Request and install an SSL certificate for Faspex on Linux

Description

To secure your Faspex server, you can enable TLS/SSL, which requires you to install a signed certificate. You obtain a signed certificate for your server from a trusted Certificate Authority by sending it a certificate signing request (CSR). The resulting signed certificate verifies your server's identity to visitors who connect to your server and transfer information with it.

Follow the instructions below for requesting and installing a certificate for Faspex on Linux.

Environment

  • Product: Faspex
  • Operating System: Linux

Instructions

1. Generate a private key and a Certificate Signing Request (CSR)

We recommend that you perform this work on your Faspex server in the Aspera Apache conf directory:

cd /opt/aspera/common/apache/conf

 

To generate the CSR, follow the steps for Linux from this article (How to generate a Certificate Signing Request).

The results of generating a CSR are two files -- a private key file and a CSR file.
 

You will generally cut-and-paste the CSR into your certificate provider's web site during the certificate request process. The CSR looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EzARBgNVBAcTCkVtZXJ5dmlsbGUxFTATBgNVBAoTDEFzcGVyYSwgSW5jLjEdMBsG
[...omitted...]
95Um5v44koTnx2TekvgF2je8bt7lpXQfCzjyY24b8e41vRbJkt80KbG9tHBrA5KY
oq8OIB1f+VRIUjr16G9dcNLpwxNrfw==
-----END CERTIFICATE REQUEST-----

You should back up the private key, because the certificate you receive will be unusable without the corresponding private key.

2. Request a Certificate From a Certificate Provider

Choose a certificate provider. You'll want to get a certificate for securing a web site (not for code signing or any other purpose). After you purchase the certificate, you'll generally be directed via the web or via email to a portal where you can complete the certificate transaction.

In the portal, at some point in the process, you'll need to cut-and-paste the CSR you created in the first step. 

When you submit your request, the administrative contact associated with the domain name in the Common Name will be contacted via email to approve the request. Whoever this person is will have to reply to the email before the certificate provider will issue your certificate. If it appears that the request is not being approved in a timely fashion, contact the certificate provider and they can tell you the email address that they emailed the approval request to. You can then check with that person to get your request approved.

After the request is approved by your administrative contact, you'll get notice that your certificate is approved and available for you to install.

Download the certificate and any other associated certificates or data from your certificate provider. If they give you a choice of format or web server that you want the certificate for, select Apache. Download the items directly to the location where the private key and CSR are located. We recommend the /opt/aspera/common/apache/conf directory used earlier on the Faspex server machine.

3. Configure the New Certificate in the Faspex Apache

Most certificates are provided as a specific server certificate, along with a bundle of one or more "intermediate" certificates. We'll assume in this case that we got the certificate from GoDaddy and that GoDaddy provided us a server certificate called faspex.mycompany.com.crt and a bundle of intermediate certificates called gd_bundle.crt. Other certificate providers will typically provide these two items using their own naming convention.

At this point you should have four items:

  1. Original private key (produced at same time as the CSR using openssl req)
  2. Original CSR (produced at same time as the private key using openssl req)
  3. Your newly-issued server certificate (faspex.mycompany.com.crt in our example)
  4. An intermediate certificates bundle (gd_bundle.crt in our example)
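
Before pointing Apache at these files, you can confirm that the four items belong together. The script below is an added example, not part of the original article or of Aspera's tooling; the function names pub_hash and check_cert_set and the optional ROOT_CA argument are illustrative, and it assumes a private key without a passphrase and OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not Aspera's tooling): check that the private key, CSR,
# server certificate and intermediate bundle from this step belong together.
# Assumes an unencrypted private key and OpenSSL 1.1.0 or later.

# Print the SHA-256 of the public key inside a key, CSR or certificate file.
pub_hash() {  # $1 = key|csr|cert, $2 = path
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 1 ;;
    csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    *)    return 1 ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: check_cert_set KEY CSR CERT BUNDLE [ROOT_CA]
# Returns 0 if all checks pass, 1 on a mismatch, 2 if a file cannot be parsed.
check_cert_set() {
  k=$(pub_hash key "$1")  || { echo "cannot parse private key: $1"; return 2; }
  r=$(pub_hash csr "$2")  || { echo "cannot parse CSR: $2"; return 2; }
  c=$(pub_hash cert "$3") || { echo "cannot parse certificate: $3"; return 2; }
  [ "$c" = "$k" ] || { echo "certificate does not match the private key"; return 1; }
  [ "$c" = "$r" ] || { echo "certificate does not match the CSR"; return 1; }
  # Warn (GNU find syntax) if the key is accessible by group or others.
  [ -z "$(find "$1" -perm /077 2>/dev/null)" ] || echo "warning: $1 is group/world accessible"
  # The bundle is passed as untrusted intermediates; the root comes from the
  # system trust store unless ROOT_CA is given (for a private or test CA).
  openssl verify ${5:+-CAfile "$5"} -untrusted "$4" "$3" >/dev/null 2>&1 ||
    { echo "certificate does not chain through $4 to a trusted root"; return 1; }
  echo "OK: key, CSR, certificate and intermediate bundle are consistent"
}

# Run directly: sh check_cert_set.sh KEY CSR CERT BUNDLE [ROOT_CA]
if [ "$#" -ge 4 ]; then check_cert_set "$@"; fi
```

With the file names from this article, the call would take your private key file, your CSR file, faspex.mycompany.com.crt and gd_bundle.crt, in that order.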

We will now update the Apache SSL configuration to point to the private key (#1), the certificate (#3) and the intermediate certificates (#4).

For Faspex 2.6 and earlier, you can do this with the following steps:

  1. Back up the Apache SSL configuration file:
    cp /opt/aspera/common/apache/conf/extra/httpd-ssl.conf /opt/aspera/common/apache/conf/extra/httpd-ssl.conf.orig
  2. Edit the configuration:
    vi /opt/aspera/common/apache/conf/extra/httpd-ssl.conf
  3. Change the SSLCertificateKeyFile directive to point to the private key file. Make sure the directive is not commented out.
  4. Change the SSLCertificateFile directive to point to the new server certificate. Make sure the directive is not commented out.
  5. Change the SSLCertificateChainFile directive to point to the intermediate certificates bundle. Make sure the directive is not commented out (this directive in particular has a high likelihood of being commented out).
  6. Save the changed SSL configuration file.
  7. Restart Apache:
    asctl apache:restart

For Faspex 3.0 and above, the process is simplified due to a new asctl option:

  1. Use the asctl apache:install_ssl_cert command to install the files:
    asctl apache:install_ssl_cert  path-to-cert-file  path-to-key-file  [optional-path-to-intermediate-bundle-file]


    This will copy the specified files to /opt/aspera/common/apache/conf, give them standard Aspera names, fix their file permissions, and update the httpd-ssl.conf file as needed.
     

4. Test Your Newly Installed Certificate

The best way to test that your certificate has been properly installed is to access your Faspex server over HTTPS. You should see a green or other colored lock icon in the address bar. You can right-click on this lock icon to see more information about the certificate, which should indicate that the certificate is OK.