Managing SSL Certificates

Generating an SSL certificate signed by a Certificate Authority (CA) requires the following actions:

  1. Generate a SAN SSL Certificate Request

  2. Send a public CSR key to CA and obtain a signed CA certificate

  3. Import the Signed SSL Certificate to SecureTrack or SecureChange

Generate a SAN SSL Certificate Request

The Subject Alternative Name (SAN) is an extension of the X.509 specification. The specification allows to specify additional values for a SSL certificate, such as DNS servers, IP address, or email addresses. For a full list of supported values, see RFC 5280.

A SSL certificate with SAN values (SAN certificate) is recommended instead of a regular SSL certificate.

Generate a SAN Certificate

  1. Create a SAN SSL certificate using a Java Keytool script based on the following example:

    /usr/java/tufin_java_home/bin/keytool \
    -keystore server.jks  -storepass protected  -deststoretype pkcs12 \
    -genkeypair -keyalg RSA -validity 395 -keysize 2048  -sigalg SHA256withRSA \
    -dname "CN=myserver.mydomain.com,O=myorganization,OU=myou,L=mylocation,ST=California,C=US" \
    -ext "SAN=IP:10.100.0.1,IP:192.168.0.1,DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com,EMAIL:[email protected],EMAIL:[email protected]"

    This script requires the following values:

    Subject field:

    • CN - Common Name
    • O - Organization
    • OU - Organizational Unit
    • L - City or Locality
    • ST - State or Province
    • C - Two-letter country code

    In the SubjectAltName field, add the following values (where applicable):

    • IP - List of IP addresses of your server
    • DNS - List of DNS server names
    • EMAIL - List of email addresses

  2. Create a Certificate Signing Request (CSR) with the following script. The CSR will be stored in the file myserver.csr.

    /usr/java/tufin_java_home/bin/keytool \
    -certreq -keystore server.jks -storepass protected \
    -ext "SAN=IP:10.100.0.1,IP:192.168.0.1,DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com,EMAIL:[email protected],EMAIL:[email protected]" \
    -file myserver.csr

    The ext parameter must have the same value as entered in step 1 above.

  3. Export the certificate private key (in the example below, the key is saved to the file myprivate.key):

    openssl pkcs12 -in server.jks -nodes -nocerts -out myprivate.key

    When prompted, enter the keystore password that you created in step 1 above. In the example above, the password is "protected".

Send a Public CSR Key to CA and Obtain a Signed Certificate

Once you have generated the Certificate Signing Request (CSR), submit the CSR to the Certificate Authority (CA) to obtain a signed certificate according to your company policy. For details, see the requirements and documentation of the relevant Certificate Authority.

The certificate must be PEM encoded, other certificate formats not supported.

You can use your organization's own SSL certificate, signed by your public Certificate Authority (CA), so that SecureTrack or SecureChange presents this certificate to users upon logging in.

Make sure that your SSL certificate does not require a passphrase. For further information, see Removing Passphrase from SSL Certificate

To use a custom SSL certificate:

  1. Copy your certificate (.cert) and private key file (.key) to the SecureTrack host. This procedure will refer to the files as follows:

    certificate (.cert) file: <myfolder>/<mycertificate>.cert
    private key (.key) file: <myfolder>/<myprivate>.key 

  2. Remove any existing soft links to certificate and key files.

    # rm -f /etc/pki/tls/certs/localhost.crt
    # rm -f /etc/pki/tls/private/localhost.key
    rm -f /etc/pki/tls/certs/localhost.crt rm -f /etc/pki/tls/private/localhost.key

  3. Backup any existing certificate and key files.

    # mv /usr/local/st/conf/https.crt /usr/local/st/conf/https-st_orig.crt
    # mv /usr/local/st/conf/https.key /usr/local/st/conf/https-st_orig.key
    mv /usr/local/st/conf/https.crt /usr/local/st/conf/https-st_orig.crt mv /usr/local/st/conf/https.key /usr/local/st/conf/https-st_orig.key

  4. Copy your certificates to the default folder used by TOS. If your system is configured for HA, the certificates will automatically be replicated to the standby server.

    # cp <myfolder>/<mycertificate>.cert /usr/local/st/conf/https.crt
    # cp <myfolder>/<myprivate>.key /usr/local/st/conf/https.key
    cp <myfolder>/<mycertificate>.cert /usr/local/st/conf/https.crt cp <myfolder>/<myprivate>.key /usr/local/st/conf/https.key

  5. Create the soft links to the certificate and key files required by TOS.

    # ln -s /usr/local/st/conf/https.crt /etc/pki/tls/certs/localhost.crt
    # ln -s /usr/local/st/conf/https.key /etc/pki/tls/private/localhost.key
    ln -s /usr/local/st/conf/https.crt /etc/pki/tls/certs/localhost.crt ln -s /usr/local/st/conf/https.key /etc/pki/tls/private/localhost.key

  6. Change ownership and permission of your certificates and the parent directories.

    # chown st:st /usr/local/st/conf/https.{crt,key}
    # chmod 0640 /usr/local/st/conf/https.{crt,key}
    # chown st:st /usr/local/st/conf/
    # chmod 0775 /usr/local/st/conf/
    # chown st:st /usr/local/st/
    # chmod 0775 /usr/local/st/
    chown st:st /usr/local/st/conf/https.{crt,key} chmod 0640 /usr/local/st/conf/https.{crt,key} chown st:st /usr/local/st/conf/ chmod 0775 /usr/local/st/conf/ chown st:st /usr/local/st/ chmod 0775 /usr/local/st/

  7. Verify ownership and permission of your certificates and their parent directories.

    # ls -l /usr/local/st/conf/https.{crt,key}
    -rw-r----- 1 st st 1789 Jan 31 14:19 /usr/local/st/conf/https.crt
    -rw-r----- 1 st st 1704 Jan 31 14:19 /usr/local/st/conf/https.key
    # ls -ld /usr/local/st/conf/
    drwxrwxr-x 2 st st 4096 Jan 31 14:30 /usr/local/st/conf/
    # ls -ld /usr/local/st/
    drwxrwxr-x 30 st st 32768 Jan 31 14:16 /usr/local/st/
    ls -l /usr/local/st/conf/https.{crt,key} ls -ld /usr/local/st/conf/ ls -ld /usr/local/st/

  8. Make sure your DNS is configured so that SecureTrack can reach external servers.

  9. (Optional) To configure the CA-signed SSL certificates in the file /etc/httpd/conf.d/ssl.conf, use the SSLCertificateFile directive (do not use SSLCACertificateFile or SSLCertificateChainFile).

    Create a certificate bundle (https.crt) from a signed server certificate (certificate.cer) and an intermediate CA certificate (intermediate.cer) using the following command:

    cat certificate.cer <(echo) intermediate.cer <(echo) > https.crt

    Copy https.crt to the path specified above and make sure that it has appropriate ownership and permission.

  10. Restart HTTPD:

    # systemctl restart httpd
    systemctl restart httpd