SSL Certificates Installation

SSL Certificates for secure communication
CloudFabrix's cfxDimensions platform is enabled with HTTPS (SSL/443) access by default for secure communication and is installed with self-signed certificates during deployment. For production deployments, however, it is highly recommended to install CA-signed certificates; the steps below describe how to install them correctly.
The cfxDimensions platform uses the HA Proxy service to manage UI access, incoming traffic (e.g. alert notifications) securely over HTTPS (SSL/443), and internal application traffic where applicable.
The steps below describe how to install CA-signed SSL certificates for the HA Proxy service.

SSL Certificate Requirements:

The cfxDimensions platform's HA Proxy service requires the following CA-signed SSL certificate files in PEM format:
  • server-ssl-certificate.crt (format: PEM)
  • server-ssl-private.key
  • trusted-ca-intermediate-root.crt (format: PEM)
  • trusted-ca-root.crt (format: PEM)
OR
  • server-ssl-certificate.crt (format: PEM)
  • server-ssl-private.key
  • trusted-ca-intermediate-root.crt & trusted-ca-root.crt chain in a single file (format: PEM)
The SSL server certificate must be issued for the DNS name / FQDN that resolves to the cfxDimensions platform VM's IP address (this name is also referred to as the Common Name, or CN, in the certificate). Wildcard domain SSL certificates are also supported. The screenshot below shows an example of checking the server certificate's CN with the following openssl command. (In this example, the cfxDimensions platform's FQDN is cfx-dimensions.cloudfabrix.io and a wildcard domain name (CN) SSL certificate is used.)
openssl crl2pkcs7 -nocrl -certfile server-ssl-certificate.crt | openssl pkcs7 -print_certs -noout
Once you have the SSL certificate files listed above, create an SSL certificate chain by concatenating them into a single file in PEM format.
The diagram below shows a valid CA-signed SSL certificate chain flow for reference.
Run the command below to create a valid SSL certificate chain (the supported format is PEM):
cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-root.crt trusted-ca-root.crt > cfx-ssl-haproxy.pem
OR
cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-and-root-chain.crt > cfx-ssl-haproxy.pem
The consolidated SSL certificate chain is saved to the file 'cfx-ssl-haproxy.pem', which is applied to the HA Proxy configuration later in this document. The filename is used here for reference only. Because this file also contains the private key, restrict its permissions so that only the account running the HA Proxy service can read it.

CA-signed SSL certificate verification:

Note: the openssl tool is a prerequisite for the SSL certificate validation checks below.
Step 1: Run the commands below to verify that the server's SSL certificate and private key belong together. The two MD5 values must be identical. (These commands apply to RSA keys; for an EC key, use the public-key comparison in Step 3.)
openssl x509 -noout -modulus -in server-ssl-certificate.crt | openssl md5
openssl rsa -noout -modulus -in server-ssl-private.key | openssl md5
Step 2: Run the commands below to verify that the server's SSL certificate and the intermediate and root certificates (the chain) are within their validity dates and not expired.
openssl x509 -noout -in server-ssl-certificate.crt -dates
openssl x509 -noout -in trusted-ca-root.crt -dates
openssl x509 -noout -in trusted-ca-intermediate-root.crt -dates
Step 3: Run the commands below to verify that the public key in the server certificate and the public key derived from the private key are the same. The two outputs should match.
openssl x509 -in server-ssl-certificate.crt -noout -pubkey
openssl rsa -in server-ssl-private.key -pubout
Step 4: Run the command below to verify the validity of the certificate chain. The response should end with 'OK'. When the intermediate and root certificates are separate files, the intermediate must be supplied with -untrusted; with the root alone, openssl cannot build the path from the server certificate to the root and reports 'unable to get local issuer certificate'.
openssl verify -CAfile trusted-ca-root.crt -untrusted trusted-ca-intermediate-root.crt server-ssl-certificate.crt
OR
openssl verify -CAfile trusted-ca-intermediate-and-root-chain.crt server-ssl-certificate.crt
Step 5: Run the command below to display the certificate chain and verify that its order is correct (server certificate first, then the intermediate, then the root).
openssl crl2pkcs7 -nocrl -certfile cfx-ssl-haproxy.pem | openssl pkcs7 -print_certs -noout
Please refer to the screenshot below on how to validate the SSL certificate chain order.
Verify that the SSL certificate and key are in PEM format:
openssl rsa -inform PEM -in server-ssl-private.key
openssl x509 -inform PEM -in server-ssl-certificate.crt
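The chain-creation step and verification Steps 2 to 5 above, combined into one script that refuses to write the bundle unless every check passes. This is an added example, not CloudFabrix's own tooling; it assumes openssl on PATH and the four PEM files named on this page, and the CFX_FQDN variable and the function name are assumptions of the example.

```shell
#!/bin/sh
# Added example, not CloudFabrix's own tooling: runs the verification checks
# from this page in one pass and only then writes the consolidated HAProxy PEM.
# Assumes: openssl on PATH, the four PEM input files, an RSA or EC private key.
# Usage: cfx_check_and_bundle KEY CERT INTERMEDIATE ROOT OUT_PEM
cfx_check_and_bundle() {
    key="$1"; cert="$2"; inter="$3"; root="$4"; out="$5"

    # Step 3: the public key derived from the private key must equal the one in
    # the certificate (openssl pkey also handles EC keys, unlike the RSA modulus check).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }

    # Step 2: none of the three certificates may be expired.
    for f in "$cert" "$inter" "$root"; do
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || { echo "expired: $f" >&2; return 1; }
    done

    # Step 4: build the path leaf -> intermediate -> root. The intermediate is
    # passed as untrusted so that only the root acts as the trust anchor.
    openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null \
        || { echo "chain verification failed" >&2; return 1; }

    # The leaf must be issued for the platform FQDN (or a matching wildcard).
    # Optional: enabled by exporting CFX_FQDN before calling the function.
    if [ -n "${CFX_FQDN:-}" ]; then
        openssl x509 -in "$cert" -noout -checkhost "$CFX_FQDN" | grep -q 'does match' \
            || { echo "certificate is not valid for $CFX_FQDN" >&2; return 1; }
    fi

    # Write the bundle in the page's order, owner-readable only: it holds the key.
    rm -f "$out"
    ( umask 077; cat "$key" "$cert" "$inter" "$root" > "$out" ) || return 1

    # Step 5: the bundle must hold exactly three certificates, server cert first.
    n=$(openssl crl2pkcs7 -nocrl -certfile "$out" | openssl pkcs7 -print_certs -noout | grep -c '^subject=')
    [ "$n" -eq 3 ] || { echo "unexpected certificate count in bundle: $n" >&2; return 1; }
    first=$(openssl x509 -in "$out" -noout -fingerprint -sha256)
    leaf=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    [ "$first" = "$leaf" ] || { echo "server certificate is not first in bundle" >&2; return 1; }
    echo "bundle written to $out"
}

# Stand-alone use: sh check-and-bundle.sh KEY CERT INTERMEDIATE ROOT OUT_PEM
if [ "$#" -eq 5 ]; then
    cfx_check_and_bundle "$@"
fi
```

A non-zero exit means one of the checks failed and no bundle was written, so the copy into the HA Proxy certificates directory can be made conditional on it.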

CA-signed SSL Certificate Installation for HA Proxy service:

Step 1: Go to the HA Proxy service's certificates path on the cfxDimensions platform machine.
cd /opt/macaw/macaw-platform-<id>/certificates/<cfx-platform-ip>/haproxy
Step 2: Take a backup of the existing HA Proxy service SSL certificate.
cp haproxy.pem haproxy.pem.backup
Step 3: Copy the CA-signed SSL certificate chain file (PEM format) to this location as 'haproxy.pem'.
cp <ssl-cert-path>/cfx-ssl-haproxy.pem haproxy.pem
Step 4: Restart the HA Proxy container.
docker ps -a | grep haproxy
docker restart <haproxy-container-id>
Step 5: Check the HA Proxy service logs to make sure there are no errors after installing the CA-signed SSL server certificate chain file.
docker logs -f <haproxy-container-id> --tail 200
Step 6: Run the 'openssl' command below to verify the newly installed SSL certificate. The output should show 'Verify return code: 0 (ok)' without any validation failures.
openssl s_client -connect <cfx-platform-FQDN>:443
Step 7: Open a web browser (Firefox / Chrome / Safari) and enter the cfxDimensions platform's FQDN to access the UI securely over HTTPS (port 443).
https://<cfx-platform-fqdn>

Appendix:

SSL Certificate Formats and Conversion:

SSL certificate files come in different formats; the most common ones that CAs (Certificate Authorities) deliver include .pfx, .p7b, .pem, .crt, .cer, and .cert. More details about these certificate formats are available at the following link:
SSL Certificate file format's explanation
If you need to convert the format of your SSL certificate files to PEM, use the following commands:
  • Convert PFX to PEM
openssl pkcs12 -in server-ssl-certificate.pfx -out server-ssl-certificate.pem -nodes
  • Convert P7B to PEM
openssl pkcs7 -print_certs -in server-ssl-certificate.p7b -out server-ssl-certificate.pem
  • Convert DER to PEM
openssl x509 -inform der -in server-ssl-certificate.cer -out server-ssl-certificate.pem
You can use the following commands to check if your certificate files are already in the required format:
  • Check and verify if your key is in PEM format
openssl rsa -inform PEM -in server-ssl-private.key
  • Check and verify if your certificate is in PEM format
openssl x509 -inform PEM -in server-ssl-certificate.pem

Self Signed SSL Certificate with Custom CA Root:

The truststore, or root store, is a file that contains the root certificates of the Certificate Authorities (CAs) that issue SSL certificates, such as GoDaddy, Verisign, Network Solutions, Comodo and others. Web browsers, operating systems and applications ship with a list of authorized SSL certificate authorities in their root store / truststore repository file.
However, many enterprises use custom CA root certificates to validate and certify self-signed SSL certificates for internal use. In that scenario, an SSL certificate verification error may be observed when the application is accessed through a browser or an SSL client, because neither the browser nor the SSL client has the custom CA root certificate in its root store / truststore repository file and therefore cannot confirm the authenticity of the application's SSL certificate and its issuer (CA).
To resolve this, update the client's root store / truststore with the custom CA root and intermediate certificates so that the client recognizes them as a valid and trusted Certificate Authority (CA). Refer to the client's (web browser or application) documentation on how to add custom CA root certificates to its root store / truststore.
Note: Please take guidance from your internal security team while using self-signed SSL certificates with Custom CA root certificates.