Summary:
By default, the CloudCenter Manager (CCM) appliance ships with a self-generated client certificate issued for example.com. The details of this certificate can be viewed during a browsing session, usually directly from the address bar. Since this certificate is self-generated and signed by an issuer that browsers do not trust, it may not be adequate when the CCM is integrated into an enterprise ecosystem. The goal of this document is to explain how to replace the default certificate with one that is signed either by a proper Public Key Infrastructure (PKI) or by a trusted public provider. To make the end-to-end process easier to follow, this document also covers the tasks to create the root certificate of the Certificate Authority (CA) as well as the signed client certificate. Within the appliance, the client SSL certificate is stored in the /usr/local/tomcat/conf/ssl directory, and the file that references it is /usr/local/tomcat/conf/server.xml.
Create the certificates:
Note: The certificates generated by the following tasks are adequate only for testing purposes and/or internal use. These steps can be carried out while logged on to the CCM.
Create the certificate for the root CA
- Generate the private key for the root CA
- openssl genrsa -des3 -out root-ca.key 2048
- Choose your own passphrase when prompted
- Generate the self-signed certificate for the root CA
- openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt
- Enter the passphrase you used for the private key
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:My Organization
Organizational Unit Name (eg, section) []:My OrgUnit
Common Name (eg, your name or your server's hostname) []:sandbox.myorgunit.local
Email Address []:admin@myorgunit.local
Create the certificate for the server
- Generate the private key for the server certificate
- openssl genrsa -des3 -out sandbox.key 2048
- Optional - To remove the passphrase from the key, type these commands:
- cp sandbox.key sandbox.key.org
- openssl rsa -in sandbox.key.org -out sandbox.key
- Generate the CSR (Certificate Signing Request)
- openssl req -new -key sandbox.key -out sandbox.csr
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:San Francisco
Organization Name (eg, company) [Default Company Ltd]:My Organization
Organizational Unit Name (eg, section) []:My OrgUnit
Common Name (eg, your name or your server's hostname) []:sandbox.myorgunit.local
Email Address []:admin@myorgunit.local
- Sign the CSR with the root CA key to produce the server certificate
- openssl x509 -req -in sandbox.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out sandbox.crt -days 3650
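The certificate-creation steps above, as an added example that is not part of the original document: a non-interactive script that builds the root CA and the CA-signed server certificate, then checks that the certificate chains to the CA, matches its key and carries the hostname in a Subject Alternative Name (SAN), which browsers require and which the plain x509 -req command above does not add. It assumes the openssl CLI is installed; the file names follow the document, and the CA's Common Name is a constructed value.

```shell
#!/bin/sh
# Added example (not from the CloudCenter documentation): the CA and server
# certificate steps run non-interactively, with a SAN extension added and a
# chain/key/SAN check at the end. Assumes the openssl CLI is installed; file
# names follow the page, the CA's CN ("Test Root CA") is a constructed value.
set -e

# make_certs DIR HOSTNAME: root CA plus CA-signed server cert for HOSTNAME in DIR.
make_certs() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Root CA key and 10-year self-signed CA certificate. No -des3 here so the
    # script runs unattended; the key is protected by file permissions instead.
    openssl genrsa -out "$dir/root-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/root-ca.key" \
        -subj "/C=US/ST=California/L=San Francisco/O=My Organization/OU=My OrgUnit/CN=Test Root CA" \
        -out "$dir/root-ca.crt"
    # Server key (no passphrase, as in the optional step) and CSR.
    openssl genrsa -out "$dir/sandbox.key" 2048 2>/dev/null
    openssl req -new -key "$dir/sandbox.key" \
        -subj "/C=US/ST=California/L=San Francisco/O=My Organization/OU=My OrgUnit/CN=$host" \
        -out "$dir/sandbox.csr"
    # Extensions for the server cert: not a CA, server-auth usage, and a SAN.
    # Browsers match the hostname against the SAN, which the page's x509 -req
    # command does not add.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/sandbox.ext"
    openssl x509 -req -in "$dir/sandbox.csr" -CA "$dir/root-ca.crt" \
        -CAkey "$dir/root-ca.key" -CAcreateserial -days 3650 \
        -extfile "$dir/sandbox.ext" -out "$dir/sandbox.crt" 2>/dev/null
    chmod 600 "$dir/root-ca.key" "$dir/sandbox.key"
}

# verify_certs DIR HOSTNAME: succeeds only if the server cert chains to the
# root CA, the private key matches the cert, and the SAN contains HOSTNAME.
verify_certs() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/root-ca.crt" "$dir/sandbox.crt" >/dev/null 2>&1 || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/sandbox.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/sandbox.key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -text -in "$dir/sandbox.crt" | grep -q "DNS:$host"
}

# Usage: make_certs /tmp/certificates sandbox.myorgunit.local
#        verify_certs /tmp/certificates sandbox.myorgunit.local && echo OK
```

Run verify_certs again after copying the files to /usr/local/tomcat/conf/ssl to confirm the right pair was installed before restarting Tomcat.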
Place the newly created certificate in the proper directory on the CCM
Stop the Tomcat service
Assuming your working directory is /tmp/certificates on the CCM
- cp root-ca.crt sandbox.crt sandbox.key /usr/local/tomcat/conf/ssl
Change to the directory where the files are now stored and change the ownership of the new files
- cd /usr/local/tomcat/conf/ssl
- chown cliqruser:cliqruser root-ca.crt sandbox.crt sandbox.key
Edit the server.xml file to reflect the change in the location of the newly created certificate
Use vi to edit the file
- vi /usr/local/tomcat/conf/server.xml
Find the section starting with <Connector port="10443" maxHttpHeaderSize="8192" and modify the certificate and key file names
<Connector port="10443" maxHttpHeaderSize="8192"
maxThreads="150"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEnabled="true"
SSLCertificateFile="${catalina.base}/conf/ssl/sandbox.crt"
SSLCertificateKeyFile="${catalina.base}/conf/ssl/sandbox.key"
compressableMimeType="text/html,text/xml,text/plain,application/javascript,application/json,text/javascript,text/css,application/css,image/x-icon,image/jpeg,image/png,image/svg+xml,application/x-shockwave-flash,application/x-java-jnlp-file,application/zip,application/x-font-ttf,application/x-font-opentype,application/x-font-woff,application/vnd.ms-fontobject" />
Start the Tomcat service