To secure your Faspex server, enable TLS/SSL, which requires installing a signed certificate. Obtain the signed certificate for your server from a trusted Certificate Authority (CA) by sending it a certificate signing request (CSR). The resulting signed certificate verifies your server's identity to visitors who connect to your server and transfer information with it.
Follow the instructions below for requesting and installing a certificate for Faspex on Linux.
1. Generate a private key and a Certificate Signing Request (CSR)
We recommend that you perform this work on your Faspex server in the Aspera Apache conf directory, /opt/aspera/common/apache/conf.
To generate the CSR, follow the steps for Linux from this article (How to generate a Certificate Signing Request).
You will generally cut-and-paste the CSR into your certificate provider's web site during the certificate request process. The CSR looks like this:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Back up the private key: the certificate you receive will be unusable without the corresponding private key.
2. Request a Certificate From a Certificate Provider
Choose a certificate provider. You'll want to get a certificate for securing a web site (not for code signing or any other purpose). After you purchase the certificate, you'll generally be directed via the web or via email to a portal where you can complete the certificate transaction.
In the portal, at some point in the process, you'll need to cut-and-paste the CSR you created in the first step.
When you submit your request, the administrative contact associated with the domain name in the Common Name will be contacted via email to approve the request. Whoever this person is will have to reply to the email before the certificate provider will issue your certificate. If it appears that the request is not being approved in a timely fashion, contact the certificate provider and they can tell you the email address that they emailed the approval request to. You can then check with that person to get your request approved.
After the request is approved by your administrative contact, you'll get notice that your certificate is approved and available for you to install.
Download the certificate and any other associated certificates or data from your certificate provider. If they give you a choice of format or web server that you want the certificate for, select Apache. Download the items directly to the location where the private key and CSR are located. Earlier we recommended the /opt/aspera/common/apache/conf directory on the Faspex server machine.
3. Configure the New Certificate in the Faspex Apache
Most certificates are provided as a specific server certificate, along with a bundle of one or more "intermediate" certificates. We'll assume in this case that we got the certificate from GoDaddy and that GoDaddy provided us a server certificate called faspex.mycompany.com.crt and a bundle of intermediate certificates called gd_bundle.crt. Other certificate providers will typically provide these two items using their own naming convention.
At this point you should have four items:
1. Original private key (produced at the same time as the CSR using openssl req)
2. Original CSR (produced at the same time as the private key using openssl req)
3. Your newly issued server certificate (faspex.mycompany.com.crt in our example)
4. An intermediate certificates bundle (gd_bundle.crt in our example)
We will now update the Apache SSL configuration to point to the private key (#1), the certificate (#3) and the intermediate certificates (#4).
For Faspex 2.6 and earlier, you can do this with the following steps:
- Back up the Apache SSL configuration file:
cp /opt/aspera/common/apache/conf/extra/httpd-ssl.conf /opt/aspera/common/apache/conf/extra/httpd-ssl.conf.orig
- Edit the configuration:
- Change the SSLCertificateKeyFile directive to point to the private key file. Make sure the directive is not commented out.
- Change the SSLCertificateFile directive to point to the new server certificate. Make sure the directive is not commented out.
- Change the SSLCertificateChainFile directive to point to the intermediate certificates bundle. Make sure the directive is not commented out (this directive in particular has a high likelihood of being commented out).
- Save the changed SSL configuration file.
- Restart Apache:
For Faspex 3.0 and above, the process is simplified due to a new asctl option:
- Use the asctl apache:install_ssl_cert command to install the files:
asctl apache:install_ssl_cert path-to-cert-file path-to-key-file [optional-path-to-intermediate-bundle-file]
This will copy the specified files to /opt/aspera/common/apache/conf, give them standard Aspera names, fix their file permissions, and update the httpd-ssl.conf file as needed.
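A pre-flight check to run before restarting Apache in either procedure, added here as an example and not part of Aspera's tooling: it confirms that the three directives are present and uncommented, that the files they name are readable, that the private key is not group- or world-readable, and that the key pairs with the certificate. The function names are hypothetical, and it assumes GNU find and the openssl command-line tool.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the SSL directives before restarting Apache.
# The default config path is the one named in this article.

# Print the path set by an uncommented directive; print nothing if absent or commented.
directive_path() {   # usage: directive_path DIRECTIVE CONF_FILE
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() { # usage: key_matches_cert KEY_FILE CERT_FILE
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print one line per problem; return non-zero if any problem was found.
check_ssl_conf() {   # usage: check_ssl_conf [CONF_FILE]
    local conf="${1:-/opt/aspera/common/apache/conf/extra/httpd-ssl.conf}"
    local bad=0 d p key="" cert=""
    [ -r "$conf" ] || { echo "NOCONF: cannot read $conf"; return 2; }
    for d in SSLCertificateKeyFile SSLCertificateFile SSLCertificateChainFile; do
        p=$(directive_path "$d" "$conf")
        if [ -z "$p" ]; then
            echo "MISSING: $d is absent or commented out"; bad=1
        elif [ ! -r "$p" ]; then
            echo "UNREADABLE: $d -> $p"; bad=1
        fi
        case $d in SSLCertificateKeyFile) key=$p ;; SSLCertificateFile) cert=$p ;; esac
    done
    # Assumption of this example: the key should not be readable by group or other.
    if [ -n "$key" ] && [ -n "$(find -L "$key" -perm /044 2>/dev/null)" ]; then
        echo "PERMS: $key is readable by group or other"; bad=1
    fi
    if [ -r "$key" ] && [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
        key_matches_cert "$key" "$cert" || { echo "MISMATCH: key does not pair with certificate"; bad=1; }
    fi
    return $bad
}
```

Run check_ssl_conf as a user that can read the private key; a non-zero exit status means at least one problem line was printed.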