin\openssl.exe

  1. Open the command prompt and enter the following:
    cd \<core-services-install>\Apache\bin\
    openssl genrsa -des3 -out serverwp.key 2048
  2. When prompted, enter a passphrase and make a note of it.
  3. The file server.key will of been generated in the current path

Generate a Certificate Signing Request (CSR)

A CSR can be used to send off to a Certificate Authority such as Verisign to verify the identity of the requestor and issue a signed certificate; alternatively, generate a self-signed certificate. Some details will be requested to populate the X.509 attributes of the certificate. The following uses SHA-2 when generating the certificate (recommended)

  1. Enter the following at the command prompt:
    openssl req -new -key serverwp.key -sha256 -out server.csr -config ..\conf\openssl.cnf
    When prompted, enter the appropriate details to the X.509 attributes.
    The following is an example:
    Country Name (2 letter code) [AU]:UK
    State or Province Name (full name) [Some-State]:Middlesex
    Locality Name (eg, city) []:Ruislip

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hornbill Technologies Ltd
    Organizational Unit Name (eg, section) []:Development
    Common Name (e.g. server FQDN or YOUR name) []:supportworks.hornbill.qa
    Email Address[]:[email protected]

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:'
  2. The file server.csr created in the current file path, and the CSR can now be used to send to a CA. Alternatively, the CRS can be used to generate a Self-Signed certificate as detailed below:

Generating a Self-Signed Certificate

  1. Enter the following command generates a certificate that is valid for 365 days; modify the number of days as required:
    openssl x509 -req -days 365 -in server.csr -signkey serverwp.key -sha256 -out hslcsdef.crt -config ..\conf\openssl.cnf
  2. When prompted enter the passphrase as noted earlier
    The file hslcsdef.crt is generated in the current path and should be stored securely.

Removing the Private Key password

When the key is applied, the Apache server will require the password (passphrase) to be entered manually each time the server starts. This will be an issue when running Apache as a service as it is not possible to provide the password at startup. To resolve this the password can be removed using the following command. If the generated key is to be used by software such as the Apache Server, it is required to enter the password (passphrase) each time the server starts. There is no mechanism in place to enter the password when Apache is running as a service therefore it is not possible to provide the password at startup.

  1. The following command removes the password from the key:
    openssl rsa -in serverwp.key -out hslcsdef.key -config ..\conf\openssl.cnf
  2. The file hslcsdef.key will of been generated in the current path

IMPORTANT: An unencrypted private key file (hslcsdef.key) must be kept safe and stored securely if the data were to be accessed by a malicious user they can easily access the private key.

Copy both the key and certificate files to the following paths:


hslcsdef.key => <install path>\Core Services\swehttpserver\conf\ssl.key and hslcsdef.crt => <install path>\Core Services\swehttpserver\conf\ssl.crt