Akomi SSL Info
Intro
This document is to assist administrators with the purchase and installation of an SSL Certificate for an Akomi system. All Akomi systems ship with a self-signed certificate. While this is fine for internal (Intranet) use, we recommend you replace this with a true certificate as soon as possible either during or after deployment if you intend to use Akomi over the public internet.
Note that NSA has no opinion or preference for which Certificate Signing Authority you choose.
SSL Certificate Generation and Installation
Generate CSR (Certificate Signing Request)
Log in to your server's terminal (SSH).
At the prompt, type the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Note: Replace yourdomain with the domain name you're securing. For example, if your domain name is coolexample.com, you would type coolexample.key and coolexample.csr.
Enter the requested information:
Common Name: The fully-qualified domain name, or URL, you're securing.
If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
Organization: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor's name.
Organization Unit: If applicable, enter the DBA (doing business as) name.
City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
State or Province: Name of the state or province where your organization is located. Do not abbreviate.
Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
Note: The -nodes option writes the private key unencrypted, so the only password prompt is the optional challenge password for the CSR. If you do not want to set one, leave that field blank.
This will output yourdomain.key which you must keep private, and yourdomain.csr. You will deliver yourdomain.csr to the Certificate Signing Authority to generate the properly signed SSL cert.
Installing the Signed SSL Certificate in Apache
You will receive an SSLCertificateFile and an SSLCertificateChainFile from the Signing Authority.
Copy the Certificate, Key and Chain files to
/etc/httpd/ssl/
Edit the appropriate VirtualHost config file and update the paths to your new certificate files. For example:
/etc/httpd/conf.d/ssl.conf
# Server Certificate:
SSLCertificateFile /etc/httpd/ssl/yourdomain.crt
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/ssl/yourdomain.key
# Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
Restart the Apache webserver
sudo systemctl restart httpd.service
Installing the Signed SSL Certificate using N2Proxy
You will receive an SSLCertificateFile and an SSLCertificateChainFile from the Signing Authority.
Copy the Certificate, Key and Chain files to
/etc/httpd/ssl/
Edit the n2proxy config file (/etc/sysconfig/n2proxy) and update the paths to your new certificate files. For example:
/etc/sysconfig/n2proxy
# Server Certificate:
CRT=/etc/httpd/ssl/yourdomain.crt
# Server Private Key:
KEY=/etc/httpd/ssl/yourdomain.key
Restart the n2proxy service
sudo systemctl restart n2proxy
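Before restarting httpd (Apache section) or n2proxy, it is worth confirming that the certificate, key and chain files you copied into /etc/httpd/ssl/ actually belong together. The script below is an added example and not part of the Akomi tooling; it assumes the openssl CLI is installed, and the demo CA, file names and domain it builds are constructed placeholders rather than real deployment values.

```shell
#!/bin/sh
# Added example, not part of the Akomi documentation: pre-flight checks on the
# certificate, key and chain files before restarting httpd or n2proxy.
# Assumes the openssl CLI (1.0.2 or newer) is installed; every file name and
# domain below is constructed for the demo, not taken from a real deployment.
set -u

# check_ssl_files CRT KEY CHAIN DOMAIN: returns 0 when the files are consistent.
check_ssl_files() {
  crt=$1; key=$2; chain=$3; domain=$4
  # 1. The private key must belong to the certificate: compare the public keys.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $crt"; return 1
  fi
  # 2. The certificate must validate against the bundle the CA delivered
  #    (-partial_chain lets an intermediate-only bundle act as the anchor).
  if ! openssl verify -partial_chain -CAfile "$chain" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not validate against $chain"; return 1
  fi
  # 3. The certificate must not expire within the next 7 days (604800 s).
  if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null; then
    echo "FAIL: $crt expires within 7 days"; return 1
  fi
  # 4. The name being secured must appear in the certificate's SAN list.
  if ! openssl x509 -in "$crt" -noout -text | grep -q "DNS:$domain"; then
    echo "FAIL: $domain is not listed in $crt"; return 1
  fi
  echo "OK: $crt, $key and $chain are consistent for $domain"
}

# make_demo_files DIR DOMAIN: constructed CA and leaf certificate so the check
# can run offline; the CA certificate plays the role of the delivered chain file.
make_demo_files() {
  dir=$1; domain=$2
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$dir/chain.key" -out "$dir/chain.crt" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=$domain" \
    -keyout "$dir/yourdomain.key" -out "$dir/yourdomain.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/san.cnf"
  openssl x509 -req -days 30 -in "$dir/yourdomain.csr" -CA "$dir/chain.crt" \
    -CAkey "$dir/chain.key" -CAcreateserial -extfile "$dir/san.cnf" \
    -out "$dir/yourdomain.crt" 2>/dev/null
  # An unrelated key, to demonstrate the key-mismatch failure mode.
  openssl genrsa -out "$dir/wrong.key" 2048 2>/dev/null
}
```

Run check_ssl_files against the real paths from ssl.conf or /etc/sysconfig/n2proxy and only restart the service when it prints OK.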
Certbot SSL Setup
As a courtesy, we install scripts to generate and install SSL certificates provided by Let's Encrypt. You need to verify with your IT policies whether or not the certificate issued by "Let's Encrypt Authority X3" meets your company's guidelines. The process to use the automatic certificate generation is outlined below.
Download certbot-auto: wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot-auto
Install packages and dependencies that will be required to use certbot-auto: yum install nginx python2-certbot-nginx.noarch mod_ssl
Set the script to be executable: chmod +x /usr/local/sbin/certbot-auto
Run certbot-auto and follow the prompts to register and create a certificate for use.
You can renew an existing certificate using: certbot-auto renew --force-renewal --cert-name $certificate --nginx-ctl /sbin/nginx --nginx-server-root /etc/nginx
If a webserver is already installed and listens on port 80, you will need to stop it, as this method requires nginx to be started listening on port 80. The webserver can be shut down after the cert is renewed/regenerated.
Verify that the certificates were generated using: certbot-auto certificates