banner



Home  ›  How To Install Cer Certificate In Linux

How To Install Cer Certificate In Linux

Written By Sunday, March 13, 2022 Add Comment Edit

Install a CA-signed SSL certificate with OpenSSL

  1. Last updated
  2. Save as PDF

Overview

Every Code42 server includes a self-signed document to support secure https connections. That certificate enables encryption of client-server communications, just information technology cannot fairly identify your server and protect your clients from counterfeiters. This article describes how to configure a more than secure pick: using OpenSSL to create an SSL/TLS certificate signed by a trusted certificate authority (CA).

Other manufactures describe other tools for creating a CA-signed certificate:

  • The KeyStore Explorer provides a graphical user interface for managing certificates and keystores.
  • Windows administrators typically use the Java keytool.

Server security requires a CA-signed document and the TLS protocol
Reliable security of any production web server requires an SSL document signed past a trusted certificate authority (CA) and enforced use of the TLS protocol (that is, HTTPS, not HTTP).

Your on-premises Code42 authority server is no exception. A Code42 server that is configured to use a signed certificate, strict TLS validation, and strict security headers protects server communications with browsers, your Code42 apps, and other servers.

  • By default, your authority server uses a self-signed certificate and TLS. That provides for encrypting client-server traffic.
  • Calculation a CA-signed certificate provides further security by confirming your server's identity to clients. It prevents attackers from acquiring customer data through counterfeit servers and encryption keys.
  • Never reconfigure a production server to utilise HTTP, rather than TLS and HTTPS.
  • Configuring Code42 servers and apps to utilize strict TLS validation farther ensures the security of customer-server connections.
  • Configuring Code42 servers to apply an HTTPS Strict Send Security (HSTS) response header farther prevents unencrypted browser access to Code42 consoles.

Earlier you begin

Keys and SSL certificates on the web

A Code42 server uses the same kinds of keys and certificates, in the same means, as other spider web servers. This article assumes you are familiar with public-cardinal cryptography and certificates. See the Terminology section below for more concepts included in this article.

Getting a signed certificate from a CA tin take as long as a week. Therefore, creating a keystore from scratch using this process includes a suspension while you wait to receive the signed certificate from your CA.

Keys and certificates in the Code42 environment

  • This commodity is for administrators running Code42 servers on Linux systems.
  • This commodity describes use of two command-line tools: OpenSSL and Java keytool. OpenSSL is built into most Linux distributions. Java keytool installs equally office of a system's Java Runtime Engine (JRE). If neither is nowadays, do the following:
    • Mac:
      Download and install OpenSSL.
      Download and install a JRE from Oracle's web site.
    • Linux: Issue these commands:
      sudo apt-become install openssl
      sudo apt-go install default-jre

    Build your keystore on whatsoever automobile
    You can generate keys and build keystores on any secure machine so import the result, a *.jks file, to your authority server via the Code42 console. You exercise non need any further access to the authorisation server's host motorcar.

  • A Code42 server requires keys and certificates wrapped in a Java keystore file.
  • Once you have a signed keystore, you sign in to your Code42 console and import the keystore for your Code42 server'due south use. Importing requires the Administrator or SYSADMIN office.
  • Importing a keystore requires briefly stopping and restarting your Code42 server. Consider stopping and restarting your Code42 server during depression-traffic hours.
  • If y'all import a certificate and key with exceptionally strong encryption, first configure your Code42 server to accept longer keys.

Keys and certificates in your organization

Consult your security or web administrators to learn nigh your organization's existing keys, certificates, and keystores. Determine whether y'all will:

  • Generate a new keystore and get a new CA-signed certificate for information technology.
    In this case, find the address of the CA your organisation uses.
  • Import existing keys, certificates, or keystore for your Code42 server's domain.

Existing materials must include Subject Alternative Name (SAN)
Certificates and keystores built to an older standard may lack the Discipline Alternative Name (SAN) extension. Most browsers now distrust such certificates. If your existing certificates and keystores don't take the SAN extension, start over with a new certificate signing request.

Demand help?
Assistance creating a keystore or handling a document signing request (CSR) are across the scope of Customer Champions. For farther assistance, contact your Customer Success Manager (CSM) to engage the Code42 Professional person Services team.

