Tuesday, August 10, 2010

How to implement SSL on Resin 4.0.8

Blog Has Moved

Link to the same post in the new blog: How to implement SSL on Resin 4.0.8

Pre-installation notes
The guide bellow is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4

1. Login to the server using Root account.
2. Change permissions on the keys folder:
chmod 640 /usr/local/resin/keys
3. Run the command bellow to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024
Specify a complex pass phrase for the private key (and document it)
4. Run the command bellow to generate the CSR:
/usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csr
Note: The command above should be written as one line.
5. Send the file /tmp/resin.csr to a Certificate Authority server.
6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as "server.crt"
7. Copy the file "server.crt" using SCP into /usr/local/resin/keys/
8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
9. Copy the file "ca-bundle.crt" using SCP into /usr/local/resin/keys/
10. Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section bellow from:
<!-- SSL port configuration: -->
<http address="*" port="8443">
<jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http>
To:
<http address="Server_DNS_Name" port="443">
<openssl>
<certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
<certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
<certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
<password>my-password</password>
</openssl>
</http>

Note: Replace “my-password” with the password for the “server.key” file.
11. Restart the Resin services:
/etc/init.d/resin restart
12. Backup the file /usr/local/resin/keys/server.key

Labels: , ,

6 Comments:

At August 19, 2010 at 9:06 PM , Blogger Arthur said...

Hey Eyal,
Thank you for the detailed explanation. I have a question about step 8. Can you please give me your email so I can send you my question.

Thank you.

 
At August 20, 2010 at 8:04 AM , Blogger Eyal Estrin said...

How may I help you ?

 
At August 20, 2010 at 8:40 PM , Blogger Arthur said...

Hey Eyal,
my question is how do you create the CERTIFICATE-CHAIN-FILE. I understand you have to put 3 files together, first is public.crt, second is intermediateCA.crt (the key file that you get from VERISIGN).. what is the third file you have to include?

and what is the order of putting them together into one file.


Thanks for you help.

 
At August 21, 2010 at 10:25 PM , Blogger Eyal Estrin said...

Arthur hello,
When working with commercial CA such as VeriSign, if you need to have both Root and Intermediate CA certificates bundled, the commercial CA will supply it for you in the email you receive from the commercial CA.
If you purchased a certificate from VeriSign, I would check the link bellow (though your link may change according to the CA server who signed your certificate):
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657&actp=LIST&viewlocale=en_US

If you are working with internal CA server, and your chain contains Root CA and intermediate CA, I would use the command bellow:
cat /usr/local/resin/keys/RootCA.crt /usr/local/resin/keys/IntermediateCA.crt > /usr/local/resin/keys/ca-bundle.crt

You don't need to chain the server public key file (server.crt) to this chain, since Resin has its own value for the server public key, called certificate-file, and another one for the CA certificate chain file, called certificate-chain-file.

 
At August 24, 2010 at 11:23 PM , Blogger Arthur said...

Shalom Eyal,
I have another question. At my current company we have our website configured with ssl certificates. Our ssl certificates through VeriSign.

Now when you generate the CSR from the private key by typing

openssl req -new –key /usr/local/apache/conf/keys/private.key > verisign.csr

it will ask you for few questions, one of the questions is: COMMON NAME which is FQDN (for example www.test.com)

now our website runs on old servers, we are setting up new servers and my manager wants me to get new SSL certificates for new servers.

When I run the above command for the new servers, what do I specify for the COMMON NAME question? Will it still be the www.test.com?

Eventually for some time the old web server and new web server will be up.. since some pages will be pointing to old server and some will be pointing to new servers.

My question is: what do I specify for FQDN question when configuring ssl certificates on new servers? Will it cause any confusion on VeriSign?

Thank you for your help. Toda

 
At August 25, 2010 at 1:25 AM , Blogger Eyal Estrin said...

Arthur,
1. Since all servers have the same web site, all SSL certificates must be the same - for example www.test.com
2. If you put your new servers with the same SSL certificate of www.test.com everything will be transparent for the end users.
3. Unless your SSL certificate on your old servers is about to expire in the near future, you don't need to purchase new certificate - simply copy the server.key file and the CA chain file into the new web servers.

 

Post a Comment

Subscribe to Post Comments [Atom]

<< Home