VisibleThread uses Apache openSSL to provide SSL security of all traffic to the server.
A self signed certificate is installed on the server by default. When using Internet Explorer to access VisibleThread, users will receive a warning because the certificate installed on VisibleThread is a self signed certificate.
It is possible to purchase a certificate and install it on the VisibleThread appliance.
The details for how to obtain and install a certificate differ depending on who is the signing authority for the certificate. Your company may already use a particular signing authority to generate certificates, or may have the ability to generate their own certificates.
In general the following steps would be followed:
1. Generate a Certificate Signing Request
A Certificate Signing Request must be created to make an application for a new certificate. To create a CSR follow these steps:
Log on to the VisibleThread virtual appliance console
- To generate a pair of private key and public Certificate Signing Request (CSR) for a web server, "server", use the following command :
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr
Where 'myserver' is your domain or server name.
This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key.
In particular, be sure to backup the private key, as there is no means to recover it should it be lost. The private key is used as input in the command to generate a Certificate Signing Request (CSR).
You will now be asked to enter details to be entered into your CSR:
Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California
- Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis
- Company: If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corportation.
- Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on your keyboard.
- Common Name: The Common Name is the Host + Domain Name. It looks like “www.company.com” or “company.com”. For wildcard certificate the syntax should look like *.company.com. Certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain “domain.com” will receive a warning if accessing a site named “secure.domain.com”, because “secure.domain.com” is different from “domain.com”.
Do not enter a challenge password when generating a CSR.
- Use the name of the web server as Common Name (CN). If the domain name (Common Name) is mydomain.com append the domain to the hostname (use the fully qualified domain name).
- Your CSR will now have been created.
- A public/private key pair has now been created. The private key (myserver.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (myserver.csr), will be for certificate enrollment
- We recommend that you backup your private key file to a safe location.
2. Apply for a certificate for your sever
Apply to your ceritificate issuing authority for a certificate for your server. You will need the CSR generated in the steps above during this process. The exact steps required to obtain a certificate differ for each authority. You can use secure ftp (SFTP) to copy the CSR from the VisibleThread appliance (see http://support.visiblethread.com/entries/23470636-Accessing-the-VisibleThread-Virtual-Appliance-using-Secure-FTP for details)..
3. Install the certificate on the VisibleThread appliance
The exact steps required to install the certificate will vary depending on the certificate issuing authority, however a loose guideline is listed below.
Save the certificate and any other files provided with the certificate (e.g. key chain files) in the "/home/visiblethread/cert" directory on the VisibleThread virtual appliance. You can use secure FTP (SFTP) to upload any files to the VisibleThread Virtual Appliance (see http://support.visiblethread.com/entries/23470636-Accessing-the-VisibleThread-Virtual-Appliance-using-Secure-FTP for details).
- If you have been issued with a pkcs7certificate file (file extension is .p7b) then you need to run this command to convert the .p7b file to an x509 format certificate (required by Apache)
openssl pkcs7 -print_certs -in certificate.p7b -out server.crt
- Modify the "/etc/apache2/sites-enabled/000-default" file to refer to the public key file, certificate file and other files provided with the certificate.
sudo pico /etc/apache2/sites-enabled/000-default.confYou will need to enter the password for the visiblethread user
- The relevant section to change is listed below.
SSLCertificateFile /home/visiblethread/cert/server.crt SSLCertificateKeyFile /home/visiblethread/cert/server.key
- Save the changes to the file by typing 'Ctrl-o' and exit the editor by typing 'Ctrl-x'
Restart Apache by typing: "sudo service apache2 restart"