SSL Certificates Installation
SSL Certificates for secure communication
Last updated
CloudFabrix's cfxDimensions platform is enabled with HTTPS (SSL/443) access by default for secure communication, and self-signed certificates are installed during deployment. For production deployments it is strongly recommended to replace them with CA-signed certificates; the steps below explain how to install them.
The cfxDimensions platform uses the HA Proxy service to manage UI access and incoming traffic (for example, alert notifications) securely over HTTPS (SSL/443), as well as internal application traffic where applicable.
The steps below describe how to install CA-signed SSL certificates for the HA Proxy service.
The cfxDimensions platform's HA Proxy service requires the following CA-signed SSL certificate files in PEM format:
server-ssl-certificate.crt (format: PEM)
server-ssl-private.key
trusted-ca-intermediate-root.crt (format: PEM)
trusted-ca-root.crt (format: PEM)
or, alternatively:
server-ssl-certificate.crt (format: PEM)
server-ssl-private.key
trusted-ca-intermediate-root.crt and trusted-ca-root.crt combined as a chain in a single file (format: PEM)
The SSL server certificate you obtain must match the DNS name / FQDN that resolves to the cfxDimensions platform VM's IP address (this name is also referred to as the Common Name, or CN, within the certificate). Wildcard domain SSL certificates are also supported. Note that modern browsers match the name against the Subject Alternative Name (SAN) extension rather than the CN alone, so the FQDN or wildcard should appear in the SAN list as well. The screen below shows an example of how to check the server certificate's CN using the openssl command. (In this example the cfxDimensions platform's FQDN is cfx-dimensions.cloudfabrix.io and a wildcard domain name (CN) SSL certificate is used.)
Once you have the SSL certificate files listed above, create an SSL certificate chain by concatenating them into a single file in PEM format.
The diagram below shows a valid CA-signed SSL certificate chain for reference.
Run the command below to create a valid SSL certificate chain (the supported format is PEM).
or, alternatively:
The consolidated SSL certificate chain is saved to the file 'cfx-ssl-haproxy.pem', which is applied to the HA Proxy configuration later in this document. The filename is used here for reference only.
Note: the openssl tool is a prerequisite for performing the SSL certificate validation checks below.
Step 1: Run the commands below to verify that the server's SSL certificate and private key belong together. The output of the two commands should match exactly.
Step 2: Run the commands below to verify that the validity dates of the server's SSL certificate and of the intermediate and root certificates (the chain) are current and that none of them has expired.
Step 3: Run the commands below to verify that the public key contained in the private key file and the public key in the server certificate are the same. The output of the two commands should match.
Step 4: Run the command below to verify the validity of the certificate chain. The response should be 'OK'.
or, alternatively:
Step 5: Run the command below to display the SSL certificate chain and verify that its order is correct.
Refer to the screenshot below for how to validate the SSL certificate chain order.
Verify that the SSL certificate and key are in PEM format
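The chain-assembly step and the five checks above, as an added shell example that is not part of the CloudFabrix documentation. It assumes openssl is installed, generates a throw-away test CA and a wildcard server certificate for '*.example.com' (both constructed for the demo), and uses the file names from this page.

```shell
# Added example (not from the cfxDimensions docs): build the consolidated PEM chain
# and run the five pre-installation checks with openssl. File names follow the page;
# the test CA and the CN "*.example.com" are constructed for this demo.
set -e

gen_test_pki() {                     # constructed PKI: root CA -> intermediate CA -> server cert
  d=$1; mkdir -p "$d"; cd "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Test Root CA' \
    -keyout root.key -out trusted-ca-root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -days 3650 -in int.csr -CA trusted-ca-root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out trusted-ca-intermediate-root.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
    -keyout server-ssl-private.key -out server.csr 2>/dev/null
  openssl x509 -req -days 365 -in server.csr -CA trusted-ca-intermediate-root.crt \
    -CAkey int.key -CAcreateserial -out server-ssl-certificate.crt 2>/dev/null
  cd - >/dev/null
}
# Step 1: certificate and private key must carry the same RSA modulus.
modulus_match() {
  [ "$(openssl x509 -noout -modulus -in "$1" | openssl md5)" = \
    "$(openssl rsa -noout -modulus -in "$2" | openssl md5)" ]
}
# Step 2: no certificate in the chain may be expired (-checkend 0 = valid right now).
not_expired() { for f in "$@"; do openssl x509 -noout -checkend 0 -in "$f" >/dev/null || return 1; done; }
# Step 3: the public key derived from the private key equals the one in the certificate.
pubkey_match() { [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]; }
# Step 4: the leaf validates through the intermediate up to the trusted root ("<file>: OK").
chain_valid() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null; }
# Consolidated file: leaf, intermediate, root, then the private key (HAProxy reads it from the same PEM).
build_chain() { cat "$1" "$2" "$3" "$4" > "$5"; }
# Step 5: certificates appear leaf-first and each issuer is the next certificate's subject.
chain_order_ok() {
  t=$(mktemp); awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$1" > "$t"
  openssl crl2pkcs7 -nocrl -certfile "$t" | openssl pkcs7 -print_certs -noout \
    | awk '/^subject=/{sub(/^subject=/,"");s[n]=$0} /^issuer=/{sub(/^issuer=/,"");i[n++]=$0}
           END{if(n<2)exit 1; for(k=0;k<n-1;k++) if(i[k]!=s[k+1]) exit 1}'
  r=$?; rm -f "$t"; return $r
}
run_checks() {                       # $1 = directory holding the four input files
  cd "$1" || return 1
  C=server-ssl-certificate.crt; K=server-ssl-private.key; I=trusted-ca-intermediate-root.crt; R=trusted-ca-root.crt
  modulus_match $C $K && not_expired $C $I $R && pubkey_match $C $K && chain_valid $C $I $R &&
  build_chain $C $I $R $K cfx-ssl-haproxy.pem && chain_order_ok cfx-ssl-haproxy.pem; r=$?
  cd - >/dev/null; return $r
}
```

With real CA-issued files, skip gen_test_pki and call run_checks on the directory that holds them; a non-zero exit pinpoints which check failed.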
Step 1: Go to the HA Proxy service's certificates path on the cfxDimensions platform machine.
Step 2: Take a backup of the existing HA Proxy service SSL certificate.
Step 3: Copy the CA-signed SSL certificate chain file (in PEM format) to this location as 'haproxy.pem'.
Step 4: Restart the HA Proxy container.
Step 5: Check the HA Proxy service logs to make sure there are no errors after installing the CA-signed SSL server certificate chain file.
Step 6: Run the 'openssl' command below to verify the newly installed SSL certificate and confirm that SSL verification is reported as 'OK' without any validation failures.
Step 7: Open a web browser (Firefox / Chrome / Safari) and enter the cfxDimensions platform's FQDN to access the UI securely over HTTPS (port 443).
https://<cfx-platform-fqdn>
SSL certificate files come in different formats; the most common ones that CAs (Certificate Authorities) deliver include .pfx, .p7b, .pem, .crt, .cer and .cert. You can find more details about these certificate formats at the following link:
SSL Certificate file format's explanation
If you need to convert the format of your SSL certificate files to PEM, use the following commands:
Convert PFX to PEM
Convert P7B to PEM
Convert DER to PEM
You can use the following commands to check whether your certificate files are already in the required format:
Check and verify if your key is in PEM format
Check and verify if your certificate is in PEM format
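The three conversions and the two PEM checks above, as an added shell example that is not part of the CloudFabrix documentation. It assumes openssl is installed; the self-signed '*.example.com' certificate, its key and the PFX password are constructed for the demo.

```shell
# Added example (not from the cfxDimensions docs): convert a certificate from PFX,
# P7B and DER back to PEM with openssl and confirm the result with the PEM checks
# described on the page. The self-signed "*.example.com" pair and the password are constructed.
set -e

make_test_pair() {                     # constructed input: $1 = key out, $2 = cert out
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=*.example.com' \
    -keyout "$1" -out "$2" 2>/dev/null
}
# PEM checks: the textual header must be present and openssl must parse the file as PEM.
is_pem_key()  { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" && openssl pkey -inform PEM -in "$1" -noout 2>/dev/null; }
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -inform PEM -in "$1" -noout 2>/dev/null; }
# PFX (PKCS#12) -> PEM: the bundle holds key and certificates; extract them into separate files.
pfx_to_pem() {                         # $1 pfx  $2 password  $3 cert out  $4 key out
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}
# P7B (PKCS#7) -> PEM: the bundle carries certificates only, never the private key.
p7b_to_pem() { openssl pkcs7 -print_certs -in "$1" -out "$2"; }
# DER -> PEM: the same X.509 object as base64 text with header lines instead of raw binary.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }
# Two files hold the same certificate when their fingerprints agree.
same_cert() { [ "$(openssl x509 -noout -fingerprint -in "$1")" = "$(openssl x509 -noout -fingerprint -in "$2")" ]; }

roundtrip_ok() {                       # $1 = scratch directory; builds PFX/P7B/DER and converts back
  cd "$1" || return 1
  make_test_pair key.pem cert.pem &&
  openssl pkcs12 -export -inkey key.pem -in cert.pem -passout pass:demo -out cert.pfx 2>/dev/null &&
  openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b &&
  openssl x509 -in cert.pem -outform DER -out cert.der &&
  pfx_to_pem cert.pfx demo from_pfx.crt from_pfx.key &&
  p7b_to_pem cert.p7b from_p7b.crt && der_to_pem cert.der from_der.crt &&
  is_pem_key from_pfx.key && is_pem_cert from_pfx.crt && is_pem_cert from_p7b.crt &&
  is_pem_cert from_der.crt && same_cert cert.pem from_pfx.crt && same_cert cert.pem from_p7b.crt &&
  same_cert cert.pem from_der.crt && ! is_pem_cert cert.der; r=$?
  cd - >/dev/null; return $r
}
```

For files delivered by a CA, call the matching *_to_pem function directly and then is_pem_cert / is_pem_key on the output before building the chain.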
The truststore or root store is a file that contains the root certificates of the Certificate Authorities (CAs) that issue SSL certificates, such as GoDaddy, Verisign, Network Solutions, Comodo and others. Internet browsers, operating systems and applications include a list of authorized SSL certificate authorities in their root store or truststore file.
However, many enterprises use custom CA root certificates to sign and validate SSL certificates for internal use. In that scenario, when an application is accessed through a browser or another SSL client, an SSL certificate verification error may be observed, because neither the browser nor the SSL client has the custom CA root certificate in its root store / truststore and therefore cannot establish the authenticity of the application's SSL certificate and its issuer (CA).
To resolve this, update the client's root store / truststore with the custom CA root and intermediate certificates so that the client recognizes them as a valid and trusted Certificate Authority (CA). Refer to the client's (web browser or application) documentation for how to add custom CA root certificates to its root store / truststore.
Note: Please take guidance from your internal security team when using self-signed SSL certificates with custom CA root certificates.