Ahmad Kefaya
Level 1

OpenSSL download:

https://www.openssl.org/source/

Why do we need it?

- After we finish the configuration between ExpC and ExpE, the zone will not become active until the two servers trust each other, which we achieve by uploading the certificates. We can check the zone status from:

Configuration-->Zone-->Zones

- It is used to make the traffic between the two Expressways secure (encrypted).

- Each server, ExpC and ExpE, will contain:

      • One CA certificate
      • One or more server certificates

 

We will use OpenSSL to generate the certificates between ExpC and ExpE:

      • OpenSSL will generate the "CA certificate, certificate, private key":
        • CA certificate:
          • Acts as the issuer (the trusted root) for the servers
          • Created with OpenSSL; no request from our servers is needed
          • Only one CA certificate is created
          • It is uploaded to both servers, ExpC and ExpE
          • It does not depend on the requests (CSRs) generated by ExpC and ExpE

      • Certificate:
        • A certificate issued under the CA
        • Depends on the request (CSR) for the certificate you need to create
        • If we have two requests, from ExpC and ExpE, the result is two certificates
        • Each signed certificate is uploaded to the server that generated its CSR (ExpC's to ExpC, ExpE's to ExpE)

      • Private key:
        • Between ExpC and ExpE, the private key is the one created on the Expressway when it generated the CSR
        • Between ExpE and the public DNS provider, the private key that comes from the public DNS provider is used

 

Create the certificates using OpenSSL:

      • First generate a CSR on each Expressway (C and E):

Maintenance-->Security certificate-->Server certificate, then click Generate

      1. Create a folder C:\OpenSSL and copy these files into it:

"Bin, include, lib, openssl.cnf, openssl_request.cfg"

      2. Open CMD and change to that folder:

cd ..

cd ..

cd OpenSSL

      3. Paste these commands:

mkdir demoCA

cd demoCA

mkdir certs

mkdir newcerts

mkdir private

echo 10 > serial

      4. Create an empty file named index.txt inside the demoCA folder.

      5. Copy "openssl.cnf" from the OpenSSL folder to the demoCA folder and rename it "openssl_local.cfg".

      6. Open "openssl_local.cfg" in Notepad++ and, under "[ CA_default ]", make these changes:

      • Check that the line "copy_extensions = copy" is not commented out (no # at the beginning of the line); this is what copies the extensions from the CSR, such as the subject alternative names, into the signed certificate

      • Change "policy                = policy_match" to "policy                = policy_anything"

      • Change "dir                = ./demoCA" to "dir                = ."

      • Change "default_days        = 365" to "default_days        = 3650"

      7. Copy these files from the Bin folder to the demoCA folder:
      • openssl.exe
      • libeay32.dll
      • ssleay32.dll

      8. In CMD, from the path "C:\OpenSSL\demoCA>", run:

openssl genrsa -aes256 -out private/cakey.pem 4096

      • Enter a passphrase (the example uses "PAssword")
      • Verify the passphrase ("PAssword")
      • This generates the private key of the CA

      9. In CMD, from the same path "C:\OpenSSL\demoCA>", run:

openssl req -new -x509 -days 3650 -key private/cakey.pem -config openssl_local.cfg -sha1 -extensions v3_ca -out cacert.pem

      • Enter the passphrase ("PAssword")
      • Country name "JO"
      • State "Amman"
      • Location "Amman"
      • Organization name "DC"
      • Organization unit name "IT"
      • Common name "DC"
      • E-mail address "test@domain.com"
      • This generates the CA certificate "cacert.pem" in demoCA; this is the CA certificate that will be uploaded to both ExpC and ExpE

      10. Copy the CSRs previously generated on ExpC and ExpE to the demoCA folder and sign them with these commands:

      • Rename the generated CSR files from expc.txt to expc.csr and from expe.txt to expe.csr

      • openssl ca -config openssl_local.cfg -cert cacert.pem -keyfile private/cakey.pem -in expc.csr -out certs/expc.pem -md sha1

      • openssl ca -config openssl_local.cfg -cert cacert.pem -keyfile private/cakey.pem -in expe.csr -out certs/expe.pem -md sha1

      • The signed certificates are written to the "certs" folder under the names given with -out, and a copy named by serial number (for example 10.pem) is written to the "newcerts" folder

      11. Upload the signed certificates to ExpC and ExpE:

      • The ExpC certificate to the ExpC server

      • The ExpE certificate to the ExpE server

      • Maintenance > Server certificate > Upload server certificate (the signed file from the newcerts folder)

      12. Upload your CA certificate, since you are using your own OpenSSL CA:

      • Upload the same CA certificate to both servers

      • Expressway > Trusted CA certificate, choose cacert.pem and upload

      13. No private key needs to be uploaded: each Expressway uses the private key it created when it generated its CSR.

      14. Restart each Expressway after the certificate installation.

Note: If you generate different certs with the same common name, you will get the error "openssl failed to update database. TXT_DB error number 2". If that is the case, modify your index.txt.attr file and change unique_subject to no.
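The same CA setup, signing and index.txt.attr fix as the steps above, written as an added example (not part of the original document) that runs non-interactively on Linux/macOS so the result can be checked; the scratch directory, the host name expc.example.test and the passphrase are placeholders, and sha256 is used in place of the text's sha1.

```shell
#!/usr/bin/env bash
# Added example, not from the original document: the CA layout, config edits,
# CA key/cert, signing and the index.txt.attr fix from the steps above, run
# non-interactively on Linux/macOS. Directory and host names are placeholders.
set -eu
PASS='PAssword'   # constructed sample passphrase, same as in the steps above

setup_ca() {   # steps 3-9: demoCA layout, openssl_local.cfg, CA key and CA cert
  mkdir -p "$1/certs" "$1/newcerts" "$1/private" && cd "$1"
  touch index.txt && echo 10 > serial
  cat > openssl_local.cfg <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_days = 3650
default_md = sha256
policy = policy_anything
copy_extensions = copy
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout "pass:$PASS" -out private/cakey.pem 2048  # text: 4096
  openssl req -new -x509 -days 3650 -key private/cakey.pem -passin "pass:$PASS" \
    -config openssl_local.cfg -sha256 -extensions v3_ca -out cacert.pem \
    -subj '/C=JO/ST=Amman/L=Amman/O=DC/OU=IT/CN=DC/emailAddress=test@domain.com'
}
make_csr() {   # stand-in for the CSR an Expressway generates; the key stays local
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -config openssl_local.cfg -subj "/CN=$2" -addext "subjectAltName=DNS:$2"
}
sign_csr() {   # step 10, with sha256 in place of the text's deprecated sha1
  openssl ca -batch -notext -config openssl_local.cfg -cert cacert.pem \
    -keyfile private/cakey.pem -passin "pass:$PASS" -in "$1" -out "$2" -md sha256
}
verify_cert() {   # chain check, then: did copy_extensions carry the SAN over?
  openssl verify -CAfile cacert.pem "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -text | grep "DNS:$2" >/dev/null
}
allow_duplicate_subjects() { echo 'unique_subject = no' > index.txt.attr; }  # the Note's fix
```

Call setup_ca with a scratch directory, then make_csr expc expc.example.test, sign_csr expc.csr certs/expc.pem and verify_cert certs/expc.pem expc.example.test; signing the same CSR a second time fails, as in the Note, until allow_duplicate_subjects has run.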

 

Now the zone between ExpC and ExpE should be active; check it under:

Configuration-->zone-->zones

------------------------------------------------------------------------------------------------------------------------------------------------

 

When any user from outside tries to log in, they will get a certificate warning; we solve this by getting a certificate from a public DNS provider such as GoDaddy.

Steps:

    1. Generate a certificate CSR from ExpE
    2. Send the CSR to GoDaddy
    3. We will receive "CA certificate, certificate, private key"
    4. We will upload "CA certificate, certificate, private key" to ExpE
    5. We must also upload the "CA certificate" to ExpC, or the zone between ExpC and ExpE will not be active

I hope this document will help someone.

Regards,

Ahmad Kefaya

Comments
lorinc.jan
Level 1

Hello Ahmad,

Your document has already helped someone, thanks a lot, you saved me a lot of work with the Windows CA. I already tried it with OpenSSL last year, but gave up after a couple of hours...

I noticed only a few typos:

- the file ssleay32.dll does not exist; should it be libssl32.dll?

- also, the new certificates are generated with the correct names in the \certs directory; in \newcerts there are the same certs, but only with the ID as the name, e.g. 10.pem

Other than that, it was really nice to navigate.

Thank you again,

Jan
