SSL Certificates Installation

SSL Certificates for secure communication

CloudFabrix's dimensions platform is enabled with HTTPS (SSL/443) access by default for secure communication and is installed with self-signed certificates during deployment. For production deployments, however, it is highly recommended to install CA-signed certificates, and the steps below describe how to install them correctly.

The cfxDimensions platform uses the HA Proxy service to manage UI access, incoming traffic (for example, alert notifications) securely over HTTPS (SSL/443), and internal application traffic where applicable.

The steps below describe how to install CA-signed SSL certificates for the HA Proxy service.

SSL Certificate Requirements:

CloudFabrix's dimensions platform's HA Proxy service requires the following CA-signed SSL certificate files in PEM format.

  • server-ssl-certificate.crt (format: PEM)

  • server-ssl-private.key

  • trusted-ca-intermediate-root.crt (format: PEM)

  • trusted-ca-root.crt (format: PEM)

OR

  • server-ssl-certificate.crt (format: PEM)

  • server-ssl-private.key

  • trusted-ca-intermediate-root.crt & trusted-ca-root.crt chain in a single file (format: PEM)

The SSL server certificate that is obtained should match the DNS name / FQDN that resolves to the cfxDimensions platform VM's IP address (this name is also referred to as the Common Name or CN within the certificate). Modern browsers match the host name against the certificate's Subject Alternative Name (SAN) entries rather than the CN alone, so the FQDN (or wildcard) should also be present as a SAN. Wildcard domain SSL certificates are also supported. The screen below shows how to check the server SSL certificate's CN using the openssl command. (In this example, the cfxDimensions platform's FQDN is cfx-dimensions.cloudfabrix.io and a wildcard domain name (CN) SSL certificate is used.)

openssl crl2pkcs7 -nocrl -certfile server-ssl-certificate.crt | openssl pkcs7 -print_certs -noout

Once you have the SSL certificate files as mentioned above, you need to create an SSL certificate chain by grouping them together as a single file in PEM format.

The below diagram shows a valid CA-signed SSL certificate chain flow for reference.

Run the below command to create a valid SSL certificate chain. (supported format is PEM)

cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-root.crt trusted-ca-root.crt > cfx-ssl-haproxy.pem

OR

cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-and-root-chain.crt > cfx-ssl-haproxy.pem

The final consolidated SSL certificate chain is saved to the file 'cfx-ssl-haproxy.pem', which is applied to the HA Proxy configuration later in this document. The filename used here is for reference only.

CA-signed SSL certificate verification:

Note: the openssl tool is a prerequisite for performing the SSL certificate validation checks below.

Step 1: Run the below commands to verify that the server's SSL certificate and private key belong together. The outputs of the two commands must be identical. (These commands apply to RSA keys.)

openssl x509 -noout -modulus -in server-ssl-certificate.crt | openssl md5
openssl rsa -noout -modulus -in server-ssl-private.key | openssl md5

Step 2: Run the below commands to verify that the server's SSL certificate and the intermediate and root certificates of the chain are within their validity dates and not expired.

openssl x509 -noout -in server-ssl-certificate.crt -dates
openssl x509 -noout -in trusted-ca-root.crt -dates
openssl x509 -noout -in trusted-ca-intermediate-root.crt -dates

Step 3: Run the below commands to verify that the public key contained in the private key file and the public key in the server certificate are the same. The outputs of the two commands should match.

openssl x509 -in server-ssl-certificate.crt -noout -pubkey
openssl rsa -in server-ssl-private.key -pubout

Step 4: Run the below command to verify the validity of the certificate chain. The response should come out as 'OK'. When the root and intermediate certificates are in separate files, the intermediate must be supplied with -untrusted so that openssl can build the path from the server certificate up to the trusted root; with -CAfile trusted-ca-root.crt alone the check fails with 'unable to get local issuer certificate'.

openssl verify -CAfile trusted-ca-root.crt -untrusted trusted-ca-intermediate-root.crt server-ssl-certificate.crt

OR

openssl verify -CAfile trusted-ca-intermediate-and-root-chain.crt server-ssl-certificate.crt

Step 5: Run the below command to display the certificates in the chain file and verify that they are in the correct order (server certificate first, then the intermediate, then the root).

openssl crl2pkcs7 -nocrl -certfile cfx-ssl-haproxy.pem | openssl pkcs7 -print_certs -noout

Please refer to the screenshot below for how to validate the SSL certificate chain order.

Verify that the SSL certificate and key are in PEM format:

openssl rsa -inform PEM -in server-ssl-private.key
openssl x509 -inform PEM -in server-ssl-certificate.crt
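The following script is an added example and is not part of the CloudFabrix documentation. It builds a throwaway root, intermediate and wildcard server certificate with openssl, assembles the HA Proxy bundle in the order given above, and wraps the verification steps (key/certificate match, validity dates, chain verification, chain order) in shell functions that return pass or fail, so the whole procedure can be rehearsed before touching a real certificate. It goes slightly beyond the page: it also checks that the wildcard certificate covers the platform FQDN (-verify_hostname) and shows what happens when the intermediate is left out of the verification. The FQDN cfx-dimensions.example.test, the wildcard *.example.test and all subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the CloudFabrix documentation): builds a throwaway
# root -> intermediate -> server PKI, assembles the HA Proxy bundle in the order
# the document specifies, and runs the document's verification checks as shell
# functions that return 0 (pass) or 1 (fail). The FQDN, the wildcard name and
# all certificate subjects are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
FQDN="cfx-dimensions.example.test"   # constructed platform FQDN
WILDCARD="*.example.test"            # constructed wildcard CN / SAN covering it

# Constructed PKI: self-signed root, intermediate signed by the root, wildcard
# server certificate signed by the intermediate. Files are named as in the document.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$WILDCARD" > srv.ext

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext \
    -out trusted-ca-root.crt 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA trusted-ca-root.crt -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out trusted-ca-intermediate-root.crt 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$WILDCARD" \
    -keyout server-ssl-private.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA trusted-ca-intermediate-root.crt -CAkey inter.key \
    -CAcreateserial -days 2 -sha256 -extfile srv.ext -out server-ssl-certificate.crt 2>/dev/null
}

# Steps 1 and 3: the public key in the certificate must be the one derived from
# the private key (the modulus md5 comparison in the document tests the same thing).
key_matches_cert() {
  cert_pub="$(openssl x509 -in server-ssl-certificate.crt -noout -pubkey)"
  key_pub="$(openssl rsa -in server-ssl-private.key -pubout 2>/dev/null)"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 2, made machine-checkable: -checkend 0 succeeds only while notAfter is in the future.
not_expired() {
  openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Step 4: trust only the root, hand the intermediate over as -untrusted so OpenSSL
# can build the path, and confirm the wildcard certificate covers the platform FQDN.
chain_verifies() {
  openssl verify -CAfile trusted-ca-root.crt -untrusted trusted-ca-intermediate-root.crt \
    -verify_hostname "$FQDN" server-ssl-certificate.crt >/dev/null 2>&1
}

# The same check with the intermediate left out: this is the failure seen when a
# chain is incomplete ("unable to get local issuer certificate").
chain_verifies_without_intermediate() {
  openssl verify -CAfile trusted-ca-root.crt server-ssl-certificate.crt >/dev/null 2>&1
}

# Bundle in the order the document gives: key, server cert, intermediate, root.
build_bundle() {
  cat server-ssl-private.key server-ssl-certificate.crt \
    trusted-ca-intermediate-root.crt trusted-ca-root.crt > "$1"
}

# Step 5: list the CN of every certificate in the bundle, in file order. The private
# key block is dropped first (it is not a certificate), then the document's command runs.
bundle_cns() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$1.certs"
  openssl crl2pkcs7 -nocrl -certfile "$1.certs" | openssl pkcs7 -print_certs -noout \
    | grep -i '^subject' | sed 's/.*CN *= *//'
}

# The order HA Proxy expects: server certificate first, then intermediate, then root.
bundle_order_ok() {
  expected="$(printf '%s\nConstructed Intermediate CA\nConstructed Root CA' "$WILDCARD")"
  [ "$(bundle_cns "$1")" = "$expected" ]
}

make_test_pki
build_bundle cfx-ssl-haproxy.pem
# A deliberately mis-ordered bundle (root first) so the order check has something to reject.
cat server-ssl-private.key trusted-ca-root.crt trusted-ca-intermediate-root.crt \
  server-ssl-certificate.crt > wrong-order.pem

for f in server-ssl-certificate.crt trusted-ca-intermediate-root.crt trusted-ca-root.crt; do
  if not_expired "$f"; then echo "$f: within validity period"; else echo "$f: EXPIRED"; fi
done
if key_matches_cert; then echo "key/certificate match: OK"; else echo "key/certificate match: FAIL"; fi
if chain_verifies; then echo "chain + hostname verify: OK"; else echo "chain + hostname verify: FAIL"; fi
if chain_verifies_without_intermediate; then echo "verify without intermediate: OK (unexpected)"
else echo "verify without intermediate: FAIL (expected: intermediate missing)"; fi
if bundle_order_ok cfx-ssl-haproxy.pem; then echo "cfx-ssl-haproxy.pem order: OK"; else echo "cfx-ssl-haproxy.pem order: WRONG"; fi
if bundle_order_ok wrong-order.pem; then echo "wrong-order.pem order: OK (unexpected)"; else echo "wrong-order.pem order: WRONG (expected)"; fi
```

To rehearse against real files, drop make_test_pki, copy the CA-issued files into the working directory under the names used above and set FQDN to the platform's actual name; every check then reports on the production material instead of the constructed one.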

CA-signed SSL Certificate Installation for HA Proxy service:

Step 1: Change to the HA Proxy service's certificates directory on the cfxDimensions platform machine.

cd /opt/macaw/macaw-platform-<id>/certificates/<cfx-platform-ip>/haproxy

Step 2: Take a backup of the existing HA Proxy service's SSL certificate.

cp haproxy.pem haproxy.pem.backup

Step 3: Copy the CA-signed SSL certificate chain file (in PEM format) to this location as 'haproxy.pem'.

cp <ssl-cert-path>/cfx-ssl-haproxy.pem haproxy.pem

Step 4: Restart the HA Proxy container.

docker ps -a | grep haproxy
docker restart <haproxy-container-id>

Step 5: Check the HA Proxy service logs to make sure there are no errors after installing the CA-signed SSL server certificate chain file.

docker logs -f <haproxy-container-id> --tail 200

Step 6: Run the below 'openssl' command to verify the newly installed SSL certificate. The output should end with 'Verify return code: 0 (ok)' without any validation failures. (If the certificate was issued by a custom CA that is not in the system trust store, add -CAfile with the CA chain file so that s_client can validate it.)

openssl s_client -connect <cfx-platform-FQDN>:443

Step 7: Open an internet browser (Firefox / Chrome / Safari) and enter the cfxDimensions platform's FQDN to access the UI securely over HTTPS (port 443).

https://<cfx-platform-fqdn>

Appendix:

SSL Certificate Formats and Conversion:

SSL certificate files come in different formats; the most common ones that CAs (Certificate Authorities) deliver include .pfx, .p7b, .pem, .crt, .cer and .cert. You can find more details about these certificate formats at the following link:

SSL Certificate file format's explanation

If you need to convert the format of your SSL certificate files to PEM, please use the following commands:

  • Convert PFX to PEM

openssl pkcs12 -in server-ssl-certificate.pfx -out server-ssl-certificate.pem -nodes

  • Convert P7B to PEM

openssl pkcs7 -print_certs -in server-ssl-certificate.p7b -out server-ssl-certificate.pem

  • Convert DER to PEM

openssl x509 -inform der -in server-ssl-certificate.cer -out server-ssl-certificate.pem

You can use the following commands to check if your certificate files are already in the required format:

  • Check and verify that your key is in PEM format

openssl rsa -inform PEM -in server-ssl-private.key

  • Check and verify that your certificate is in PEM format

openssl x509 -inform PEM -in server-ssl-certificate.pem
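As an added example (not from the CloudFabrix documentation), the script below detects whether a certificate file is PEM or DER encoded and converts it to PEM when needed. The detection looks at the file content (the PEM header line, or the leading ASN.1 SEQUENCE byte 0x30 for DER) before asking openssl to parse it, because on OpenSSL 3 the -inform option is only a hint and the commands above will happily accept either encoding. The sample certificate is generated in a temporary directory; the subject name format.example.test is a constructed placeholder, and the helper names cert_format and to_pem are this example's own.

```shell
#!/bin/sh
# Added example (not part of the CloudFabrix documentation): detect a certificate
# file's encoding and normalise it to the PEM format the HA Proxy bundle needs.
# The sample certificate and its subject name are constructed for this example.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Print PEM, DER or UNKNOWN for the certificate file "$1".
# PEM is recognised by its header line, DER by the leading SEQUENCE tag (0x30);
# openssl then has to parse the file in that encoding for the answer to count.
cert_format() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" \
     && openssl x509 -inform PEM -noout -in "$1" >/dev/null 2>&1; then
    echo PEM
  elif [ "$(od -A n -t x1 -N 1 "$1" | tr -d ' \n')" = "30" ] \
     && openssl x509 -inform DER -noout -in "$1" >/dev/null 2>&1; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# Write a PEM copy of "$1" to "$2" whatever the input encoding. PFX and P7B
# containers are not handled here; use the pkcs12 / pkcs7 commands above for those.
to_pem() {
  fmt="$(cert_format "$1")"
  case "$fmt" in
    PEM) cp "$1" "$2" ;;
    DER) openssl x509 -inform DER -in "$1" -out "$2" ;;
    *)   echo "$1: not an X.509 certificate in PEM or DER encoding" >&2; return 1 ;;
  esac
}

# Constructed sample: a self-signed PEM certificate, a DER copy of it, and a non-certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=format.example.test" \
  -keyout sample.key -out sample.pem 2>/dev/null
openssl x509 -in sample.pem -outform DER -out sample.cer
printf 'not a certificate\n' > sample.txt

to_pem sample.cer converted.pem
echo "sample.pem: $(cert_format sample.pem)"         # PEM
echo "sample.cer: $(cert_format sample.cer)"         # DER
echo "sample.txt: $(cert_format sample.txt)"         # UNKNOWN
echo "converted.pem: $(cert_format converted.pem)"   # PEM
```

The converted file carries the same certificate, so its fingerprint (openssl x509 -noout -fingerprint) is identical to the original's; that comparison is a quick way to confirm a conversion did not pick up the wrong file.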

Self Signed SSL Certificate with Custom CA Root:

The truststore or root store is a file that contains the root certificates of the Certificate Authorities (CAs) that issue SSL certificates, such as GoDaddy, Verisign, Network Solutions, Comodo and others. Internet browsers, operating systems and applications include a list of authorized SSL certificate authorities in their root store or truststore repository file.

However, many enterprises use custom CA root certificates to validate and certify self-signed SSL certificates for internal use. In such a scenario, SSL certificate verification errors may be observed when the application is accessed through a browser or an SSL client, because neither the browser nor the SSL client has the custom CA root certificate in its root store / truststore and therefore cannot establish the authenticity of the application's SSL certificate and its issuer (CA).

To resolve this, update the client's root store / truststore with the custom CA root and intermediate certificates so that the client recognizes them as a valid and trusted Certificate Authority (CA). Please refer to the client's (internet browser or application) documentation for how to update its root store / truststore with custom CA root certificates.

Note: Please take guidance from your internal security team while using self-signed SSL certificates with Custom CA root certificates.