tuanngu4
Cisco Employee

Summary:

By default, the CloudCenter Manager (CCM) appliance has a self-generated client certificate that resolves to example.com. The details of this certificate can be viewed during the browsing session, often directly from the address bar. Because this certificate is self-generated and signed by an unknown provider, it may not be adequate when the CCM is integrated into an enterprise ecosystem. The goal of this document is to explain how to replace the default certificate with one signed either by a proper Public Key Infrastructure (PKI) or by a trusted public provider. To make the end-to-end process easier to follow, this document also covers creating the root certificate of the Certificate Authority (CA) as well as the signed client certificate. Within the appliance, the client SSL certificate is stored in the /usr/local/tomcat/conf/ssl directory, and the file that references it is /usr/local/tomcat/conf/server.xml. 


Create the certificates:

** The certificates generated by the following tasks are adequate only for testing purposes and/or internal usage

** These steps can be taken while logged on to the CCM

Create the certificate for the root CA


    • Generate the private key for the root CA
      • openssl genrsa -des3 -out root-ca.key 2048
        • Determine your own passphrase

    • Generate the self-signed certificate for the root CA
      • openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt
        • Enter the passphrase you used for the private key
          • Sample input

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:California

Locality Name (eg, city) [Default City]:San Francisco

Organization Name (eg, company) [Default Company Ltd]:My Organization

Organizational Unit Name (eg, section) []:My OrgUnit

Common Name (eg, your name or your server's hostname) []:sandbox.myorgunit.local

Email Address []:admin@myorgunit.local


Create the certificate for the server

    • Generate the private key for the server certificate
      • openssl genrsa -des3 -out sandbox.key 2048
        • Optional - To remove the passphrase, type these commands:
          • cp sandbox.key sandbox.key.org
          • openssl rsa -in sandbox.key.org -out sandbox.key


    • Generate the CSR (Certificate Signing Request)
      • openssl req -new -key sandbox.key -out sandbox.csr
        • Sample input

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:California

Locality Name (eg, city) [Default City]:San Francisco

Organization Name (eg, company) [Default Company Ltd]:My Organization

Organizational Unit Name (eg, section) []:My OrgUnit

Common Name (eg, your name or your server's hostname) []:sandbox.myorgunit.local

Email Address []:admin@myorgunit.local

    • Generate the server certificate, signed with the root CA key
      • openssl x509 -req -in sandbox.csr -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -out sandbox.crt -days 3650
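As an added example (not from the original post), the same CA and server certificate steps as a non-interactive shell script, plus the check worth running before copying the files into /usr/local/tomcat/conf/ssl: the private key must match the certificate, and the certificate must chain to root-ca.crt. Assumed: the hostname sandbox.myorgunit.local, a subjectAltName extension (the page's commands set only a CN), and keys written without a passphrase, for testing only.

```shell
#!/bin/sh
# Added example, not part of the original post. Keys are unencrypted (testing only).
set -e

# make_test_ca DIR: create root-ca.key and a self-signed root-ca.crt in DIR
make_test_ca() {
  dir="$1"
  openssl genrsa -out "$dir/root-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/root-ca.key" -out "$dir/root-ca.crt" \
    -subj "/C=US/ST=California/L=San Francisco/O=My Organization/CN=Test Root CA"
}

# make_server_cert DIR HOSTNAME: key, CSR, then a certificate signed by the root CA.
# The subjectAltName is an assumption beyond the page: browsers match the SAN, not the CN.
make_server_cert() {
  dir="$1"; host="$2"
  openssl genrsa -out "$dir/sandbox.key" 2048 2>/dev/null
  openssl req -new -key "$dir/sandbox.key" -out "$dir/sandbox.csr" \
    -subj "/C=US/ST=California/L=San Francisco/O=My Organization/CN=$host"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/sandbox.csr" -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/san.ext" -out "$dir/sandbox.crt" 2>/dev/null
}

# verify_pair CERT KEY CA: returns 0 when CERT's public key matches KEY and
# CERT chains to CA; 1 on key mismatch, 2 on chain failure.
verify_pair() {
  cert="$1"; key="$2"; ca="$3"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match $cert" >&2; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $ca" >&2; return 2; }
  return 0
}
```

Run verify_pair against the three files before the cp step; a non-zero result means Tomcat would come up with a certificate/key pair that clients will reject.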

Place the newly created certificate in the proper directory on the CCM

Stop the Tomcat service

    • /etc/init.d/tomcat stop

Assuming your working directory is /tmp/certificates on the CCM

    • cp root-ca.crt sandbox.crt sandbox.key /usr/local/tomcat/conf/ssl


Change to the directory where the files are now stored and set the ownership of the new files

    • cd /usr/local/tomcat/conf/ssl
    • chown cliqruser:cliqruser root-ca.crt sandbox.crt sandbox.key

Edit the server.xml file to reflect the change in the location of the newly created certificate

     Use vi to edit the file
    • vi /usr/local/tomcat/conf/server.xml

Find the section starting with <Connector port="10443" maxHttpHeaderSize="8192" and modify the certificate name


    • Sample modification

<Connector port="10443" maxHttpHeaderSize="8192"
           maxThreads="150"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           SSLCertificateFile="${catalina.base}/conf/ssl/sandbox.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/ssl/sandbox.key"
           compressableMimeType="text/html,text/xml,text/plain,application/javascript,application/json,text/javascript,text/css,application/css,image/x-icon,image/jpeg,image/png,image/svg+xml,application/x-shockwave-flash,application/x-java-jnlp-file,application/zip,application/x-font-ttf,application/x-font-opentype,application/x-font-woff,application/vnd.ms-fontobject" />


Start the Tomcat service

    • /etc/init.d/tomcat start

