Networking/Certificates


Commercial Certificates

Need to clean up but see:

https://wiki.popdata.bc.ca/popdata/Services/Web


Popdata has a wildcard certificate for *.popdata.bc.ca. This means the one certificate covers any name under popdata.bc.ca. Multiple certificates can be generated for various servers and services without any additional charge. These can be administered at:

https://www.digicert.com/custsupport/

  • log in
  • under View/Collect Orders choose Order 00129904 (only choice) and go
  • you can then reissue certificates or Get a Duplicate which allows you to enter a new signing request and get a new certificate.

Information to be entered when generating the signing request:

  • Organisation: University of British Columbia
  • Organisational Unit: Population Data B.C.
  • Country: Canada
  • Province: British Columbia
  • City: Vancouver
  • Common Name or Server Name: this is the name of the new server, but will be overwritten by *.popdata.bc.ca

Creating new Popdata certificates

Helpful commands

  • see inside a request:
openssl req -in ldap-req.pem -noout -text
  • see inside a certificate:
openssl x509 -text -in cert.pem

To create a certificate for info.phlo.ubc.ca:

  • log in to cabot and create the request
cd /usr/local/CA
openssl req -new -nodes -out info-req.pem -config ./openssl.cnf
mv privkey.pem info-key.pem
openssl ca -out info-cert-tmp.pem -config ./openssl.cnf -infiles info-req.pem
(enter passphrase)
openssl x509 -in info-cert-tmp.pem -out info-cert.pem
rm info-cert-tmp.pem
  • You now have info-cert.pem and info-key.pem which can be put in /etc/apache2/ssl
  • In the apache config file in /etc/apache2/sites-available add the lines:
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/info-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/info-key.pem

To create a certificate request for a commercial cert for apache:

  • log in to cabot
cd /usr/local/CA
openssl req -new -nodes -keyout secure.key -out secure.csr


Adding a commercial certificate for zimbra

  • log in to verrazzano as user zimbra
  • create a keystore (password zimbra for keystore, no key password)
keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/zimbra/ssl/ssl/commercial.keystore
  • create certificate request
keytool -certreq -keyalg RSA -alias tomcat -file /opt/zimbra/ssl/ssl/commercial.csr -keystore /opt/zimbra/ssl/ssl/commercial.keystore
  • go to certificate provider website and use /opt/zimbra/ssl/ssl/commercial.csr to get a certificate (www.positivessl.com)
  • back up everything
cd /opt/zimbra/conf
cp -a * ~jim/conf-20071024
cp /opt/zimbra/tomcat/conf/keystore ~jim/conf-20071024
  • add the newly acquired certificate to the keystore
keytool -import -alias tomcat -keystore /opt/zimbra/ssl/ssl/commercial.keystore -trustcacerts -file mail_phlo.crt -storepass zimbra
  • copy it into tomcat and set password in config
cp /opt/zimbra/ssl/ssl/commercial.keystore /opt/zimbra/tomcat/conf/keystore
zmlocalconfig  --edit tomcat_keystore_password=zimbra
tomcat restart
  • export the private key so it can be reused for other services
wget http://mark.foster.cc/pub/java/ExportPriv.java
/home/opt/zimbra/jdk1.6.0_02/bin/javac ExportPriv.java
/home/opt/zimbra/jdk1.6.0_02/bin/java ExportPriv /opt/zimbra/ssl/ssl/commercial.keystore tomcat zimbra > mail_phlo.key
openssl rsa -in mail_phlo.key -out mail_phlo.key.dec
  • put the chain certs together with the new cert
cat mail_phlo_ubc_ca.crt PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt >> mail_phlo.crt
  • copy everything to the right location and set perms (as root)
cp mail_phlo.crt /opt/zimbra/conf
cp mail_phlo.key.dec /opt/zimbra/conf/mail_phlo.key
cd /opt/zimbra/conf
rm  smtpd.crt smtpd.key slapd.crt slapd.key perdition.pem perdition.key
chmod 444 mail_phlo.crt
chmod 400 mail_phlo.key
chown zimbra:zimbra mail_phlo.crt
chown zimbra:zimbra mail_phlo.key
ln -s mail_phlo.crt smtpd.crt
ln -s mail_phlo.key smtpd.key
ln -s mail_phlo.crt slapd.crt
ln -s mail_phlo.key slapd.key
ln -s mail_phlo.crt perdition.pem 
ln -s mail_phlo.key perdition.key
  • restart everything (as zimbra)
zmcontrol stop
zmcontrol start
zmcontrol status
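
Because smtpd, slapd and perdition all end up pointing at the same mail_phlo.crt / mail_phlo.key pair (and Apache at info-cert.pem / info-key.pem), a mismatched, still-encrypted, soon-to-expire or world-readable file affects every service at once. The check below is an added example, not part of the original page; check_pair and make_sample are hypothetical names, and the sample pair is generated for a made-up host.

```shell
#!/bin/sh
# Added example, not part of the wiki: sanity-check a PEM certificate/key
# pair before installing it. All paths are supplied by the caller.

# check_pair CERT KEY [DAYS]  (hypothetical helper)
# Returns 0 ok, 1 cert unreadable, 2 key unreadable or still encrypted,
# 3 key does not match cert, 4 cert expires within DAYS (default 30),
# 5 key file readable by group or others.
check_pair() {
    cp_cert=$1; cp_key=$2; cp_days=${3:-30}

    # Public key recorded in the first certificate of the file.
    cp_cpub=$(openssl x509 -in "$cp_cert" -noout -pubkey 2>/dev/null) || return 1

    # Public key derived from the private key. The dummy passphrase makes
    # openssl fail instead of prompting when the key is still encrypted.
    cp_kpub=$(openssl pkey -in "$cp_key" -passin pass:dummy -pubout \
        2>/dev/null </dev/null) || return 2

    # A certificate only works with the key its request was generated from.
    [ "$cp_cpub" = "$cp_kpub" ] || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cp_cert" -noout -checkend $((cp_days * 86400)) \
        >/dev/null 2>&1 || return 4

    # Mode string such as -r--------: all six group/other bits must be unset.
    case $(ls -ldL "$cp_key") in
        ????------*) return 0 ;;
        *) return 5 ;;
    esac
}

# make_sample DIR NAME DAYS  (hypothetical helper)
# Constructed sample data: a throwaway self-signed pair for a made-up name.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2.example.invalid" \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null &&
        chmod 400 "$1/$2-key.pem"
}

# Demo on constructed data when run as: sh check_pair.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d) && make_sample "$demo_dir" demo 90 &&
        check_pair "$demo_dir/demo-cert.pem" "$demo_dir/demo-key.pem"
    echo "check_pair returned $?"
    rm -rf "$demo_dir"
fi
```

A non-zero return from check_pair is a reason to stop before the symlink and restart steps.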

Prepare certs for Cisco firewall

  • combine the certificates
openssl pkcs12 -export -in popdata2015-cert.pem -inkey popdata2015-key.pem -certfile popdata2015-chain.pem -out popdata-cisco2.p12
  • Enter a password, remember it.
  • Then on the java gui firewall config go to: Remote Access VPN->Certificate Management->Identity Certificates->Add
  • give the password and file created above. (no exclamation points in password)
  • go to: Anyconnect Connection Profiles -> Device Certificate
  • change to Trustpoint created above