Installing an Apache Server Certificate

After installation, you might want to create a new Apache certificate.

By default, Accelerator generates a temporary self-signed certificate during installation. This certificate is used whenever a browser makes an HTTPS connection to the Apache server. During Accelerator installation, Apache is configured to look for a private key file named $HOSTNAME.key and a certificate named $HOSTNAME.crt. These files are in $DATADIR/apache/conf/ssl.key and $DATADIR/apache/conf/ssl.crt respectively. $DATADIR is the directory where Accelerator data files were installed. On Windows, these files are in C:\ECloud\i686_win32.

Because the certificate is self-signed, browsers complain that it is an untrusted certificate. Most organizations will want to generate a new certificate signed by a recognized certificate authority (CA) to avoid the browser warnings. The following list summarizes the process:

  1. Generate a new certificate and private key

  2. Send the request to the CA

  3. Install the signed certificate

Generating a New Certificate and Private Key

  1. Locate openssl binary and openssl.cnf in $DATADIR/apache/bin/ssl.

  2. Copy openssl.cnf into a temporary directory.

  3. Generate a new private key and certificate.

  4. Enter the appropriate information for your organization when prompted.

The most important field is the Common Name, which is the fully qualified name of the host running the Apache server where you want the certificate. This name must match the host portion of the URL used to connect to the Cluster Manager.

$ openssl req -config openssl.cnf -new -out $HOSTNAME.csrLoading 'screen' into random state - doneGenerating a 1024 bit RSA private key.......++++++.......................................................++++++writing new private key to 'privkey.pem'Enter PEM pass phrase:Verifying - Enter PEM pass phrase:-----You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields, but you can leave some blank.For some fields, there will be a default value, if you enter '.', the field will remain blank.-----Country Name (2 letter code) []:USState or Province Name (full name) []:CaliforniaLocality Name (eg, city) []:SunnyvaleOrganization Name (eg, company) []:CloudBeesOrganizational Unit Name (eg, section) []:Common Name (eg, your websites domain name) []:myserver.mycompany.com
Email Address []:user@mycompany.com
This is the email address the user would contact if there are issues concerning the certificate.
Please enter the following 'extra' attributes to be sent with your certificate request.A challenge password []:

This information generates a new private key in privkey.pem and a signing request in $HOSTNAME.csr.

If you want to use the private key without having to enter a challenge password each time the server starts, issue the following command to strip out the password:

$ openssl rsa -in privkey.pem -out $HOSTNAME.keyEnter pass phrase for privkey.pem:writing RSA key

This creates a PEM encoded private key file named $HOSTNAME.key without the password.

Sending the Request to the CA

The $HOSTNAME.csr file generated in the previous section is a request for a certificate authority to sign the certificate. When you send this file to the CA, the CA verifies the information inside and sends you a signed certificate in response. The signed certificate includes the original certificate and the signature of the CA. Name the signed certificate ' $HOSTNAME.crt '.

Installing the Key and Signed Certificate

  1. Copy the two files, $HOSTNAME.key and $HOSTNAME.crt, into $DATADIR/apache/conf/ssl.key and $DATADIR/apache/conf/ssl.crt.

  2. Restart the Apache server.

Ensure the $HOSTNAME.key file is readable only by the user running the Apache server process.

  1. Delete the contents of the temporary directory you created because this directory contains the cryptographic information used to generate the key.