Creating new Certificates for Shares on Linux

Description

Shares uses TLS/SSL connections for secure communication between visitors and the server, which requires a signed certificate on your server to work properly. By default, the Shares installation creates a self-signed certificate for your server, but you can also replace it with a certificate signed by a trusted Certificate Authority (CA).

To regenerate self-signed certificates for Shares:

  1. Delete (or move) the old certs:
    rm /opt/aspera/shares/etc/nginx/cert.key
    rm /opt/aspera/shares/etc/nginx/cert.pem
    
  2. Generate new certs:
    /opt/aspera/shares/u/setup/libexec/lib_nginx_create_self_signed_cert
    

To generate new certificates for CA signing:

  1. Generate a private key and a Certificate Signing Request (CSR). We recommend that you perform this work on your Shares server. On a Linux Shares server, that would be in /opt/aspera/shares/etc/nginx/.
    cd /opt/aspera/shares/etc/nginx/
  2. Use openssl req (the certificate request utility) to make your private key and a certificate signing request (CSR) for that private key. The CSR is what you provide to your certificate provider when you request an SSL certificate. The openssl req command makes the private key and the CSR in one operation:
    openssl req -new -newkey rsa:2048 -nodes -keyout cert.key -out cert.csr
  3. You are about to be asked to enter information that will be incorporated into your certificate request.

    What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value,

    The results of this command are two files - a private key file and a CSR file - as such:

    ls -ltr
    total 8
    -rw-r--r-- 1 root root 1679 Mar 30 17:02 cert.key
    -rw-r--r-- 1 root root 1013 Mar 30 17:02 cert.csr
    
  4. You will generally cut-and-paste the CSR into your certificate provider’s (CA) web site during the certificate request process. The CSR looks like this:

    -----BEGIN CERTIFICATE REQUEST-----
    MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    EzARBgNVBAcTCkVtZXJ5dmlsbGUxFTATBgNVBAoTDEFzcGVyYSwgSW5jLjEdMBsG
    [...omitted...]
    95Um5v44koTnx2TekvgF2je8bt7lpXQfCzjyY24b8e41vRbJkt80KbG9tHBrA5KY
    oq8OIB1f+VRIUjr16G9dcNLpwxNrfw==
    -----END CERTIFICATE REQUEST-----
    
  5. You should back up the private key, as the certificate you get will be unusable without the corresponding private key.

  6. Once the CA has provided the signed certificate (likely a pem file), rename it and place it in the Shares web server configuration location:

    cp /tmp/ca-signed-cert.pem /opt/aspera/shares/etc/nginx/cert.pem
    

    Note: If you were provided with a bundle of intermediate certificates, you will need to combine them into one .pem file to install in Shares. Use instructions from this Knowledge Base article for combining your certificates into the file, which should then be saved at the location above.
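
A pre-install check for steps 5 and 6, added here as an example (not part of the original article or of Shares): it confirms that the CA-signed certificate, the CSR and cert.key all carry the same public key, and warns when the key is readable by group or others, as cert.key is in the listing above. The function names are hypothetical, and the openssl CLI and GNU stat are assumed to be available.

```sh
# Added example: checks to run before copying a CA-signed cert over cert.pem.
# Function names are illustrative; requires the openssl CLI and GNU stat.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
# $1 = key|csr|cert, $2 = PEM file. Fails if the file cannot be parsed.
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if group and others have no access to the private key.
# Assumption: only the key's owner (root in the listing above) must read it.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_before_install KEY CSR CERT
# Returns 0 only when all three files carry the same public key.
check_before_install() {
    k=$(pubkey_digest key "$1")  || { echo "unreadable key: $1" >&2; return 1; }
    r=$(pubkey_digest csr "$2")  || { echo "unreadable CSR: $2" >&2; return 1; }
    c=$(pubkey_digest cert "$3") || { echo "unreadable cert: $3" >&2; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not made from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match key" >&2; return 1; }
    key_mode_ok "$1" || echo "warning: $1 is accessible to group/others" >&2
    return 0
}

# Usage, from /opt/aspera/shares/etc/nginx/:
#   check_before_install cert.key cert.csr /tmp/ca-signed-cert.pem
```

If the CA returned a bundle, the check reads only the first certificate in the file, so it expects the server certificate to come first.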

     
