
Install SSL certificate on Mediaflux server

  1. Generate certificate request and private key. (The private key can be reused to generate new requests for renewing the certificate.)
    • Create a request configuration file named your-domain-name.csr.conf like below:
      [req]
      prompt=no
      default_bits=2048
      encrypt_key=no
      # sha1 is deprecated for signatures; sha256 is the current recommendation
      default_md=sha1
      distinguished_name=dn
      # PrintableStrings only
      string_mask=MASK:0002
      x509_extensions=x509_ext
      req_extensions=req_ext
      [dn]
      C=AU
      ST=Your State
      L=Your City
      O=Your Organization
      OU=Your Organisation Unit
      CN=mediaflux.your-domain.org
      [x509_ext]
      subjectAltName=DNS:name1.your-domain.org.au,URI:https://mediaflux.your-domain.org.au/1234/shibboleth,DNS:name2.your-domain.org.au,URI:https://daris.your-domain.org.au/1234/shibboleth
      subjectKeyIdentifier=hash
      [req_ext]
      subjectAltName=DNS:name1.your-domain.org.au,DNS:name2.your-domain.org.au
      
    • Generate certificate request using the command below:
      openssl req -config your-domain-name.csr.conf -new -days 3650 -keyout your-domain-name.key -out your-domain-name.csr
      
      You should now have the generated private key file your-domain-name.key and the request file your-domain-name.csr. Keep the private key file somewhere safe for future certificate renewal requests.
  2. Submit the generated your-domain-name.csr file to the CA for signing (you only need to submit the .csr file; the private key stays with you). You should get back the CA-signed certificate: your-domain-name.crt
  3. Install the CA signed certificate:
    • Convert private key to .p8 format:
      openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in your-domain-name.key -out your-domain-name.key.p8
      You only need to do this once and keep the your-domain-name.key.p8 file together with your-domain-name.key for future certificate installations.
    • Install the CA signed certificate using the command below in Aterm:
      server.certificate.identity.import :in file:/path/to/your-domain-name.key.p8 :in file:/path/to/your-domain-name.crt :replacement true
      
      It should return the imported certificate identity entry. Note the id of the identity; it is used in the next step.
    • Set the default certificate alias to the newly installed certificate identity (assuming its id is 2):
      server.property.set :property -name server.default.certificate.alias 2
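The procedure above, as an added example that is not part of the original post: a POSIX shell script that writes a request config in the same shape as step 1, generates the key and CSR, produces the PKCS#8 DER key from step 3, and adds two checks a practitioner wants before importing anything into Mediaflux: that the SAN names really made it into the CSR, and that the certificate the CA returned belongs to the key in the .p8 file. The base name, CN and SAN names are assumed values; the self-signed "stand-in" certificate is constructed only so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the original post: builds the request config, key and
# CSR from step 1 and the PKCS#8 DER key from step 3, then checks that a CA-issued
# certificate actually belongs to that key before it is imported into Mediaflux.
set -eu

# Request config in the shape of the post's.  $1 base name, $2 CN, remaining args SAN DNS names
write_csr_conf() {
  base="$1"; cn="$2"; shift 2; sans=""
  for n in "$@"; do sans="${sans:+$sans,}DNS:$n"; done
  cat > "$base.csr.conf" <<EOF
[req]
prompt=no
default_bits=2048
encrypt_key=no
default_md=sha256
distinguished_name=dn
req_extensions=req_ext
[dn]
C=AU
O=Example Org
CN=$cn
[req_ext]
subjectAltName=$sans
EOF
}

# Step 1: private key + CSR.  Step 3: unencrypted PKCS#8 DER copy of the key for Mediaflux.
make_key_csr_p8() {
  openssl req -config "$1.csr.conf" -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in "$1.key" -out "$1.key.p8"
}

# Confirm a DNS name is present as a whole SAN entry in the CSR before sending it to the CA
csr_has_san() { openssl req -in "$1" -noout -text | tr ',' '\n' | grep -qx "[[:space:]]*DNS:$2"; }

# Returns 0 when the certificate's public key equals the key inside the .p8 file
cert_matches_p8() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -inform DER -in "$2" -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Constructed stand-in for the CA (self-signs the CSR) so the checks run offline
sign_stand_in() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -out "$1.crt" 2>/dev/null; }
```

Run `cert_matches_p8 your-domain-name.crt your-domain-name.key.p8` against the real CA-issued certificate; a mismatch usually means the CSR was regenerated with a fresh key after submission.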
