# SSL Certificates Installation

CloudFabrix's cfxDimensions platform is enabled for HTTPS (TLS on port 443) access by default and is deployed with self-signed certificates. A self-signed certificate gives clients no way to authenticate the server, so for production deployments it is strongly recommended to install CA-signed certificates; the steps below describe how to do that correctly.

The cfxDimensions platform uses the HA Proxy service to terminate TLS for UI access, for incoming traffic (e.g. alert notifications) over HTTPS (port 443), and for internal application traffic where applicable.

The steps below describe how to install CA-signed SSL certificates for the HA Proxy service.

### SSL Certificate Requirements:

The cfxDimensions platform's HA Proxy service requires the following CA-signed SSL certificate files in PEM format:

* server-ssl-certificate.crt (format: PEM)
* server-ssl-private.key (format: PEM, not passphrase-protected; HA Proxy cannot prompt for a passphrase at startup)
* trusted-ca-intermediate-root.crt (format: PEM)
* trusted-ca-root.crt (format: PEM)

**OR**

* server-ssl-certificate.crt (format: PEM)
* server-ssl-private.key (format: PEM, not passphrase-protected)
* trusted-ca-intermediate-root.crt & trusted-ca-root.crt chain in a single file (format: PEM)

The server certificate must be issued for the DNS name (FQDN) through which clients reach the cfxDimensions platform VM, i.e. the name that resolves to its IP address. Historically this name was carried in the certificate's Common Name (CN); current browsers require it in the Subject Alternative Name (SAN) extension and ignore the CN, so make sure the CA includes the FQDN there. Wildcard certificates are also supported. The command below prints the subject and issuer of each certificate in the file, which is a quick way to check the CN with **openssl**. (In this example the platform's FQDN is cfx-dimensions.cloudfabrix.io and the server uses a wildcard certificate covering that domain.)

```
openssl crl2pkcs7 -nocrl -certfile server-ssl-certificate.crt | openssl pkcs7 -print_certs -noout
```

![](https://4260296531-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAygHzNCQ33zRR43qxF%2F-MUzAYnyHLrcMOxEwVZq%2F-MUzGjx2-mXEsuj5BXDx%2FScreen%20Shot%202021-03-04%20at%202.06.05%20PM.png?alt=media\&token=10ae2cab-62e9-4e00-9219-1b360f8dbcae)

Once you have the files listed above, combine them into a single PEM file (the certificate chain bundle) in the order shown below.

The diagram below shows a valid CA-signed certificate chain for reference.

![](https://4260296531-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAygHzNCQ33zRR43qxF%2F-MUzdy4n8DVcGscoq4Y9%2F-MUzgFuYilHjuTLFs-Oo%2FScreen%20Shot%202021-03-04%20at%204.01.49%20PM.png?alt=media\&token=b86f6314-b552-48aa-80a5-9095ff7c28ec)

Run the command below to create the certificate chain bundle (supported format is PEM). Order matters: HA Proxy treats the first certificate in the file as the server certificate, followed by the intermediate and then the root; the private key may appear anywhere in the file, and in this document it is placed first. The bundle contains the private key, so create it with permissions that allow only the owner to read it and do not leave copies in shared locations. If any input file lacks a trailing newline, `cat` will glue its END marker to the next BEGIN marker and HA Proxy will fail to load the bundle; the Step 5 check in the verification section below catches this.

```
cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-root.crt trusted-ca-root.crt > cfx-ssl-haproxy.pem
```

**OR**

```
cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-and-root-chain.crt > cfx-ssl-haproxy.pem
```

![](https://4260296531-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAygHzNCQ33zRR43qxF%2F-MUzh-8Y9R8UZTJGco3v%2F-MUzmHTkJEWcZ50AjYsC%2FScreen%20Shot%202021-03-04%20at%204.27.52%20PM.png?alt=media\&token=5ec6a565-facf-4bd5-a1f7-8437c40a615e)

{% hint style="info" %}
The consolidated certificate chain bundle is saved as '**cfx-ssl-haproxy.pem**' and is applied to the HA Proxy configuration later in this document. The filename is used here for reference only.
{% endhint %}
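The bundle assembly above, as an added example that is not part of the CloudFabrix documentation or product: a shell function that concatenates the files in the prescribed order with owner-only permissions, inserts the newline that a source file may be missing, and a second function that sanity-checks the result with plain text tools (exactly one unencrypted private key, a server certificate plus at least one CA certificate, matching BEGIN/END markers, no glued markers). The file names are the ones this page uses; the sample inputs in the test are constructed placeholders, not real certificates.

```shell
#!/usr/bin/env bash
# Added example (not CloudFabrix's own tooling): build and structurally check
# the HA Proxy PEM bundle described above. No openssl needed for these checks.

pem_count() {  # $1 = file, $2 = block type ("CERTIFICATE" or "PRIVATE KEY"); prints the count
  grep -c -e "^-----BEGIN [A-Z ]*$2-----$" "$1" || true
}

build_haproxy_bundle() {  # $1 = output bundle, remaining args = PEM files in the order the page prescribes
  local out=$1 f
  shift
  ( umask 077; : > "$out" )      # bundle holds the private key: owner-readable from the first byte
  for f in "$@"; do
    [ -s "$f" ] || { echo "missing or empty input: $f" >&2; return 1; }
    cat "$f" >> "$out" || return 1
    # $(tail -c 1) is empty only when the last byte is a newline; otherwise add one
    # so the END marker of this file is not glued to the BEGIN marker of the next.
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
  done
}

check_pem_bundle() {  # $1 = bundle; returns 0 only if the structure is what HA Proxy expects
  local f=$1 keys certs begins ends
  keys=$(pem_count "$f" "PRIVATE KEY")
  certs=$(pem_count "$f" "CERTIFICATE")
  begins=$(grep -c -e '^-----BEGIN ' "$f" || true)
  ends=$(grep -c -e '^-----END ' "$f" || true)
  if grep -q -e '^-----END [A-Z ]*-----.' "$f"; then
    echo "FAIL: an END marker is glued to the next line (a source file lacked a trailing newline)" >&2; return 1
  fi
  if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
    echo "FAIL: private key is passphrase-protected; HA Proxy cannot load it" >&2; return 1
  fi
  [ "$begins" = "$ends" ] || { echo "FAIL: $begins BEGIN vs $ends END markers" >&2; return 1; }
  [ "$keys" = 1 ] || { echo "FAIL: expected exactly one private key, found $keys" >&2; return 1; }
  [ "$certs" -ge 2 ] || { echo "FAIL: expected the server certificate plus at least one CA certificate, found $certs" >&2; return 1; }
  echo "OK: 1 private key, $certs certificates"
}

# Usage with the file names from this page:
# build_haproxy_bundle cfx-ssl-haproxy.pem server-ssl-private.key server-ssl-certificate.crt \
#     trusted-ca-intermediate-root.crt trusted-ca-root.crt && check_pem_bundle cfx-ssl-haproxy.pem
```

These checks are structural only; they confirm the file is well-formed, not that the first certificate is really the server certificate or that the chain is valid, which is what the openssl checks in the next section are for.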


### CA-signed SSL certificate verification:

{% hint style="info" %}
Note: the **openssl** command-line tool is required for the certificate checks below.
{% endhint %}

**Step 1:** Run the commands below to confirm that the server certificate and the private key belong together. Each prints an MD5 fingerprint of the RSA modulus, and the two outputs must be identical. (This check applies to RSA keys only; for ECDSA keys use the public-key comparison in Step 3.)

```
openssl x509 -noout -modulus -in server-ssl-certificate.crt | openssl md5
```

```
openssl rsa -noout -modulus -in server-ssl-private.key | openssl md5
```

**Step 2:** Run the commands below to confirm that the server certificate, the intermediate certificate and the root certificate are each within their validity period (notBefore / notAfter) and that none has expired.

```
openssl x509 -noout -in server-ssl-certificate.crt -dates
```

```
openssl x509 -noout -in trusted-ca-root.crt -dates
```

```
openssl x509 -noout -in trusted-ca-intermediate-root.crt -dates
```

**Step 3:** Run the commands below to confirm that the public key embedded in the server certificate is the same as the public key derived from the private key file. The two outputs must be identical. (`openssl rsa` handles RSA keys only; for an ECDSA key substitute the `pkey` subcommand for `rsa`.)

```
openssl x509 -in server-ssl-certificate.crt -noout -pubkey
```

```
openssl rsa -in server-ssl-private.key -pubout
```

**Step 4:** Run the command below to verify that a valid chain builds from the server certificate through the intermediate to the trusted root. The response must end with '**OK**'. Passing only the root as `-CAfile` fails with 'unable to get local issuer certificate' whenever an intermediate is involved, so the intermediate is supplied with `-untrusted`: it is a link in the chain, not a trust anchor.

```
openssl verify -CAfile trusted-ca-root.crt -untrusted trusted-ca-intermediate-root.crt server-ssl-certificate.crt
```

**OR**, if the intermediate and root are in a single chain file:

```
openssl verify -CAfile trusted-ca-intermediate-and-root-chain.crt server-ssl-certificate.crt
```

**Step 5:** Run the command below to list the certificates in the bundle and confirm their order: the server certificate first, then the intermediate, then the root, with each certificate's issuer equal to the next certificate's subject. The private key is not printed by this command.

```
openssl crl2pkcs7 -nocrl -certfile cfx-ssl-haproxy.pem | openssl pkcs7 -print_certs -noout
```

Refer to the screenshot below for what a correctly ordered chain looks like.

![](https://4260296531-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MAygHzNCQ33zRR43qxF%2F-MUzOKaeK-VD6FFdblvj%2F-MUzReXDqQA2dS2rTDeN%2FScreen%20Shot%202021-03-04%20at%202.53.46%20PM.png?alt=media\&token=0f655b15-aa5d-4f63-b6b9-8564991cac19)

Verify that the private key and the certificate are PEM-encoded (the commands fail with a 'no start line' or ASN.1 error otherwise). `-noout` keeps the private key from being echoed to the terminal, and `-check` additionally validates the RSA key's internal consistency:

```
openssl rsa -inform PEM -in server-ssl-private.key -noout -check
openssl x509 -inform PEM -in server-ssl-certificate.crt -noout -subject
```
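The verification steps above, as an added example that is not part of the CloudFabrix documentation or product: one shell function that runs the Step 1 to Step 5 checks and stops at the first failure. It differs from the page's one-liners in three ways a practitioner will want: the key/certificate comparison uses `openssl pkey`, so it also works for ECDSA keys; expiry is checked with a safety margin (the `MIN_DAYS` variable, assumed to be 30 days); and the chain is verified with the intermediate passed via `-untrusted` together with `-verify_hostname`, which matches the FQDN against the SAN the way browsers do, wildcard names included. File names and the example FQDN are the ones this page uses; the test builds a throwaway root/intermediate/server PKI with `openssl` on the fly.

```shell
#!/usr/bin/env bash
# Added example (not CloudFabrix's own tooling): the pre-installation checks
# from Steps 1-5 as a single function. Requires the openssl command-line tool.

dn() {  # $1 = "subject" or "issuer", $2 = certificate; prints the DN without the "subject="/"issuer=" prefix
  openssl x509 -in "$2" -noout "-$1" 2>/dev/null | sed "s/^$1=//"
}

verify_cert_material() {  # $1 server cert  $2 private key  $3 intermediate CA  $4 root CA  $5 platform FQDN
  local crt=$1 key=$2 int=$3 root=$4 fqdn=$5 k c f
  local min_days=${MIN_DAYS:-30}   # assumption: treat anything expiring within 30 days as a failure

  # Steps 1 and 3: the private key must belong to the certificate (compare public keys; any key type).
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "FAIL: cannot read private key $key" >&2; return 1; }
  c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot read certificate $crt" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "FAIL: private key does not match certificate" >&2; return 1; }

  # Step 2: nothing in the chain may be expired or about to expire (-checkend looks at notAfter).
  for f in "$crt" "$int" "$root"; do
    openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 \
      || { echo "FAIL: $f expires within $min_days days or is already expired" >&2; return 1; }
  done

  # Browsers ignore the CN, so the FQDN must be carried in the SAN extension.
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name' \
    || { echo "FAIL: certificate has no subjectAltName extension" >&2; return 1; }

  # Step 4: chain from leaf through intermediate to root, plus a name match for the FQDN.
  openssl verify -CAfile "$root" -untrusted "$int" -verify_hostname "$fqdn" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: chain or hostname verification failed for $fqdn" >&2; return 1; }

  # Step 5: bundle order is leaf -> intermediate -> root, each issuer equal to the next subject.
  { [ "$(dn issuer "$crt")" = "$(dn subject "$int")" ] && [ "$(dn issuer "$int")" = "$(dn subject "$root")" ]; } \
    || { echo "FAIL: issuer/subject order is not leaf -> intermediate -> root" >&2; return 1; }

  echo "OK: $crt, $key and the CA chain are consistent for $fqdn"
}

# Usage with the file names from this page:
# verify_cert_material server-ssl-certificate.crt server-ssl-private.key \
#     trusted-ca-intermediate-root.crt trusted-ca-root.crt cfx-dimensions.cloudfabrix.io
```

If the CA delivered the intermediate and root in a single chain file, split it into two files first (the intermediate is the certificate whose subject matches the server certificate's issuer); passing the combined file as the trusted root would also mark the intermediate as a trust anchor, which hides a missing or wrong root.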


### CA-signed SSL Certificate Installation for HA Proxy service:

**Step 1:** Change to the HA Proxy service's certificate directory on the cfxDimensions platform machine (`<id>` and `<cfx-platform-ip>` are specific to your deployment).

```
cd /opt/macaw/macaw-platform-<id>/certificates/<cfx-platform-ip>/haproxy
```

**Step 2:** Back up the existing HA Proxy certificate bundle. The backup contains the current private key, so keep it with the same restrictive permissions as the original and delete it once the new certificate has been confirmed working.

```
cp haproxy.pem haproxy.pem.backup
```

**Step 3:** Copy the CA-signed certificate chain bundle (PEM format) into this directory as '**haproxy.pem**', keeping the file readable only by its owner.

```
cp <ssl-cert-path>/cfx-ssl-haproxy.pem haproxy.pem
```

**Step 4:** Restart HA Proxy container

```
docker ps -a | grep haproxy
```

```
docker restart <haproxy-container-id>
```

**Step 5:** Check the HA Proxy container logs after the restart and make sure there are no errors about loading the certificate or the private key; such messages indicate a key/certificate mismatch or a malformed bundle, in which case restore the backup from Step 2 and re-run the verification section above.

```
docker logs -f <haproxy-container-id> --tail 200
```

**Step 6:** Run the '**openssl**' command below to inspect the newly installed certificate as a client sees it. The output must contain '**Verify return code: 0 (ok)**'. `-servername` sends the FQDN via SNI, as browsers do, and redirecting stdin from /dev/null makes the command exit instead of waiting for input. Note that `s_client` validates against the system trust store: if the certificate was issued by an internal CA, add `-CAfile trusted-ca-root.crt`, otherwise the result is 'unable to get local issuer certificate' even when the installation is correct.

```
openssl s_client -connect <cfx-platform-FQDN>:443 -servername <cfx-platform-FQDN> </dev/null
```

**Step 7:** Open a browser (Firefox / Chrome / Safari) and enter the cfxDimensions platform's FQDN to access the UI over HTTPS (port 443). The browser should report the connection as secure, with no certificate warning:

`https://<cfx-platform-fqdn>`
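The installation procedure above (Steps 1 to 7), as an added example that is not part of the CloudFabrix documentation or product: three shell functions that back up the current bundle with a timestamp, install the new one with owner-only permissions via a temporary name so HA Proxy never sees a half-written file, restart the `haproxy` container and check its logs, and confirm what the platform now serves with `s_client`. The directory layout, file names and container name are the ones this page uses; the optional CA file argument is an assumption for deployments using an internal CA.

```shell
#!/usr/bin/env bash
# Added example (not CloudFabrix's own tooling): install a CA-signed bundle
# into the HA Proxy certificate directory, restart the container, verify.

install_haproxy_cert() {  # $1 = new bundle (cfx-ssl-haproxy.pem), $2 = HA Proxy certificate directory
  local src=$1 dir=$2 stamp
  [ -s "$src" ] || { echo "bundle missing or empty: $src" >&2; return 1; }
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  stamp=$(date +%Y%m%d%H%M%S)
  # Step 2: keep the old bundle; it holds a private key, so it stays mode 0600.
  if [ -f "$dir/haproxy.pem" ]; then
    cp -p "$dir/haproxy.pem" "$dir/haproxy.pem.backup-$stamp" \
      && chmod 0600 "$dir/haproxy.pem.backup-$stamp" || return 1
  fi
  # Step 3: write under a temporary name, fix permissions, then rename atomically.
  cp "$src" "$dir/haproxy.pem.new" \
    && chmod 0600 "$dir/haproxy.pem.new" \
    && mv "$dir/haproxy.pem.new" "$dir/haproxy.pem"
}

restart_haproxy() {  # Steps 4 and 5: restart the haproxy container and fail if it is down or logs errors
  local id
  id=$(docker ps -a --filter name=haproxy --format '{{.ID}}' | head -n 1)
  [ -n "$id" ] || { echo "no haproxy container found" >&2; return 1; }
  docker restart "$id" >/dev/null || return 1
  sleep 3
  [ "$(docker inspect -f '{{.State.Running}}' "$id")" = "true" ] \
    || { docker logs --tail 50 "$id"; return 1; }
  if docker logs --tail 200 "$id" 2>&1 | grep -iE 'error|unable to load'; then
    echo "haproxy logged errors after restart" >&2; return 1
  fi
}

verify_served_cert() {  # Step 6: $1 = platform FQDN, $2 = optional CA file (assumption: internal CA deployments)
  local fqdn=$1 ca=${2:-} out
  set -- -connect "$fqdn:443" -servername "$fqdn"
  if [ -n "$ca" ]; then set -- "$@" -CAfile "$ca"; fi
  out=$(openssl s_client "$@" </dev/null 2>/dev/null)
  printf '%s\n' "$out" | grep -E '^(subject|issuer)=' | head -n 2
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
    || { printf '%s\n' "$out" | grep 'Verify return code' >&2; return 1; }
}

# Usage (paths as on this page; <id> and <cfx-platform-ip> are deployment-specific):
# install_haproxy_cert /path/to/cfx-ssl-haproxy.pem \
#     /opt/macaw/macaw-platform-<id>/certificates/<cfx-platform-ip>/haproxy \
#   && restart_haproxy && verify_served_cert cfx-dimensions.cloudfabrix.io
```

If `restart_haproxy` fails, the backup written by `install_haproxy_cert` can be copied back over `haproxy.pem` and the container restarted again to return to the previous certificate.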

## **Appendix:**

### **SSL Certificate Formats and Conversion:**

Certificate authorities (CAs) deliver certificates in several file formats; the most common are .pfx (PKCS#12), .p7b (PKCS#7), .pem, .crt, .cer and .cert. More detail on these formats is available at the following link:

[SSL Certificate file format's explanation](https://comodosslstore.com/resources/a-ssl-certificate-file-extension-explanation-pem-pkcs7-der-and-pkcs12/)

If you need to convert your certificate files to PEM, use the following commands:

* **Convert PFX (PKCS#12) to PEM.** The output file contains the private key (written unencrypted because of `-nodes`) together with the server and CA certificates; split it into the separate files listed under the requirements above and protect it like a private key.

```
openssl pkcs12 -in server-ssl-certificate.pfx -out server-ssl-certificate.pem -nodes
```

* **Convert P7B (PKCS#7) to PEM.** A .p7b file carries certificates only, never the private key, which must be obtained separately.

```
openssl pkcs7 -print_certs -in server-ssl-certificate.p7b -out server-ssl-certificate.pem
```

* **Convert DER to PEM**

```
openssl x509 -inform der -in server-ssl-certificate.cer -out server-ssl-certificate.pem
```

You can use the following commands to check whether your files are already in PEM format (they fail with a 'no start line' or ASN.1 error otherwise). `-noout` keeps the private key from being printed to the terminal:

* **Check and verify that your key is in PEM format**

```
openssl rsa -inform PEM -in server-ssl-private.key -noout -check
```

* **Check and verify that your certificate is in PEM format**

```
openssl x509 -inform PEM -in server-ssl-certificate.pem -noout -subject
```
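The PFX conversion above leaves the key and all certificates in one file, whereas the installation steps expect them as separate files. As an added example that is not part of the CloudFabrix documentation or product, the function below splits such a combined PEM file with awk alone, dropping the `Bag Attributes`, `subject=` and `issuer=` lines that `openssl pkcs12` writes between the blocks and creating the key file with owner-only permissions. The output file names are the ones this page uses; the combined input in the test is a constructed placeholder, not real key material.

```shell
#!/usr/bin/env bash
# Added example (not CloudFabrix's own tooling): split the output of
# `openssl pkcs12 -nodes` into the key and certificate files this page expects.

pem_split() {  # $1 = combined PEM, $2 = output file for the private key, $3 = output file for the certificates
  local in=$1 keyout=$2 crtout=$3
  [ -s "$in" ] || { echo "missing or empty input: $in" >&2; return 1; }
  ( umask 077; : > "$keyout" )   # key file is created owner-readable before anything is written to it
  : > "$crtout"
  # Copy lines only while inside a BEGIN/END block; everything between blocks
  # (PKCS#12 bag attributes, subject/issuer comments) is dropped.
  awk -v keyout="$keyout" -v crtout="$crtout" '
    /^-----BEGIN .*PRIVATE KEY-----$/ { dest = keyout }
    /^-----BEGIN CERTIFICATE-----$/   { dest = crtout }
    dest != ""                        { print >> dest }
    /^-----END /                      { dest = "" }
  ' "$in" || return 1
  grep -q -e '^-----BEGIN .*PRIVATE KEY-----$' "$keyout" \
    || { echo "no private key found in $in" >&2; return 1; }
  echo "wrote $keyout and $crtout ($(grep -c -e '^-----BEGIN CERTIFICATE' "$crtout") certificates)"
}

# Usage with the file names from this page:
# pem_split server-ssl-certificate.pem server-ssl-private.key server-ssl-certificate.crt
```

The certificate order inside a PKCS#12 export is not guaranteed to be server certificate first, so after splitting, confirm the order with the Step 5 command from the verification section before building the HA Proxy bundle.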


### Self Signed SSL Certificate with Custom CA Root:

The **truststore or root store** is the file in which a browser, operating system or application keeps the root certificates of the Certificate Authorities (CAs) it trusts to issue SSL certificates, such as GoDaddy, Verisign, Network Solutions, Comodo and others.

Many enterprises, however, run their own internal CA and issue certificates from a custom CA root for internal use. Such certificates are often loosely called "self-signed", although strictly only the root certificate is self-signed. When an application presents such a certificate, browsers and other SSL clients report a certificate verification error: the custom CA root is not in their root store / truststore, so they cannot establish the authenticity of the certificate or of its issuer.

To resolve this, add the custom CA root certificate (and, if the server does not send it, the intermediate) to the client's root store / truststore so the CA is recognized as trusted. Refer to the documentation of the client (browser, operating system or application) for how to add custom CA root certificates. Distribute only the CA certificates to clients, never the CA's private key.

{% hint style="danger" %}
Note: Consult your internal security team before relying on certificates issued from a custom CA root.
{% endhint %}