Terminology

These instructions employ the following terms:

  • Key: A unique string of characters that provides essential input to a mathematical process for encrypting information.
  • Key Pair: A public encryption primal and a private encryption key, in a matched fix.
  • Public Key: Allows a sender (customer or server) to encrypt a message for a specific recipient (server or client). When your server sends a browser its public key, the browser tin can encrypt letters that simply your server can read, because merely your server has the matching private key.
  • Self-Signed Certificate: A file that contains a public key and identifies who owns that key and its corresponding individual key.
  • CA-Signed Certificate: A certificate potency (CA) electronically signs a certificate to affirm that a public key belongs to the owner named in the document. Someone receiving a signed certificate can verify that the signature does belong to the CA, and determine whether anyone tampered with the document after the CA signed information technology.
  • Certificate Concatenation: Ane signed certificate affirms that the fastened public fundamental belongs to its owner. A second signed certificate affirms the trustworthiness of the first signer, a tertiary affirms the second, and then on. The top of the concatenation is a cocky-signed but widely trusted root document.
  • Root Certificate: A certificate trusted to end a certificate chain. Operating systems and web browsers typically have a built-in set of trusted root certificates. When your server sends a chain of certificates and ane of them matches one of a browser's trusted root certificates, then the browser trusts your server. When the browser encrypts data with your public key, the browser is assured that only your server can read it.
  • Keystore: A file that holds a combination of keys and certificates.
  • Formats: These instructions read and write files in the following formats:
  • PKCS: A binary file format typically associated with Windows systems. Typical file names are *.pkcs, *.p12, *.p7b, *.pfx
  • Java Keystore: A binary file format for use by Java applications (like the Code42 server). Typical file names are .keystore and *.jks
  • PEM: An ASCII text file that holds keys, certificates, or both. PEM files are common on Linux systems and Apache. Typical file extensions are *.pem, *.fundamental, *.csr, *.cert

    To identify a PEM file, open up it with a panel or text editor. If yous see ASCII text, information technology's a PEM file.

PEM File With ASCII Text

Create a keystore

Create a keystore using one of the following options:

  • Selection 1: Create a cardinal, go a CA to sign it, then build a keystore.
  • Option 2: Recombine existing keys and certificates into a new keystore.
  • Option three: Convert an existing PKCS12 keystore to a Java keystore.

Option 1: Create and certify a new fundamental

Step 1: Generate a key pair and a signing request

Create a PEM format private primal and a asking for a CA to certify your public key.

  1. Create a configuration file openssl.cnf like the case below:
    • Or make sure your existing openssl.cnf includes the subjectAltName extension.
    • Supervene upon <your.domain.com> with the complete domain name of your Code42 server. 
[ req ] default_bits       = 4096 distinguished_name = req_distinguished_name req_extensions     = req_ext  [ req_distinguished_name ] countryName         = Country Proper name (two-letter code) stateOrProvinceName = Land or Province Name (full name)  localityName        = Locality (due east.g. city name) organizationName    = Organization (e.one thousand. company name) commonName          = Common Name (your.domain.com)  [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = <your.domain.com>
  1. Issue the command below, with ii substitutions:
    • <your.domain.com>: the consummate domain name of your Code42 server.
    • <path>: the file path for your openssl.cnf file.
openssl req -new -keyout <your.domain.com>.key -out <your.domain.com>.csr -nodes -newkey rsa:4096 -config <path>/openssl.cnf
  1. Reply the prompts for identifying information.
    At Common Name, you must supply the domain name of the Code42 server you want to secure.
    Virtually CAs require values for the other fields as well.     
Generating a 4096 bit RSA private primal ............................................+++ ............................................+++ writing new private cardinal to '<your.domain.com>.key' ----- You are near to be asked to enter data that will exist incorporated into your certificate request. What you are near to enter is what is called a Distinguished Proper name or a DN. In that location are quite a few fields but y'all tin leave some blank For some fields there will be a default value, If you lot enter '.', the field volition be left blank. ----- Land Name (2 letter code) [AU]:Us State or Province Name (full name) [Some-State]:MN Locality Proper name (eg, city) []:Mnpls Organization Name (eg, company) [Default Org.]:Case Organizational Unit of measurement Name (eg, department) []:9                    Mutual Name (e.g. server FQDN or YOUR proper noun) []:<your.domain.com>                    Email Accost []:<cert-admin@your.domain.com> Please enter the following 'extra' attributes to be sent with your certificate request A claiming password []:<countersign> An optional visitor proper noun []:Case Inc.
  1. Look for two files in the current directory: <your.domain.com>.key and <your.domain.com>.csr
  2. Confirm that a cat <filename> control displays ASCII text.
    If the 2 files from Footstep 3 exist and the command displays ASCII text, the control succeeded. 
cat <your.domain.com>.csr -----BEGIN Document Request----- MIIDAzCCAesCAQAwgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJNTjEOMAwGA1UE BwwFTW5wbHMxDzANBgNVBAoMBkNvZGU0MjELMAkGA1UECwwCSVgxGzAZBgNVBAMM ... EmV4YW1wbGUuZG9tYWluLmNvbTEmMCQGCSqGSIb3DQEJARYXbmFtZUBleGFtcGxl QITwVRVRp817TQLFS9o8pdu4iUcxpsiNdn58ZeNNUJjOgmZDxtpQPiL1sv0QuxUo YgKjmS+0yw== -----Cease Document REQUEST-----

