# Description

You may want to use Certificate Authority (CA) signed certificates for the Node API calls (asperanoded) made to your Aspera web applications or when using HTTP fallback (asperahttpd) for file transfers. By default, Aspera uses self-signed certificates generated by a script.

In order to use CA signed certificates, you will need to obtain the signed certificates from your CA, replace the Aspera default self-signed certificates with them, and configure SSL settings for your server in aspera.conf. You can accomplish this with the following instructions.

### Environment

• Product: Enterprise Server, Connect Server
• Operating System: Windows, Linux, Mac OS X

# Instructions

1. Generate a Certificate Signing Request (CSR) for your server. For detailed instructions on how to do this, see the article How to generate a Certificate Signing Request (CSR).

2. Send the CSR to your CA
Once your CA has reviewed your CSR you will be issued the signed certificate(s).

3. Back up the existing self-signed certificate and private key, which is found in the following locations:
Linux

• /opt/aspera/etc/aspera_server_key.pem
• /opt/aspera/etc/aspera_server_cert.pem

Windows

• C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera_server_key.pem
• C:\Program Files (x86)\Aspera\Enterprise Server\etc\aspera_server_cert.pem

Mac OS X

• /Library/Aspera/etc/aspera_server_key.pem
• /Library/Aspera/etc/aspera_server_cert.pem

For example, you can back up each file with the following command:

On Linux and Mac OS Xcp /path/to/aspera_server_cert.pem /path/to/aspera_server_cert.pem.bakOn Windowscopy C:\path\to\aspera_server_cert.pem C:\path\to\aspera_server_cert.pem.bak

4. Create a PEM file from your private key and certificate.

You can do this by concatenating the entire body of your private key followed by the signed server certificate into the file, and ending with any intermediate certificates in order of ascending authority. Name the file aspera_server_cert.pem and save it to the location of the original self-signed certificate.

For example, you can do this with the following command:

Note: If your last intermediate file does not include the root certificate (in other words, if the root certificate is in a separate file), you will need to concatenate the root certificate to the end of the file.
On Linux and Mac OS Xcat key_name.key your_server_certificate.crt intermediate_certificate.crt > /path/to/aspera_server_cert.pemOn Windowstype key_name.key your_server_certificate.crt intermediate_certificate.crt > \path\to\aspera_server_cert.pem

You could also paste the contents of the files into a new file with a text editor. Make sure to include the beginning and end tags on each certificate. The result should look like this:

    -----BEGIN RSA PRIVATE KEY-----    (Your Private Key: key_name.key)    -----END RSA PRIVATE KEY-----    -----BEGIN CERTIFICATE----    (Your Primary SSL certificate: your_server_certificate.crt)    -----END CERTIFICATE------    -----BEGIN CERTIFICATE----    (Intermediate certificate)    -----END CERTIFICATE------

5. If you have intermediate certificates, you will also need to create a certificate chain file.

The certificate chain file should be the entire body of your server certificate followed by any intermediate certificates in order of ascending authority. Name the file aspera_server_cert.chain and save it to the same location as aspera_server_cert.pem.

For example, you can do this with the following command:

Note: If your last intermediate file does not include the root certificate (in other words, if the root certificate is in a separate file), you will need to concatenate the root certificate to the end of the file.
On Linux and Mac OS Xcat your_server_certificate.crt intermediate_certificate_1.crt intermediate_certificate_2.crt > /path/to/aspera_server_cert.chainOn Windowstype your_server_certificate.crt intermediate_certificate_1.crt intermediate_certificate_2.crt > \path\to\aspera_server_cert.chain

The contents of the chain file should look like this:

    -----BEGIN CERTIFICATE----    (Your Primary SSL certificate: your_server_certificate.crt)    -----END CERTIFICATE------    -----BEGIN CERTIFICATE----    (Intermediate certificate #1)    -----END CERTIFICATE------    -----BEGIN CERTIFICATE----    (Intermediate certificate #2)    -----END CERTIFICATE------

6. Copy your generated private key to the same location as the original private key, and rename it aspera_server_key.pem.
You can use the following command:

On Linux and Mac OS Xcp /path/to/your_domain_name.key /path/to/aspera_server_key.pemOn Windowscopy C:\path\to\your_domain_name.key C:\path\to\aspera_server_key.pem

7. Restart the service you are applying CA signed certificates for.

#### Aspera Node service (asperanoded)

On Linux, use with the following commands:

sudo /etc/init.d/asperanoded restart

On Mac OS X, use the following commands:

sudo launchctl stop com.aspera.asperanodedsudo launchctl start com.aspera.asperanoded

On Windows, use the following commands:

sc stop asperanodedsc start asperanoded

#### HTTP Fallback (asperahttpd)

On Linux, use the following commands:

/etc/init.d/asperahttpd restart

On Mac OS X, use the following commands:

sudo launchctl stop com.aspera.asperahttpdsudo launchctl start com.aspera.asperahttpd

On Windows, navigate to Control Panel > Administrative Tools > Services. Find Aspera HTTPD on the list and click Restart on the left.

#### Aspera Node service (asperanoded)

For asperanoded you can test that your certificates are working properly using openssl or cURL.

If you're using a certificate signed by a trusted Certificate Authority (for example, Symantec, Comodo, Digicert, and so on), you can use one of the commands below:

# curl -v https://your.hostname.com:9092# openssl s_client -connect your.hostname.com:9092

If you're using a certificate signed by you or your organization, you can use one of the commands below, specifying the path to your certificate PEM file:

# curl -v --cacert /path/to/aspera_server_cert.pem https://your.hostname.com:9092/# openssl s_client -CAfile /path/to/aspera_server_cert.pem -connect your.hostname.com:9092

Without the certificate parameter for the commands, your system will not have the certificates built in to validate the signed server certificate. Browsers meanwhile are able to fetch them as needed for trusted Certificate Authorities and so this occurs automatically.

#### HTTP Fallback (asperahttpd)

For HTTP fallback you can test that your certificates are working properly using openssl or cURL.

If you're using a certificate signed by a trusted Certificate Authority (for example, Symantec, Comodo, Digicert, and so on), you can use one of the commands below:

# curl -v https://your.hostname.com:8443/# openssl s_client -connect your.hostname.com:8443

If you're using a certificate signed by you or your organization, you can use one of the commands below, specifying the path to your certificate PEM file:

# curl -v --cacert /path/to/aspera_server_cert.pem https://your.hostname.com:8443# openssl s_client -CAfile /path/to/aspera_server_cert.pem -connect your.hostname.com:8443

Without the certificate parameter for the commands, your system will not have the certificates built in to validate the signed server certificate. Browsers meanwhile are able to fetch them as needed for trusted Certificate Authorities and so this occurs automatically.

#### How to tell your certificates have been properly installed?

When running the verification commands above, make sure the output lists all your certificates, including the server certificate and any intermediate certificates.

For example, if you installed 3 certificates (1 server cert, 2 intermediate certs), ensure your commands show all 3:

* Server certificate: your.hostname.com* Server certificate: intermediate #1 CA* Server certificate: intermediate #2 CA

If you run the openssl command, ensure the verify return value is 0, which indicates no errors. A value of 1 indicates that there are problems with your certificates.

verify return:0