Versions Compared

Old Version 8

changes.mady.by.user Glen Steedman

Saved on

compared with

New Version 9

changes.mady.by.user Glen Steedman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Switch user to root

    • Code Block
      su root

  2. Run the following command to create the CSR request config file

    • Code Block
      nano /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf

    • copy the following content and replace <FQDN>with servername.example.com with the Fully Qualified Domain Name of the server and <EmailAddress> sample@sample.com with an email address.

    • Code Block
      [req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
emailAddress      = <EmailAddress>sample@sample.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN>servername.example.com

  3. Run the following command to generate the CSR

    • Command Syntax

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${FUNCTION}/CN=${FQDN}" \
 -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:somepassword -sha512 -newkey rsa:4096

    • All of the following need to be replaced

      • ${COUNTRY}

      • ${STATE}

      • ${LOCATION}

      • ${ORGANIZATION}

      • ${FUNCTION}

      • ${FQDN}

    • Example

      • Code Block
        openssl req -config /var/opt/yarnlab/yarnman/config/yarnman-ssl.cnf -new -subj "/C=AU/ST=NSW/L=SYDNEY/O=yarnlab/OU=lab/CN=yarnman.test.yarnlab.io" \
 -out /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr -key /var/opt/yarnlab/yarnman/config/ssl-key.pem -passin pass:yarnman -sha512 -newkey rsa:4096

  4. Collect CSR for signing

    1. Option 1- SFTP download from /var/opt/yarnlab/upgrade/

      1. cp /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr /var/opt/yarnlab/yarnman/upgrade/yarnman-ssl.csr

    2. Option 2 - copy content from your ssh terminal to obtain the base64 text

      1. cat /var/opt/yarnlab/yarnman/config/yarnman-ssl.csr

  5. Once signed certificate has been received from CA

    1. Note if the certificate has intermediate CA, Extra steps will be required detailed in the step Configuring Intermediate CA Certificates

  6. rename/move existing SSL public certificate

    • Code Block
      mv /var/opt/yarnlab/yarnman/config/ssl-cert.cert /var/opt/yarnlab/yarnman/config/ssl-cert.cert.bk

  7. Update public certificate

    • Option 1
      upload to /tmp from your sftp program, set/validate correct permission and restart yarnman

      • Code Block
        mv /tmp/certname.something /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/ssl-cert.cert
chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
systemctl restart yarnman

    • Option 2
      use nano to paste the contents of the base64 certificate

      • Code Block
        nano /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ssl-cert.cert
chmod 644 /var/opt/yarnlab/yarnman/config/ssl-cert.cert
systemctl restart yarnman

...

code
Code Block
mkdir /var/opt/yarnlab/yarnman/config/ca

    1-name.crt
    2-name.crt
    3-name.crt

add 
...
 files 
...
 in 
...
 order 
...
 of 
...
 the 
...
 cert 
...
 chain 
...
 so 
...
 the 
...
 files 
...
 in 
...
 the 
...
 directory 
...
 look 
...
 like
...
 Code Block
ls -lh /var/opt/yarnlab/yarnman/config/ca
1-name.crt
2-name.crt
3-name.crt
...
If required to change the owner and group
 Code Block
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca
chown ym-yarnman-app:ym-yarnman-app-gp /var/opt/yarnlab/yarnman/config/ca/*.crt 
...