Step 2: Asking a CA-signed document

  1. Submit the file <your.domain.com>.csr to your CA.
    • Details vary from ane CA to another. Typically, you lot submit your request via a website, then the CA contacts you to verify your identity.
    • CAs can transport signed reply files in a diversity of formats, and CAs use a variety of names for those formats. You desire the CA's reply in PEM format, the format for a Linux system, for an Apache server.
    • Ask the CA what intermediate certificates you need and where to get them. One or more intermediate certificates are often, but not always, necessary to complete the chain of trust between your CA and a root CA trusted spider web browsers.
  2. Wait (usually days or a calendar week) for the CA's answer.

Pace 3: Import the CA's respond

  1. When you lot take the CA's reply file and intermediate certificate, combine them into a single PKCS keystore.
    The reply and certificate files must exist in PEM format. If you can open them with a text editor and see ASCII characters, they are PEM.

  2. Re-create the files from the CA's reply to the directory of the .central and .csr files from Step 1.

  3. Run the post-obit commands from that directory.
    If you have multiple intermediate certificates, combine them in any order.

  4. Use the following command, with these substitutions:
    <midfile.1.cert.pem> and <midfile.2.cert.pem>: the names of intermediate certificate files.
true cat <midfile.one.cert.pem> <midfile.ii.cert.pem> > intermediates.cert.pem
  1. Create the keystore.p12 file. Use the control below, with these substitutions:
    • <CAreply> : The proper name of the CA reply file.
    • <your.domain.com> : The consummate domain name of your Code42 server.
    • <intermediates.cert.pem> : The file of intermediate certificates. Not all CA replies require intermediates.
    • When the command prompts for the consign password, provide at least half dozen characters.
openssl pkcs12 -export -in <CAreply> -inkey <your.domain.com>.key    -certfile <intermediates.cert.pem> -name "<your.domain.com>"    -out <your.domain.com>.p12
  1. Convert your keystore.p12 to a Coffee keystore.jks. Use the control beneath, with these substitutions:
    • <your.domain.com> : The aforementioned domain name as in the command above.
    • <youruserid>: The ID of the Linux user you used to sign in.
    • When the control prompts for source and destination keystore passwords, provide the aforementioned password that yous used for the previous control.
sudo keytool -importkeystore    -srckeystore <your.domain.com>.p12 -srcstoretype PKCS12    -destkeystore <your.domain.com>.jks
  1. If the command succeeds, it returns this message: 
Import command completed: i entries successfully imported, 0 entries failed or cancelled [Storing <your.domain.com>.jks]
  1. Gear up your ownership of the keystore file.
sudo chown <youruserid>:<youruserid> <your.domain.com>.jks
  1. Proceed to configuring your Code42 server to utilise the keystore.

If the commands fail, you see messages similar the following, for instance:

Error opening certificates from certfile <filename>: The command cannot find the file.

unable to load certificates: In that location is some fault in a document file.

Option 2: Recombine existing PEM keys and certificates

If you have an existing private key and certificates for your Code42 server's domain, in PEM format, combine them into a PKCS keystore, then catechumen the PKCS keystore into a Java keystore.

  1. Effect the two commands below, with these substitutions:
    • <existing.cert.pem>: The existing signed certificate file that matches your existing private primal.
    • <existing.key.pem>: The existing individual cardinal file.
    • <intermediate.cert.pem>: The existing intermediate certificates that consummate the concatenation from your document to a root CA.
    • <your.domain.com> : The complete domain proper noun of your Code42 server.
    • <youruserid>: The ID of the Linux user you used to sign in.
    • Both commands will prompt you for passwords to the source and destination keystores.
openssl pkcs12 -consign -in <existing.cert.pem> -inkey <existing.key.pem>    -certfile <intermediate.cert.pem> -name "<your.domain.com>"    -out <your.domain.com>.p12  keytool -importkeystore     -srckeystore <your.domain.com>.p12 -srcstoretype PKCS12    -destkeystore <your.domain.com>.jks
  1. Set your ownership of the keystore file.
sudo chown <youruserid>:<youruserid> <your.domain.com>.jks

Option 3: Convert an existing pkcs12 keystore

If you have an existing PKCS keystore for your Code42 server's domain, convert information technology to a Java keystore.

