SSL - nsc-norway/system GitHub Wiki

LIMS server certificate renewal

The first step is to generate a certificate signing request (CSR) and corresponding key. The CSR must be sent to the www-drift group at UiO, via a Nettskjema given below, and the response time is typically a few days.

After receiving the response, the cert must be installed in Clarity.

The server sandbox-lims.sequencing.uio.no is used as an example below. If operating on a different server, substitute its hostname; the commands should never contain sandbox-lims.sequencing.uio.no. This procedure assumes that you're running all commands locally on the server that needs the certificate, but it is also possible to generate the key and certificate somewhere else.

CSR generation

This is described here: http://www.uio.no/english/services/it/security/certificates/ssl.html

Login as root: sudo -i. Go into /root/ssl.

There may already be a ${HOSTNAME}.cnf, otherwise create it according to the spec on the UiO website. If there are any existing files apart from ${HOSTNAME}.cnf, you can move them to an archive location (archive/).

openssl req -new -config ${HOSTNAME}.cnf -keyout ${HOSTNAME}.key -out ${HOSTNAME}.csr

It is not necessary to encrypt the private key, even though the UiO procedure says to do so: the Clarity install script later needs it in plaintext.

Show the CSR:

openssl req -text -noout -verify -in ${HOSTNAME}.csr

You may want to grep for foo, to make sure no UiO example strings remain:

openssl req -text -noout -verify -in ${HOSTNAME}.csr | grep foo   # No output containing foo!

Cat the CSR and use the order form: https://nettskjema.uio.no/answer/74868.html (also linked from the documentation above).

Enter contact email: [email protected]

The private key is now stored in root's home directory. Make sure that root's home directory is not readable by "others"; the last three permission bits should all be -:

# ls -ld /root
dr-xr-x---. 10 root root 4096 Jan 18 13:27 .

After receiving the signed certificate

The certificate comes in a zip file, which includes two .crt files, and possibly other files. Both crt files are needed.

Transfer the .crt files to the server which needs the certificates. These are not security-sensitive files. Put them somewhere where your user has write access, e.g. /tmp:

scp <path>/*.crt sandbox-lims.sequencing.uio.no:/tmp/

Then move the files into /root/ssl (not technically required).

Verify certificate chain file

  1. View the certificate:
    # openssl x509 -in certificate.crt -text -noout
  2. Validate the certificate chain, where intermediate.crt is the intermediate certificate from the zip file:
    # openssl verify -untrusted intermediate.crt dev-lims_sequencing.uio.no.crt

    dev-lims_sequencing.uio.no.crt: OK
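The checks above, together with the plaintext-key and permission requirements from the CSR section, combined into one pre-installation script. This is an added example, not part of the wiki or of the Clarity installer; it only assumes openssl is on the PATH, and the optional fourth argument (an explicit trusted root) is only needed when the root CA is not in the system trust store.

```shell
#!/bin/sh
# check_cert_set: sanity-check a private key, its signed certificate and the
# intermediate/chain file before handing them to installCertificates.sh.
# Added example (not from the nsc-norway wiki or the Clarity installer).
# Usage: check_cert_set private.key server.crt intermediate.crt [trusted-root.crt]
# Prints each failing check; returns 0 only when every check passes.
check_cert_set() {
    key=$1; cert=$2; chain=$3; root=$4; status=0

    for f in "$key" "$cert" "$chain"; do
        [ -f "$f" ] || { echo "FAIL: missing file $f"; return 1; }
    done

    # The Clarity script needs the key in plaintext (no passphrase prompt).
    if grep -q ENCRYPTED "$key"; then
        echo "FAIL: $key is passphrase-protected"; status=1
    fi

    # The key must belong to the certificate: compare public-key digests.
    # -passin pass: makes openssl fail instead of prompting on an encrypted key.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: public key in $cert does not match $key"; status=1
    fi

    # Same chain validation as the wiki's verify step, optionally with an explicit root.
    if [ -n "$root" ]; then
        verify_rc=$(openssl verify -CAfile "$root" -untrusted "$chain" "$cert" >/dev/null 2>&1; echo $?)
    else
        verify_rc=$(openssl verify -untrusted "$chain" "$cert" >/dev/null 2>&1; echo $?)
    fi
    if [ "$verify_rc" -ne 0 ]; then
        echo "FAIL: $cert does not verify against $chain"; status=1
    fi

    # Leftover placeholder text from the UiO template must not have been signed.
    if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -qi foo; then
        echo "FAIL: placeholder 'foo' found in $cert"; status=1
    fi

    # As with /root in the wiki: the group/other bits on the key must all be '-'.
    if ls -ld "$key" | cut -c5-10 | grep -q '[rwxst]'; then
        echo "FAIL: $key is readable or writable by group or others"; status=1
    fi

    return $status
}

if [ "$#" -ge 3 ]; then check_cert_set "$@"; fi
```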

Installation

Refer to this document on Zendesk for how to install new certs:

https://genologics.zendesk.com/hc/en-us/articles/213990943-Installing-a-Purchased-SSL-TLS-Certificate

[root@doclarity04 ~]# cd /opt/gls/clarity/config/
[root@doclarity04 config]# bash installCertificates.sh
Java KeyTool detected
    This script will prompt you to supply the required SSL Certificates for your ClarityLIMS server.
    These files include:
    - A private key file and signed Certificate file for use by apache.
    - Optionally, depending on the organization that signs your Certificate, you may receive a 'Chain' file.
Enter the full path to the SSL Private Key for your server:/tmp/certs/private.key
Enter the full path to the Apache Certificate for your server - This is the Certificate signed by the SSL Vendor or     Certificate Authority:/tmp/certs/customer_domain.crt
Enter the full path to the SSL Vendor Chain file:/tmp/certs/intermediate.crt
INFO: Testing Apache
Syntax OK
Apache Proxy is ready 

Restart httpd to use the new certificate:

systemctl restart httpd