New SSL certificates need to be requested and configured in SenSage AP components because the old ones have expired, or to address the following alerts showing up in vulnerability scans:
- SSL Certificate with Wrong Hostname
- SSL Certificate Expiry
- SSL Self-Signed Certificate
- SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
The vulnerabilities above can be fixed by updating your SSL certificates. Replace the outdated and expired certificates by requesting new ones, correctly configured for all valid hostnames, from a known certificate authority (CA).
Request a new certificate
Request a new SSL certificate for the server hostname from a CA (Certificate Authority), either your own internal CA or a public CA like GoDaddy, DigiCert, etc., in personal exchange (.PFX) format.
You can buy one SSL certificate for multiple URLs or hostnames too. If you want the SSL cert to be valid for multiple hostnames, you just need to add the hostnames to the Subject Alternative Name when requesting a new cert.
Copy the certificate file to the server and move it into a working directory (for example /root/cert).
Extract private key and public certificate
For SSL certificates issued in a .PFX file, extract the private key and public certificate.
- Enter the following command to extract the private key from the p12 (.pfx) file, replacing <filename> with the name of your certificate file:
openssl pkcs12 -in <filename>.pfx -nocerts -out ssl.key
Note: Use the same password to encrypt the private key.
- Enter the following commands to extract the public certificate and the certificate chain from the p12 (.pfx) file:
openssl pkcs12 -in <filename>.pfx -clcerts -nokeys -out ssl.crt
openssl pkcs12 -in <filename>.pfx -cacerts -nokeys -out sslca.crt
- Combine the clcerts (ssl.crt) and the cacerts (sslca.crt) into a single file:
cat ssl.crt > new.crt
cat sslca.crt >> new.crt
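Before installing the files, you can check them against the scan findings listed at the top of this article. The script below is an added example, not part of the SenSage AP tooling; the function name check_cert, the script name and the 30-day expiry margin are assumptions. It inspects only the first certificate in the file (the server certificate in new.crt).

```shell
#!/bin/sh
# Added example: check an extracted certificate against the scan findings.
# Usage: sh check_cert.sh new.crt <hostname> [ssl.key]
check_cert() {
    cert=$1; host=$2; key=${3:-}; rc=0
    # Helper: query the first certificate in the file, printing nothing else
    _x509() { openssl x509 -in "$cert" -noout "$@" 2>/dev/null; }

    # SSL Certificate Expiry (30-day margin is an assumed threshold)
    if _x509 -checkend 2592000 >/dev/null; then echo "OK   expiry"
    else echo "FAIL expiry: expired or expires within 30 days"; rc=1; fi

    # SSL Certificate with Wrong Hostname (Subject Alternative Name, then CN)
    if _x509 -checkhost "$host" | grep -q "does match"; then echo "OK   hostname"
    else echo "FAIL hostname: $host is not covered by the certificate"; rc=1; fi

    # SSL Self-Signed Certificate (subject equals issuer)
    if [ "$(_x509 -subject_hash)" != "$(_x509 -issuer_hash)" ]; then echo "OK   issuer"
    else echo "FAIL self-signed: subject and issuer are identical"; rc=1; fi

    # RSA Keys Less Than 2048 bits (non-RSA keys are not judged by this rule)
    text=$(_x509 -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q "Public Key Algorithm: rsaEncryption" \
        && [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL key size: RSA key is ${bits:-0} bits"; rc=1
    else echo "OK   key size"; fi

    # The private key must belong to the certificate (prompts if the key is encrypted)
    if [ -n "$key" ]; then
        pub=$(_x509 -pubkey)
        if [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
        then echo "OK   key matches certificate"
        else echo "FAIL key mismatch: $key does not belong to $cert"; rc=1; fi
    fi
    return $rc
}

# Run only when called with arguments, e.g.: sh check_cert.sh new.crt <hostname> ssl.key
if [ "$#" -ge 2 ]; then check_cert "$@"; fi
```

The script exits non-zero if any check fails, so it can gate the component updates that follow.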
Configure new certificates in components
Once you have acquired and extracted the needed files, you can configure or replace the same certificates in all the different components (Analyzer, Ambari, Postgres, and Apache) by following these articles:
- Replacing SSL Certificate in Analyzer
- Replacing SSL Certificate in Ambari
- Replacing SSL Certificate in Postgres
- Replacing SSL Certificate in Apache/httpd
Note: You only have to request the new certificates once, and the same ones can be used in all components.