  1. Utilize the command beneath, with these substitutions:
    • <your.domain.com.p12> : The existing PKCS file.
    • <your.domain.com> : The complete domain name of your Code42 server.
    • <youruserid>: The ID of the Linux user you used to sign in.
    • The command volition prompt you for passwords for the source and destination keystores.
keytool -importkeystore     -srckeystore <your.domain.com.p12> -srcstoretype PKCS12    -destkeystore <your.domain.com>.jks
  1. Gear up your ownership of the Java keystore file.
sudo chown <youruserid>:<youruserid> <your.domain.com>.jks

Configure your Code42 server to employ your keystore

Footstep 1: Support your Code42 server's database

Every bit a best do, dorsum up your Code42 server's database:

  1. Open up the Code42 panel.
  2. Navigate to Settings > Server.
  3. From the action menu, select Dump Database.

Footstep 2: Set up a test server

Code42 strongly recommends trying out your keystore on a test server before moving it into production, as errors in a keystore tin completely lock upwardly a server.

  1. Sign in to Linux test system or virtual car.
  2. Edit that system'south hosts file to provide the same domain proper noun as your production Code42 server.
    1. Open /etc/hosts with a text editor:
      sudo nano /etc/hosts
    2. Insert or change a line so that it begins with the test server's IP address followed past your Code42 server's domain proper name.
    3. Exit and save:
      control-X y return

Edit hosts file

  1. Install a Code42 server.
  2. Sign in to the Code42 console at:
    https://<your.domain.com>:4285
  3. At Settings > Server > Full general > Website protocol, host and port, provide the aforementioned address:
    https://<your.domain.com>:4285.
  4. Press Relieve.

Footstep 3: Import your keystore to your Code42 server

  1. In the Code42 console, select Settings > Security > Keys.
  2. At SSL, check Crave SSL to access console.
  3. Click Import Keystore.
  4. Select your keystore file, <your.domain.com.jks>, and provide <yourpassword>.
  5. Render to the Linux command line and cease and restart the Code42 server:
    sudo /opt/proserver/bin/proserver stop
    sudo /opt/proserver/bin/proserver commencement
  6. Give the server several minutes to start up, so return the browser to the Code42 console sign in page:
    https://<your.domain.com>:4285
  7. If the keystore import succeeds, your browser will show a secure connection icon padlock green means secure browser connection rather than an exception alarm.
    Indicators vary past browser.

Web Browser Secure Connection

  1. If the keystore import succeeds on your test server, repeat these Pace 3 instructions on your production Code42 server.

Troubleshooting

  • If your test Code42 server fails to offset after installing the new keystore, uninstall and reinstall the server.
  • If your production Code42 server fails to outset after installing the new keystore, see Recover your Code42 server to a previous state.
  • Most problems with SSL certificates are related to key creation, signing, and conversion. Nosotros recommend that you:
    • Carefully repeat the process described above.
    • Check that your certificate and keystore files include the Subject Alternative Proper noun (SAN) extension.
      Catechumen your keystore or document to text, equally described below. Look for
      X509v3 Subject Alternative Name
    • Consult with your CA to make certain you accept the correct intermediate certificates.
    • Consult documentation for the tool you're using:
      • OpenSSL
      • Java keytool
      • KeyStore Explorer
  • For additional help, contact your Customer Success Director (CSM).

Automatically-generated self-signed certificates

Keys are kept in a keystore. Your authority servers or storage servers use the keys in the keystore to securely procedure transactions.

If a Code42 server cannot find keys, information technology searches for keystores with the following precedence:

  1. The keystore in the database, uploaded in the Code42 panel or by API. (To upload the keys in the Code42 console, navigate toAssistants > Settings > Security > Keys.)
  2. The keystore location on the server as configured by thec42.https.keystore.default organization holding. To verify the location, enter the post-obit prop.bear witness command in the Code42 console command-line interface (CLI): prop.bear witness c42.https.keystore.default

If for some reason your Code42 servers cannot locate the keys in these locations, they generate a self-signed certificate to ensure uninterrupted performance of your Code42 environment. The automatically-generated self-signed document should only exist used temporarily while you troubleshoot keystore issues. Code42 strongly recommends using a CA-signed certificate for product environments.

