---

copyright:
  years: 2018, 2024

lastupdated: "2024-07-17"

keywords:

subcollection: cis

---
{{site.data.keyword.attribute-definition-list}}

# Managing origin certificates
{: #cis-origin-certificates}

Origin certificates are free TLS certificates, issued by {{site.data.keyword.cis_full}}, that encrypt traffic between your origin server and your users. Order free TLS certificates to install on your origin server.
{: shortdesc}

{{site.data.keyword.cis_short_notm}} origin certificates are only valid for use in CIS.
{: note}

## Ordering an origin certificate
{: #cis-origin-certificates-ordering}

To order an origin certificate, provide a Certificate Signing Request (CSR) or select a private key type for {{site.data.keyword.cis_short_notm}} to generate a key and CSR.

Specify up to 100 hostnames (including wildcards) on your origin that the certificate protects. A wildcard covers only one label level. For broader coverage, put multiple wildcards on the same certificate (for example, `*.yourdomain.com` and `*.yoursubdomain.yourdomain.com`). {{site.data.keyword.cis_short_notm}} origin certificates do not permit IP addresses.

Specify the expiration. The default certificate expiration is 15 years; the shortest expiration is seven days.

The private key is available only immediately after you order the certificate, and only if the private key and CSR were generated by {{site.data.keyword.cis_short_notm}}. Save it at that point; it is not shown again.
{: important}

## Installing an origin certificate on your server
{: #cis-origin-certificates-installing}

### Apache HTTPD
{: #cis-origin-cert-install-apache-httpd}

  1. Order an origin certificate.

  2. Copy the private key and origin certificate in PEM format into separate files in the directory on your server where you keep your key and certificate files.

  3. Locate your Apache configuration file. Typically, the file is named `httpd.conf` or `apache2.conf` and is located in `/etc/httpd/` or `/etc/apache2/`. However, your configuration file might vary, especially if you use a special interface to manage your server. Refer to Apache's DistrosDefaultLayout{: external} for a complete list of default installation layouts. The following command is one way to search for the SSL configuration file on Linux.

    ```sh
    grep -i -r "SSLCertificateFile" /etc/httpd/
    ```
    {: pre}

  4. Locate the `<VirtualHost>` block to configure. Optionally, copy the existing non-secure virtual host so that your site is available through both HTTP and HTTPS, because each type of connection requires its own virtual host.

  5. Configure the `<VirtualHost>` block for SSL. The following example represents a simple configuration for SSL. Use the filenames for your certificate and private key: `SSLCertificateFile` is your origin CA certificate filename and `SSLCertificateKeyFile` is your origin CA private key filename.

    ```
    <VirtualHost 192.168.0.1:443>
      DocumentRoot             /var/www/html2
      ServerName               www.mydomain.com
      SSLEngine                on
      SSLCertificateFile       /path/to/your_domain_name.crt
      SSLCertificateKeyFile    /path/to/your_private.key
    </VirtualHost>
    ```
    {: codeblock}

  6. Test your configuration. Before you restart Apache, verify that your configuration files have no errors. Run the following command to test your configuration.

    ```sh
    apachectl configtest
    ```
    {: pre}

  7. Restart Apache. Run the following commands to restart Apache with SSL support.

    ```sh
    apachectl stop
    apachectl start
    ```
    {: pre}

If SSL support does not load when you start Apache, run `apachectl startssl`. If Apache starts with SSL support only when you use `apachectl startssl`, adjust the Apache startup configuration so that `apachectl start` includes SSL support. Otherwise, if the server reboots, you might be required to restart Apache manually with `apachectl startssl`. This adjustment typically involves removing the `<IfDefine SSL>` and `</IfDefine SSL>` tags that enclose your configuration.
{: note}
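Before you copy the files into place (step 2) and reference them from the `<VirtualHost>` block (step 5), it is worth confirming three things: that the private key actually matches the certificate, that the certificate covers every hostname you intend to serve (the one-label wildcard rule from the ordering section applies here), and that it is not about to expire. The following shell script is an added example written for this page, not code from the IBM Cloud documentation or from the CIS service. It relies only on the `openssl` CLI; the self-signed certificate it generates, and all file names and hostnames in it, are constructed for the demonstration and stand in for the PEM files you download from CIS.

```shell
#!/bin/sh
# Added example, not code from the IBM Cloud CIS documentation: pre-install
# checks for an origin certificate and its private key, using only the
# openssl CLI. The certificate generated at the bottom is constructed so the
# checks can run offline; with a real origin certificate, point the functions
# at the PEM files you downloaded from CIS.

# cert_key_match CERT KEY: succeed only if the public key embedded in CERT is
# the same as the public key derived from KEY (works for RSA and EC keys).
cert_key_match() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# cert_san_dns CERT: print the DNS names from the Subject Alternative Name
# extension, one per line.
cert_san_dns() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# name_matches SAN HOST: exact match, or a wildcard SAN that covers exactly
# one label (the same one-level rule the ordering section describes).
name_matches() {
  case "$1" in
    \*.*)
      suffix="${1#\*.}"       # *.example.com  -> example.com
      first="${2%%.*}"        # www.example.com -> www
      rest="${2#*.}"          # www.example.com -> example.com
      [ "$rest" = "$suffix" ] && [ "$2" != "$rest" ] && [ -n "$first" ]
      ;;
    *) [ "$1" = "$2" ] ;;
  esac
}

# cert_covers_host CERT HOST: succeed if any SAN entry covers HOST.
cert_covers_host() {
  c_file=$1 c_host=$2 found=1
  set -f   # keep the '*' in wildcard names from being glob-expanded
  for san in $(cert_san_dns "$c_file"); do
    if name_matches "$san" "$c_host"; then found=0; break; fi
  done
  set +f
  return $found
}

# cert_valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_origin_cert CERT KEY HOST...: run every check and print a report;
# exit status is 0 only if all checks pass.
check_origin_cert() {
  cert=$1; key=$2; shift 2; status=0
  if cert_key_match "$cert" "$key"; then echo "ok    private key matches certificate"
  else echo "FAIL  private key does not match certificate"; status=1; fi
  if cert_valid_for_days "$cert" 7; then echo "ok    valid for at least 7 more days"
  else echo "FAIL  certificate expires within 7 days"; status=1; fi
  for h in "$@"; do
    if cert_covers_host "$cert" "$h"; then echo "ok    covers $h"
    else echo "FAIL  does not cover $h (a wildcard matches one label only)"; status=1; fi
  done
  return $status
}

# --- Constructed input: a self-signed certificate standing in for a CIS
# origin certificate (not a real CIS-issued certificate). ---
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com,DNS:*.example.com" \
  -keyout "$DEMO_DIR/origin.key" -out "$DEMO_DIR/origin.crt" 2>/dev/null
# An unrelated key, to show what a key/certificate mismatch looks like.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$DEMO_DIR/other.key" 2>/dev/null

# deep.api.example.com is two labels below the wildcard, so it must fail.
check_origin_cert "$DEMO_DIR/origin.crt" "$DEMO_DIR/origin.key" \
  www.example.com api.example.com deep.api.example.com \
  || echo "some checks failed; fix them before restarting the web server"
```

Against a real origin certificate, call `check_origin_cert` with the PEM files from CIS and the `ServerName` values from your virtual hosts; a non-zero exit status means something needs fixing before you restart Apache. The same checks apply unchanged to the NGINX files in the next section.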

### NGINX
{: #cis-origin-cert-install-nginx}

  1. Order an origin certificate.

  2. Copy the private key and origin certificate in PEM format into separate files in the directory on your server where you keep key and certificate files.

  3. Update your NGINX virtual hosts file. Edit the NGINX virtual host file for your website. The following example represents a server block for SSL support. Enable the `ssl` parameter on the listening socket for port 443 so that your site is available through both HTTP and HTTPS.

    ```
    server {
      listen    80;
      listen    443 ssl;

      ssl_certificate         /path/to/your_certificate.pem;
      ssl_certificate_key     /path/to/your_private.key;
      location / {
        root    /home/www/public_html/yourdomain.com/public/;
        index   index.html;
      }
    }
    ```
    {: codeblock}

  4. Restart NGINX. Run one of the following commands to restart NGINX.

    ```sh
    sudo /etc/init.d/nginx restart
    sudo systemctl restart nginx
    ```
    {: pre}

### Apache Tomcat
{: #cis-origin-cert-install-apache-tomcat}

  1. Order an origin certificate.

  2. Copy the private key and origin certificate in PKCS #7 format (`cert.p7b`) into separate files in the directory on your server where you keep key and certificate files.

    You must install the SSL certificate file into the same keystore and under the same alias name (for example, "server") that you used to generate your CSR. The installation in the next step does not work if the SSL certificate file is installed into a different keystore.
    {: note}

  3. Install the certificate. Run the following command to install the SSL certificate file into your keystore.

    ```sh
    keytool -import -trustcacerts -alias server -file cert.p7b -keystore your_site_name.jks
    ```
    {: pre}

    A confirmation message appears: "Certificate reply was installed in keystore." Enter `y` or `yes` if asked to trust the certificate. Your keystore file (`your_site_name.jks`) is now ready to use on your Tomcat server.

  4. Configure your SSL connector. Configure an SSL connector so that Tomcat can accept secure connections.

    1. Open the Tomcat `server.xml` file in a text editor. The `server.xml` file is typically located in the `conf` folder of your Tomcat home directory.
    2. Identify the connector to use to secure the new keystore. A connector on port 443 or 8443 is typically used.
    3. Remove any comment tags that might surround the connector.
    4. Update the connector configuration with the correct keystore filename and password.

    The following example represents a configured SSL Connector block.

    ```xml
    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https"
    secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
    keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks"
    keystorePass="your_keystore_password" />
    ```
    {: codeblock}

    If your Tomcat version is earlier than Tomcat 7, change `keystorePass` to `keypass`.
    {: note}

  5. Save your `server.xml` file.

  6. Restart Tomcat.

### Microsoft Internet Information Services (IIS) 7.0
{: #cis-origin-cert-install-ms-iis7}

  1. Create a CSR in IIS Manager and export it as `.pem`. IIS Manager is located under Administrative Tools.

  2. Order a {{site.data.keyword.cis_short_notm}} origin certificate using your CSR.

  3. Copy the origin certificate to the desktop of your server.

  4. Open IIS Manager and select your server's hostname under Connections.

  5. Select Server Certificates from the IIS section in the center menu.

  6. Select the action Complete Certificate Request from the Actions menu. On the Specify Certificate Authority Response page, under File name containing the certification authority's response, click ... to browse to the `.cer` certificate file that you copied to the desktop, select the file, and click Open.

  7. Enter a friendly name for the certificate. The friendly name identifies the certificate.

  8. Select OK to finish the certificate installation to your server.

  9. Bind the certificate to your website. Select your website by expanding Sites under your server's name in the Connections menu of IIS Manager. Select Bindings under Edit Site from the Actions menu. Select Add from the Site Bindings window and submit the following information.

    ```
    Type              https
    IP Address        All Unassigned
    Port              443
    SSL Certificate   your_cert_friendly_name
    ```
    {: codeblock}

  10. Your website is now configured to accept secure connections.

### Microsoft Internet Information Services (IIS) 8.0 and 8.5
{: #cis-origin-cert-install-ms-iis8-8.5}

  1. Create a CSR in IIS Manager and export it as `.pem`. IIS Manager is located under Administrative Tools.

  2. Order a {{site.data.keyword.cis_short_notm}} origin certificate using your CSR.

  3. Copy the origin certificate to the desktop of your server.

  4. Open IIS Manager and select your server's hostname under Connections.

  5. Select Server Certificates from the IIS section in the center menu.

  6. Select the action Complete Certificate Request from the Actions menu. On the Specify Certificate Authority Response page, under File name containing the certification authority's response, click ... to browse to the `.cer` certificate file that you copied to the desktop, select the file, and click Open.

  7. Enter a friendly name for the certificate. The friendly name identifies the certificate.

  8. Select OK to finish the certificate installation to your server.

  9. Bind the certificate to your website. Select your website by expanding Sites under your server's name in the Connections menu of IIS Manager. Select Bindings under Edit Site from the Actions menu. Select Add from the Site Bindings window and submit the following information.

    ```
    Type              https
    IP Address        All Unassigned
    Port              443
    SSL Certificate   your_cert_friendly_name
    ```
    {: codeblock}

  10. Optionally, configure your SSL certificate to use Server Name Indication (SNI) if multiple sites that use SSL are bound to the same IP address. Select the Require Server Name Indication box.

  11. Your website is now configured to accept secure connections.

## Certificate chains
{: #certificate-chains}

Some origin web servers require you to upload the certificate chain as well. Use these links to download either the ECC{: external} or the RSA{: external} version, matching the key type of your origin certificate, and then upload the certificate chain to your origin web server.

## Revoking an origin certificate
{: #cis-origin-certificates-revoke}

To revoke an origin certificate, delete it from {{site.data.keyword.cis_short_notm}}. This process cannot be undone.