WiDirect Command Line SSL Configuration


Generate Key and CSR

Log in to the WiDirect over SSH as the user portal.

First you will create the key file, and then the certificate signing request from that key file. The instructions below use wifi.mydomain.com. Change that entry to be your desired domain name.

First generate the key file:

su -
cd /home/portal/
openssl genrsa -out wifi.mydomain.com.key 2048

Generate CSR:

openssl req -new -key wifi.mydomain.com.key -out wifi.mydomain.com.csr

Answer all the questions when prompted. When asked for the "Common Name", it is important that you enter the exact domain you will be using for your WiDirect. Depending on the level of certificate you are requesting, some of the other information may need to match the domain's information as well.

A self-signed certificate may be generated if you would like to use the new key immediately, before getting the certificate from a 3rd party. If you would like to wait to install the certificate until the process is complete, this step may be skipped. To self-sign the key, the following command may be used:

openssl req -new -x509 -nodes -sha256 -days 365 -key wifi.mydomain.com.key > wifi.mydomain.com.crt

To get a certificate from a 3rd party you will need to copy the CSR file from the WiDirect. You can view the CSR file with the following command:

cat wifi.mydomain.com.csr

The entire contents of that file should be sent to your SSL provider, including the lines with BEGIN and END. Example certificate request:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request data)
-----END CERTIFICATE REQUEST-----

The file can also be downloaded from the WiDirect using a secure FTP program, such as Filezilla. When using Filezilla be sure to add a new site in the Site Manager, and set the protocol to "SFTP - SSH File Transfer Protocol." The Logon Type will be "Normal" and the other details will be the standard SSH login information for the WiDirect.

Install Certificate

Once you get the certificate, copy it using Filezilla to the portal directory.

Move the certificate to the proper place:

su -
cd /home/portal/
mv wifi.mydomain.com.crt /etc/pki/tls/certs/wifi.mydomain.com.crt

Move the key:

mv wifi.mydomain.com.key /etc/pki/tls/private/wifi.mydomain.com.key

Sometimes you may also be given a bundle file. If so, move that as well:

mv gd_bundle.crt /etc/pki/tls/certs

If you were given a bundle file, you need to modify the SSL configuration file to use it:

emacs /etc/httpd/conf.d/ssl.conf

Look for the three lines below in the file. They will be separated by comments.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Change those lines as shown below. If a bundle file was provided, also remove the leading # from the third line so the directive takes effect; if not, the third line can be left alone.

SSLCertificateFile /etc/pki/tls/certs/wifi.mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wifi.mydomain.com.key
SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt

Then type "service httpd restart" to restart the web service. If there are any errors it is critical that they be fixed.
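Most restart errors at this point come from a certificate that does not belong to the installed key. The script below is an added example, not part of the WiDirect documentation; it checks the key, certificate and optional CSR from the steps above before the restart. The function name check_tls_pair and the demo file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the WiDirect documentation.
# check_tls_pair KEY CERT [CSR]: returns 0 only if every check passes.
check_tls_pair() {
    key=$1; crt=$2; csr=${3:-}; bad=0

    # 1. The public key derived from the RSA private key must equal the one
    #    in the certificate; otherwise httpd refuses to start.
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || { echo "unreadable key: $key"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "unreadable certificate: $crt"; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "FAIL: certificate does not match key"; bad=1; }

    # 2. Optional: the CSR sent to the provider was made from this key.
    if [ -n "$csr" ]; then
        csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || csr_pub=
        [ "$key_pub" = "$csr_pub" ] || { echo "FAIL: CSR does not match key"; bad=1; }
    fi

    # 3. Flag SHA-1 or MD5 certificate signatures, which are deprecated.
    sig=$(openssl x509 -in "$crt" -noout -text | sed -n '/Signature Algorithm/{p;q;}')
    case $sig in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo "FAIL: weak signature:$sig"; bad=1 ;;
    esac

    # 4. The private key must not be accessible to group or others
    #    (characters 5-10 of the ls mode string are the group/other bits).
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "FAIL: $key is group/world accessible (chmod 600)"; bad=1; }

    [ "$bad" -eq 0 ] && echo "OK: $crt matches $key"
    return "$bad"
}

# With KEY CERT [CSR] arguments, check those files. With no arguments, run on
# a throwaway key and self-signed certificate constructed in a temp directory.
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
else
    tmp=$(mktemp -d) && (
        cd "$tmp" &&
        openssl genrsa -out demo.key 2048 2>/dev/null && chmod 600 demo.key &&
        openssl req -new -x509 -nodes -sha256 -days 1 -subj "/CN=wifi.mydomain.com" \
            -key demo.key -out demo.crt 2>/dev/null &&
        check_tls_pair demo.key demo.crt
    ); rm -rf "$tmp"
fi
```

Run it as root with the installed paths, for example with /etc/pki/tls/private/wifi.mydomain.com.key and /etc/pki/tls/certs/wifi.mydomain.com.crt as the two arguments, and only restart httpd once it prints OK.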


Preferences Page Changes

On the Preferences page on the WiDirect, be sure to update the "Validation Public Web IP" option to the domain you purchased the SSL certificate for. This entry will be used when the user needs to be redirected to a secure URL.