Requesting and Configuring New SSL Certificates


New SSL certificates need to be requested and configured in SenSage AP components because the old ones have expired, or to address the following alerts showing up in vulnerability scans:

    • SSL Certificate with Wrong Hostname
    • SSL Certificate Expiry
    • SSL Self-Signed Certificate
    • SSL Certificate Chain Contains RSA Keys Less Than 2048 bits


The vulnerabilities above can be fixed by updating your SSL certificates. Replace the outdated and expired certificates by requesting new ones from a known CA that are correctly configured for all valid hostnames.

Request a new certificate

Request a new SSL certificate for the server hostname from a CA (Certificate Authority), either your own internal CA or a public CA such as GoDaddy or DigiCert, in Personal Information Exchange (.PFX) format.

You can also buy a single SSL certificate that covers multiple URLs or hostnames. To make the certificate valid for multiple hostnames, add those hostnames to the Subject Alternative Name when requesting it.

Copy the certificate file to the server and move it into a working directory (for example /root/cert).


Extract private key and public certificate

For SSL certificates issued in a .PFX file, extract the private key and public certificate.

  • Enter the following command to extract the private key from the p12 file:
openssl pkcs12 -in <filename>.pfx -nocerts -out ssl.key

Note: Use the same password to encrypt the private key.

  • Enter the following commands to extract the public certificate and the certificate chain from the p12 file:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out ssl.crt

openssl pkcs12 -in <filename>.pfx -cacerts -nokeys -out sslca.crt
  • Combine the cacerts and the clcerts:
cat ssl.crt > new.crt

cat sslca.crt >> new.crt
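
The shell functions below are an added example, not part of the vendor procedure: they check the extracted ssl.crt and ssl.key against the scan findings listed at the top of this article before the files are deployed. The function names and the 30-day expiry window are assumptions, and only the server certificate is checked, not the chain in sslca.crt.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the extracted ssl.crt / ssl.key.
# Usage: sh check_cert.sh ssl.crt ssl.key <hostname>

# Bit length of the certificate's RSA public key (empty output for non-RSA keys).
rsa_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/rsaEncryption/,/bit)/s/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when issuer and subject are the same name (self-signed certificate).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the private key belongs to the certificate.
# openssl prompts for the passphrase if the key file is encrypted.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    [ "$cert_pub" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Print one line per finding; return non-zero if anything was found.
audit_cert() {
    cert=$1 key=$2 host=$3 findings=0
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' ||
        { echo "SSL Certificate with Wrong Hostname: $host"; findings=1; }
    # 2592000 seconds = 30 days (assumed renewal window)
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
        { echo "SSL Certificate Expiry: expired or expires within 30 days"; findings=1; }
    if is_self_signed "$cert"; then
        echo "SSL Self-Signed Certificate"; findings=1
    fi
    bits=$(rsa_key_bits "$cert")
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "RSA key is only $bits bits (less than 2048)"; findings=1
    fi
    key_matches_cert "$cert" "$key" ||
        { echo "Private key does not match certificate"; findings=1; }
    return "$findings"
}

# Run the audit only when called with certificate, key and hostname.
if [ "$#" -eq 3 ]; then audit_cert "$@"; fi
```

No output and exit status 0 mean none of the checks found a problem.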


Configure new certificates in components

Once you have acquired and extracted the needed files, you can configure or replace the same certificates in all the different components (Analyzer, Ambari, Postgres, and Apache) by following these articles:

Note: You only have to request the new certificates once, and the same ones can be used in all components.


