Kevin,
Here are my notes from another implementation, hope they help.
Generating / Submitting CSR
1. Create private key
SSH to web server / UI
Run: openssl genrsa -out <FQDN HOSTNAME>.key.pem 2048
Run: chmod 0600 <FQDN HOSTNAME>.key.pem
2. Create a <FQDN HOSTNAME>.conf file with contents as follows:
[ req ]
default_bits = 2048
default_keyfile = <FQDN HOSTNAME>.key.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Minnesota
localityName = Locality Name (eg, city)
localityName_default = <LOCALITY>
organizationName = Organization Name (eg, company)
organizationName_default = <ORG NAME>
commonName = Common Name (e.g. hostname)
commonName_default = <FQDN HOSTNAME>
commonName_max = 64
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN HOSTNAME>
DNS.2 = <SHORT HOSTNAME>
DNS.3 = netwitness.uhc.com
DNS.4 = netwitness
3. Create CSR
openssl req -new -out <FQDN HOSTNAME>.csr -key <FQDN HOSTNAME>.key.pem -config <FQDN HOSTNAME>.conf -sha256
4. Validate CSR
openssl req -text -noout -in <FQDN HOSTNAME>.csr
5. Submit CSR
Run: cat <FQDN HOSTNAME>.csr <- then copy the contents of the Base64 encoded file to your CSR submission entry box in Venafi or relevant Cert Issuer. Validate that the Cert Issuer has checked/approved the entries i.e. common name, organization etc...
Apply Certificate
1. Download the cert from the download section in Venafi or Cert Issuer. Ensure you download 2 version of it, one with the root chain and one without. The root chain entry will have a .pem extension and the one without the root chain will have a .cer extension i.e. this will be your web cert.
2. Rename your local copy of the .cer file to web-server-cert.pem
3. Compare the .cer and .pem local PC files and ensure from the .pem file, you remove the contents that are in the .cer file. Effectively, you want to have a file that ONLY has the root chain and not the contents of your cert. Name this file: web-server-cert.chain. Sample command below:
Run: openssl crl2pkcs7 -nocrl -certfile /root/web-server-cert.pem -out web-server-cert.p7b -certfile web-server-cert.chain
4. SCP web-server-cert.pem and web-server-cert.chain to /root on UI/Web Server
5. SSH to your UI
6. Make a backup of the existing (default) certs
Run: mkdir /etc/pki/nw/web/default && mv /etc/pki/nw/web/web-server* /etc/pki/nw/web/default/
Validate, run: ls -l /etc/pki/nw/web && ls -l /etc/pki/nw/web/default/
7. Copy key file to the proper name
Run: cp /root/<FQDN HOSTNAME>.key.pem /root/web-server-key.pem
8. Now convert the cert to p7b file
Run: openssl crl2pkcs7 -nocrl -certfile /root/web-server-cert.pem -out web-server-cert.p7b -certfile web-server-cert.chain
9. Run: ls -l /root/web-server-* and validate you have the following files:
web-server-cert.pem
web-server-cert.chain
web-server-cert.p7b
web-server-key.pem
10. Copy these 2 files to the NGINX location
Run: cp web-server-cert.pem web-server-cert.chain web-server-cert.p7b web-server-key.pem /etc/pki/nw/web/
11. Restart NGINX service:
service nginx restart
12. Validate by navigating to https://<FQDN HOSTNAME>, validate the cert. If correct, then backup the files with the next final step.
13. Backup the working files
Run: mkdir /etc/pki/nw/web/working && cp /etc/pki/nw/web/web-server-* /etc/pki/nw/web/working/
REFERENCE NOTES:
PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the ‘—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements.
Several PEM certificates and even the Private key can be included in one file, one below the other. But most platforms(eg:- Apache) expects the certificates and Private key to be in separate files.
> They are Base64 encoded ACSII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers uses PEM format certificates
DER Format
It is a Binary form of ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format
> They are Binary format files
> They have extensions .cer & .der
> DER is typically used in Java platform
P7B/PKCS#7
They contain “—–BEGIN PKCS—–” & “—–END PKCS7—–” statements. It can contain only Certificates & Chain certificates but not the Private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms supports it. eg:- Windows OS, Java Tomcat
PFX/PKCS#12
They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.
> They are Binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys
Converting Certificates between different Formats
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
NOTE: While converting PFX to PEM format, openssl will put all the Certificates and Private Key into a single file. You will need to open the file in Text editor and copy each Certificate & Private key(including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer, privateKey.key respectively.
