Creating a real SSL server certificate using an external certificate officially signed by an external third party for the Apache Server (.PEM)

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    ProactiveNet Performance Management Suite


    COMPONENT:

    BPPM Application Server


    APPLIES TO:

    BMC ProactiveNet Performance Management Suite 9.x



    PROBLEM:


    Creating a real SSL server certificate using an external certificate officially signed by an external third party for the Apache Server (.PEM)





    SOLUTION:

    Legacy ID: KA375990


    Perform the following procedure to create a real/valid SSL server certificate using an external certificate officially signed by an external third party for the Apache Server (.PEM).

    1) Create the RSA private key for your Apache server.
    - This will be Triple-DES encrypted and PEM formatted:
    $ /usr/pw/apache/bin/openssl genrsa -des3 -out server.key 1024

    The private key size for SSL must be either 512 or 1024 bits, for compatibility with certain Web browsers. A key size of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit.
    Back up the server.key file in a secure location and remember the pass-phrase you entered.

    2) Create a Certificate Signing Request (CSR) with the server RSA private key.
    - This output will be PEM formatted:
    $ /usr/pw/apache/bin/openssl req -new -key server.key -out server.csr

    You will need to enter specific information about the certificate, including Country, State, City, Organization, and Common Name. The most important field is Common Name: it must match the DNS name that customers will use to access your web server.

    Ensure that you enter the FQDN (Fully Qualified Domain Name) of the server when OpenSSL prompts you for the 'CommonName', i.e. when you generate a CSR for a Web site that will later be accessed via https://www.foo.dom/, enter 'www.foo.dom' here.

    3) Now send server.csr (the Certificate Signing Request) to a Certificate Authority (CA) for signing.

    4) The CA will send you back the server.crt file.

    5) Place the new files in the appropriate directory:
    Unix:
    server.key in /usr/pw/apache/conf/ssl.key/
    server.crt in /usr/pw/apache/conf/ssl.crt/

    Windows:
    Place both files in:
    ~\pw\ApacheGroup\Apache\conf\

    6) Open the httpd-ssl.conf file:
    Unix:
    ~/pw/apache/conf/httpd-ssl.conf
    Windows:
    ~\pw\ApacheGroup\Apache\conf\httpd-ssl.conf

    Change the entries below to point to the location of your server.crt and server.key files:
    SSLCertificateFile
    SSLCertificateKeyFile

    Example:
    Unix:
    SSLCertificateFile /usr/pw/apache/conf/server.crt
    SSLCertificateKeyFile /usr/pw/apache/conf/server.key

    Windows:
    SSLCertificateFile "D:\BMCSoftware\ProactiveNet\pw\ApacheGroup\Apache\conf\my-server.crt"
    SSLCertificateKeyFile "D:\BMCSoftware\ProactiveNet\pw\ApacheGroup\Apache\conf\my-server.key"

    Save the file.

    7) Prevent Apache from prompting you for a pass-phrase by doing the following:

    a) Remove the encryption from the RSA private key while preserving the original file:
    $ cp server.key server.key.org
    $ /usr/pw/apache/bin/openssl rsa -in server.key.org -out server.key

    b) Ensure that server.key is now readable only by root:
    $ chmod 400 server.key
    On Windows, set the server.key file to read permission only.

    - server.key now contains an unencrypted copy of the key. When the Apache server starts, it will not prompt you for a pass-phrase.

    8) Restart the httpd process on the BPPM Server using the following command:
    pw process restart httpd

    Confirm that the httpd process is back up and running again by using the following command:

    pw process list

    9) Connect to the ProactiveNet Operations Console via https now.
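    As an added example that is not part of the BMC article: a POSIX shell pre-flight script to run after step 7 and before step 8, checking that the server.crt the CA returned really belongs to server.key, that it is valid for the FQDN entered as Common Name in step 2, and that the decrypted key is mode 400. It assumes openssl is on PATH (the article calls /usr/pw/apache/bin/openssl), uses a 2048-bit key and a self-signed certificate as a constructed stand-in for the CA's reply so it runs offline, and expects the unencrypted key from step 7.

```shell
#!/bin/sh
# Pre-deployment checks for the CA-signed certificate (added example, not from the BMC article).
# Assumes: openssl on PATH; server.key is the unencrypted key produced in step 7.
set -eu

# Return 0 if the certificate's public key is the one derived from the private key,
# i.e. the CA signed the CSR that this server.key produced (wrong key -> Apache fails to start).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate is valid for the FQDN users will type in the browser
# (Common Name, or subjectAltName when present), as step 2 requires.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Return 0 if the key file is readable by its owner only (mode 400, step 7b).
key_is_private() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "400" ]
}

# Build a throwaway key, CSR and self-signed certificate in a temp dir so the checks can be
# exercised offline. The self-signed cert is a constructed stand-in for the CA's reply.
make_fixture() {
    dir=$(mktemp -d)
    fqdn=$1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null   # 2048 bits is this example's choice
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=CA/L=City/O=Example/CN=$fqdn" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 30 -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir/server.key"
    echo "$dir"
}

# Run all three checks; prints one line per check and returns non-zero if any fails.
preflight() {
    cert=$1; key=$2; fqdn=$3; rc=0
    cert_matches_key "$cert" "$key" && echo "OK: cert matches key" || { echo "FAIL: cert does not match key"; rc=1; }
    cert_matches_host "$cert" "$fqdn" && echo "OK: cert valid for $fqdn" || { echo "FAIL: cert not valid for $fqdn"; rc=1; }
    key_is_private "$key" && echo "OK: key is mode 400" || { echo "FAIL: key permissions too open"; rc=1; }
    return $rc
}
```

    On the real server, call preflight with the paths from step 5 and the Common Name from step 2; a FAIL line means the files should not be wired into httpd-ssl.conf yet.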



    Article Number:

    000093827


    Article Type:

    Solutions to a Product Problem


