Shares uses TLS/SSL connections for secure communication between visitors and the server, which requires a signed certificate on your server to work properly. By default the Shares installation creates a self-signed certificate for your server, but you can also replace it with a certificate signed by a trusted Certificate Authority (CA).
To regenerate self-signed certificates for Shares:
- Delete (or move) the old certs:
rm /opt/aspera/shares/etc/nginx/cert.key
rm /opt/aspera/shares/etc/nginx/cert.pem
- Generate new certs:
To generate new certificates for CA signing:
- Generate a private key and a Certificate Signing Request (CSR). We recommend that you perform this work on your Shares server. On a Linux Shares server that would be
- Then use openssl req (certificate request utility) to make your private key and a certificate signing request (CSR) for that private key. The CSR is what you provide to your certificate provider when you request an SSL certificate. The openssl req command makes the private key and the CSR in one operation:
openssl req -new -newkey rsa:2048 -nodes -keyout cert.key -out cert.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value,
The results of this command are two files - a private key file and a CSR file - as such:
ls -ltr
total 8
-rw-r--r-- 1 root root 1679 Mar 30 17:02 cert.key
-rw-r--r-- 1 root root 1013 Mar 30 17:02 cert.csr
You will generally cut-and-paste the CSR into your certificate provider’s (CA) web site during the certificate request process. The CSR looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
EzARBgNVBAcTCkVtZXJ5dmlsbGUxFTATBgNVBAoTDEFzcGVyYSwgSW5jLjEdMBsG
[...omitted...]
95Um5v44koTnx2TekvgF2je8bt7lpXQfCzjyY24b8e41vRbJkt80KbG9tHBrA5KY
oq8OIB1f+VRIUjr16G9dcNLpwxNrfw==
-----END CERTIFICATE REQUEST-----
You should back up the private key, as the certificate you get will be unusable without the corresponding private key.
Once the CA has provided the signed certificate (likely a pem file), rename it and place it into the Shares web server configuration location:
cp /tmp/ca-signed-cert.pem /opt/aspera/shares/etc/nginx/cert.pem
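The checks below are an added example, not part of the original article or of Shares itself: they verify the CSR before it is sent to the CA, and confirm before the final copy that the signed certificate really belongs to cert.key and that the key is not readable by other users (the listing above shows it created as -rw-r--r--). The function names are this example's own; the file names and paths are the ones used in the article.

```shell
#!/bin/sh
# Added example: checks to run before installing a CA-signed certificate.
# Function names are this example's own; file names follow the article.

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert <file>
    case $1 in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable or unparsable input never "matches"
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the certificate carries the public key of this private key.
cert_matches_key() {   # usage: cert_matches_key <cert> <key>
    c=$(pubkey_digest cert "$1") || return 1
    k=$(pubkey_digest key "$2") || return 1
    [ "$c" = "$k" ]
}

# Succeed only if the CSR parses and its self-signature verifies.
# The printed result is matched rather than relying on the exit status alone.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Succeed only if group and others have no permission bits on the key file.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    [ "$(printf '%s' "$perms" | cut -c5-10)" = "------" ]
}

# Gate for the final cp step: refuse unless the key is private and matches.
preinstall_check() {   # usage: preinstall_check <signed-cert> <private-key>
    key_is_private "$2" || { echo "key readable by group/others" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
}

# Typical use with the article's paths:
#   csr_is_valid cert.csr                      # before submitting to the CA
#   chmod 600 cert.key
#   preinstall_check /tmp/ca-signed-cert.pem cert.key &&
#       cp /tmp/ca-signed-cert.pem /opt/aspera/shares/etc/nginx/cert.pem
```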