Convert certificates and keystores to text files

Certificate and keystore files are in binary or base64 formats. You lot can make them easier to read by converting files to PEM format and then converting PEM files to text, as follows:

  • Java keystore to PKCS 
    keytool -importkeystore -srckeystore <filename>.jks -destkeystore <filename>.p12 -srcstoretype jks -deststoretype pkcs12
  • PKCS to PEM 
    openssl pkcs12 -in <filename>.p12 -out <filename>.crt
  • PEM certificate to text 
    openssl x509 -text -in <filename>.crt > <filename>.crt.txt
  • PEM CSR to text (certificate signing request) 
    openssl req -text -noout -in <filename>.csr > <filename>.csr.txt

A certificate in readable text

Certificate:     Information:         Version: three (0x2)         Serial Number: 4096 (0x1000)     Signature Algorithm: sha256WithRSAEncryption         Issuer: C = US, ST = MN, O = CAsOrg, OU = CAsUnit, CN = CAsName                      The issuer is the CA who signed the certificate.                      Validity             Not Earlier: Aug 15 thirteen:50:25 2022 GMT             Not Afterward : Aug xv 13:50:25 2022 GMT                      This certificate's expiration date.                      Subject: C = United states, ST = MN, L = YourTown, O = YourOrg, OU = YourUnit, CN = yourdomain.tld,             emailAddress = you lot@yourcompany.tld                      Subject: You and the website this certificate validates.                      Subject Public Primal Info:                      Your public primal. Clients apply it to encrypt messages.                      Public Key Algorithm: rsaEncryption                  Public-Cardinal: (2048 scrap)                 Modulus:                     00:aa:a4:de:e3:e3:d4:b9:f3:3d:1c:1e:b7:1b:69:                     4f:5b:22:08:4b:75:81:54:91:8f:63:57:a8:0e:bd:                     ...                     ab:a3:21:3f:c4:28:1c:9a:4e:e4:f0:81:a2:ab:73:                     b3:83                 Exponent: 65537 (0x10001)         X509v3 extensions:             X509v3 Bailiwick Culling Proper name:                      Most browsers require the SAN extension.                      DNS:yourdomain.tld             X509v3 Basic Constraints:                 CA:FALSE             Netscape Cert Type:                 SSL Server             Netscape Comment:                 OpenSSL Generated Server Certificate             X509v3 Subject area Key Identifier:                 12:E8:E1:E5:65:57:BB:2A:1C:CC:E3:61:E8:5C:79:34:CF:DD:E3:B1             X509v3 Authority Key Identifier:                 keyid:F3:16:90:68:9A:B2:85:40:A8:1D:F3:2D:78:B2:6D:4E:82:0C:B0:32                 DirName:/CN=Vera/OU=Vera/O=VeraCA/L=Roseville/ST=MN/C=Us                 serial:10:00             X509v3 Key Usage: critical                 Digital Signature, Key Encipherment             X509v3 Extended Key Usage:                 TLS Web Server Hallmark     Signature Algorithm: sha256WithRSAEncryption          29:52:6f:5a:de:26:44:50:advertizement:e3:33:7b:8d:ba:2e:b5:cb:d9:          35:21:75:0c:6b:ea:e0:f4:d0:e3:72:8e:5d:9e:3b:02:bf:8f:          ...          81:45:8f:1f:71:45:xiii:0a:ec:f1:0c:70:30:f2:6f:73:cd:5c:          55:41:b6:b6:0a:fc:fb:c9 -----BEGIN Certificate----- MIIFpTCCA42gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMx CzAJBgNVBAgMAk1OMRUwEwYDVQQKDAxQaGlsTm9yY3Jvc3MxDTALBgNVBAsMBFZl ... BeWBceJRAcqt2XtY/6HteHUxpxCbSPVcEZWw6dkrM4FFjx9xRRMK7PEMcDDyb3PN XFVBtrYK/PvJ -----END Certificate-----

Source: https://support.code42.com/CP/Admin/On-premises/6/Configuring/Use_OpenSSL_to_install_a_keystore

Posted by: flowerslitty1953.blogspot.com

0 Response to "How To Install Cer Certificate In Linux"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel