This AppNote describes how to secure web services on an OES server with a "real" certificate, that is, one issued by a public certificate authority. In this case we use Thawte as the provider.
To accomplish this, you need to create a .csr request from a Linux machine with openssl installed. You will use the openssl command to do this. Then when you get the Certificate from Thawte, you will need to import it into eDirectory. The steps to do that are in this document.
Requirements:
- Linux PC with openssl installed
- Internet Explorer
Creating a .CSR Request on a Linux Machine
To create a csr request on a Linux machine, you will first need to install openssl on it.
1. Start a terminal session in Linux.
2. Create a directory that you will secure / backup. In this case I created a directory in the root’s home, called “cert”.
3. Use the openssl command as follows:
openssl genrsa -des3 -out test-cert.key 1024
This command creates a private key file protected by a passphrase (the -des3 option encrypts the file). Document this passphrase and keep it safe.
You can change the 1024 key size. I believe eDirectory supports 2048, but this value depends on what system this certificate runs on. If the system you're protecting doesn't support 2048, you will have to revoke the certificate and do the whole process again.
Then you have a key file in the cert directory:
linux:~/cert # ls
test-cert.key
linux:~/cert #
4. Create a .csr request using the following command:
openssl req -new -key test-cert.key -out test-cert.csr
You will need to answer some questions about yourself and the company you’re creating this certificate for.
5. Enter the passphrase for test-cert.key.
6. Enter information that will be incorporated into your certificate request.
What you need to enter is the Distinguished Name (DN). There are quite a few fields here, but you can leave some of them blank. For some fields, there will be a default value. If you enter “.”, the field will be left blank.
Country Name (2 letter code) [AU]:SE
State or Province Name (full name) [Some-State]:Jonkoping
Locality Name (eg, city) :Jonkoping
Organization Name (eg, company) [Internet Widgits Pty Ltd]:NOVELL
Organizational Unit Name (eg, section) :IT-Support
Common Name (eg, YOUR name) :www.novell.se
Email Address :email@example.com
7. Enter the following ‘extra’ attributes to be sent with your certificate request:
- A challenge password :password
- An optional company name :
Important: Note the Common Name (eg, YOUR name) value, www.novell.se in this example. This value is the domain name the certificate will be issued for.
After this, you will have two files in the cert directory – the private key and the .csr request that you need to send to Thawte.
linux:~/cert # ls
test-cert.csr  test-cert.key
linux:~/cert #
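Steps 3 through 7 above, done without interactive prompts, as an added example that is not part of the original AppNote. It assumes an OpenSSL that accepts -passout, -passin and -subj; CERT_DIR and KEY_PASS are constructed placeholders, the DN values are the ones typed into the prompts above, the key is encrypted with -aes256 instead of the note's -des3, and the key size is 2048 bits because public CAs no longer issue certificates for 1024-bit keys. It ends with the checks worth running before the request goes to the CA: the request's self-signature verifies, the Common Name is the intended host name, and the key length is the one you meant to use.

```shell
#!/bin/sh
# Added example, not part of the original AppNote: the key and CSR steps done without
# interactive prompts, followed by checks on the request before it goes to the CA.
# CERT_DIR, KEY_PASS and the DN values are constructed placeholders; 2048-bit RSA is
# used because public CAs no longer issue certificates for 1024-bit keys.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"          # the AppNote uses ~/cert
KEY_PASS="${KEY_PASS:-ChangeMe-placeholder}"  # constructed placeholder passphrase

# The same Distinguished Name fields the interactive prompt asks for, as one -subj string.
csr_subject() {
    printf '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' \
        SE Jonkoping Jonkoping NOVELL IT-Support www.novell.se email@example.com
}

# Step 3: passphrase-protected private key (-aes256 here instead of the note's -des3).
make_key() {
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$CERT_DIR/test-cert.key" 2048 2>/dev/null
    chmod 600 "$CERT_DIR/test-cert.key"   # the key file should be readable by root only
}

# Steps 4 to 7: the CSR, with the DN passed on the command line instead of typed in.
make_csr() {
    openssl req -new -key "$CERT_DIR/test-cert.key" -passin "pass:$KEY_PASS" \
        -subj "$(csr_subject)" -out "$CERT_DIR/test-cert.csr"
}

# Before sending the request: the self-signature verifies, the Common Name is the host
# name the certificate is for, and the key length is what you intended.
check_csr() {
    csr="$CERT_DIR/test-cert.csr"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject | grep -q 'CN *= *www\.novell\.se' || return 1
    openssl req -in "$csr" -noout -text | grep -q 'Public-Key: (2048 bit)' || return 1
}

make_key
make_csr
check_csr && echo "CSR ready to send: $CERT_DIR/test-cert.csr"
```

Run it as root in the directory you intend to back up, or set CERT_DIR first; the private key never leaves that directory, and only the .csr file is sent to the CA.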
8. In this case we use Thawte as the certificate provider, so you will need to go to the Thawte web site and buy an SSL web server certificate.
There are a lot of different certificates there; if you have any questions, please contact Thawte. The process is the same, but the certificates and prices are different.
9. When you’re finished sending the .csr request to Thawte, you will receive an e-mail with a link to the certificate.
10. Save this to a file named “test-cert.crt”.
Now you will have 3 files in the directory:
linux:~/cert # ls
test-cert.crt  test-cert.csr  test-cert.key
linux:~/cert #
Now it's time to convert this into PKCS #12 format:
11. To convert your separate key and certificate files into a single .p12 file, use the following OpenSSL command:
sudo openssl pkcs12 -export -out test-cert.p12 -inkey test-cert.key -in test-cert.crt
You will have a file called test-cert.p12 in the directory. Now it’s time to import this certificate into eDirectory.
Importing the Certificate into eDirectory
To import the PKCS #12 certificate from Thawte into eDirectory with ConsoleOne:
1. Go to the server container, add a new object, and select NDSPKI:Key Material.
2. Choose Import for the creation method.
3. Choose the .p12 file you created with the openssl commands.
4. Enter the password you entered with the openssl command.
Solving the -1 226 Error
When you click Finish, you will get a PFX File error (-1 226). This error is generated because Novell Certificate Server requires that the entire certificate chain be present in the file. Even if you install a trusted root container and put the Thawte CA in there, this error still occurs.
To resolve this, you need to combine the root CA certificate from Thawte and your certificate so Novell Certificate Server can support it.
1. Make sure you have your certificate in .crt format and the CA certificate from Thawte. To download the Thawte root certificate go here: http://www.thawte.com/roots/
2. Know which CA issued YOUR certificate. To find this out, open your .crt file with Internet Explorer, and you'll get something like this:
3. Install the Root CA in IE from Thawte. In this case you need the root CA from the Thawte Premium Server CA.
4. Install YOUR certificate in IE.
5. Export your certificate in IE.
1. Open your .crt file from Thawte so you can see which root CA issued your certificate.
2. Download the root CA certificate from Thawte.
3. Install the root CA in IE: put the CA certificate in the Trusted Root container (double-click the certificate and choose to install it).
4. Install YOUR certificate (the .crt file) in IE.
5. Then export YOUR certificate from IE.
Here are the steps in graphic format:
1. To see what Issuer your certificate has, double-click the .crt file.
2. Double-click the root CA object and install it into IE.
3. Do the same with your certificate (the .p12 file you converted). Choose the automatic method and allow the private key to be exported.
4. Export your certificate from IE.
a) Go to Tools > Internet Options in IE.
b) Choose Content.
c) Click Certificates; your certificate is listed there.
d) Select the certificate, click Export, and choose to export the private key.
5. Important: Choose the option to include all certificates in the chain.
6. Click Next to be prompted for the private key password.
7. Fill in that information and choose where to export the file. This file will have the extension “.pfx”.
This certificate will now be imported into eDirectory, even though you got the error message -1 226 before. This time it will work, because you have the whole certificate path.
Now you need to do the import again, this time with ConsoleOne.
1. In the server container, add a new object and select NDSPKI:Key Material.
2. Choose to import.
3. Choose the .pfx file you exported with IE.
4. Enter the password you used with the openssl command.
5. Click Finish to add the test certificate into eDirectory.
6. Double-click the certificate in ConsoleOne to see the information (not required, but helpful).
Here is the Public Key:
Now that the certificate has been imported into eDirectory, you can use it with products like Apache Webserver.
Importing a Thawte Certificate in OES Linux
The import process under Linux is different; you don’t use eDirectory to store the certificate. Even so, it is still possible to have your certificate in one place.
In this example we’ll use the certificate in Apache Webserver on OES Linux. You can follow the guide above, except for the part about importing into eDirectory.
You will need to find the .pfx certificate you exported with Internet Explorer and copy it to your Linux machine.
1. Extract the private key with this command:
openssl pkcs12 -in test-cert.pfx -nocerts -out test-cert-private.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
2. Extract the certificate (the public part) from the .pfx file. Note that this step needs -clcerts -nokeys; the -nocerts option used in step 1 writes the key, not the certificate:
openssl pkcs12 -in test-cert.pfx -clcerts -nokeys -out test-cert-public.pem
3. Remove the passphrase from the private key file written in step 1:
openssl rsa -in test-cert-private.pem -out test-cert-key.pem
4. Copy these two files to /etc/ssl/servercerts. Since the key file is no longer encrypted, make sure it is readable by root only.
Then you need to configure Apache Webserver to use this certificate.
5. Edit /etc/apache2/vhosts.d/vhost-ssl.conf and put in the certificate that you just created:
SSLCertificateFile /etc/ssl/servercerts/test-cert-public.pem
SSLCertificateKeyFile /etc/ssl/servercerts/test-cert-key.pem
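The two openssl-only parts of this note, as one added example that is not part of the original AppNote: building the PKCS #12 bundle with the CA certificate included (the missing chain is what produces the -1 226 error, and the IE export with "include all certificates in the chain" is the manual way of getting it in), and the OES Linux steps that take the certificate and a passphrase-free key back out for Apache. A throw-away local CA is constructed in the script as a stand-in for Thawte so it runs offline; with a real CA, ca.crt is the root you downloaded and test-cert.crt the certificate the CA sent you. WORK and P12_PASS are constructed placeholders. Three checks are included that the note does without tools: the certificate really chains to the root you downloaded, the bundle contains both certificates, and the extracted key belongs to the extracted certificate.

```shell
#!/bin/sh
# Added example, not part of the original AppNote. It covers two of the note's steps with
# openssl alone: building the PKCS#12 bundle with the CA chain included (the missing
# chain causes the -1 226 error) and extracting the certificate plus passphrase-free key
# for Apache. A throw-away local CA is constructed here as a stand-in for Thawte so the
# script runs offline; with a real CA, ca.crt is the downloaded root and test-cert.crt
# the certificate the CA issued to you.
set -eu
WORK="${WORK:-$(mktemp -d)}"                  # the AppNote uses ~/cert
P12_PASS="${P12_PASS:-ChangeMe-placeholder}"  # constructed placeholder passphrase

# Constructed stand-in CA: a self-signed root and the server certificate it issues.
make_demo_chain() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Demo Root CA (stand-in)" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.novell.se" \
        -keyout "$WORK/test-cert.key" -out "$WORK/test-cert.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/test-cert.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/test-cert.crt" 2>/dev/null
}

# Check 1: the issued certificate chains to the root you downloaded. A failure here means
# you fetched the wrong root (the AppNote finds the issuer by opening the .crt in IE).
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/test-cert.crt" >/dev/null 2>&1
}

# Build the .p12 with the CA certificate included (-certfile). This is what the IE export
# with "include all certificates in the chain" produces and what Certificate Server expects.
build_p12() {
    openssl pkcs12 -export -in "$WORK/test-cert.crt" -inkey "$WORK/test-cert.key" \
        -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/test-cert.p12"
}

# Check 2: number of certificates in the bundle; 2 means server certificate plus root.
p12_cert_count() {
    openssl pkcs12 -in "$WORK/test-cert.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# OES Linux steps 1 to 3 without prompts: the certificate comes out with -clcerts -nokeys,
# the key with -nocerts, and openssl rsa then strips the passphrase so Apache can start
# unattended.
extract_for_apache() {
    openssl pkcs12 -in "$WORK/test-cert.p12" -passin "pass:$P12_PASS" -clcerts -nokeys \
        -out "$WORK/test-cert-public.pem" 2>/dev/null
    openssl pkcs12 -in "$WORK/test-cert.p12" -passin "pass:$P12_PASS" -nocerts \
        -passout "pass:$P12_PASS" -out "$WORK/test-cert-private.pem" 2>/dev/null
    openssl rsa -in "$WORK/test-cert-private.pem" -passin "pass:$P12_PASS" \
        -out "$WORK/test-cert-key.pem" 2>/dev/null
    chmod 600 "$WORK/test-cert-key.pem"   # unencrypted key: readable by root only
}

# Check 3: key and certificate share the same RSA modulus, so they belong together.
# A mismatch here is what Apache reports as a key/certificate mismatch on startup.
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/test-cert-key.pem" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORK/test-cert-public.pem" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

make_demo_chain
verify_chain
build_p12
extract_for_apache
key_matches_cert
echo "bundle holds $(p12_cert_count) certificates; copy test-cert-public.pem and test-cert-key.pem to /etc/ssl/servercerts"
```

With a real certificate, drop make_demo_chain, point ca.crt at the downloaded Thawte root and test-cert.crt/test-cert.key at your own files, and keep the three checks: they catch the wrong root, a bundle without the chain, and a key that does not match the certificate before any of it reaches eDirectory or Apache.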