WiDirect Command Line SSL Configuration


Generate Key and CSR

Log in to the WiDirect over SSH using the username portal.

First you will create the key file, and then the certificate signing request from that key file. The instructions below use wifi.mydomain.com. Change that entry to be your desired domain name.

First generate the key file:

su -
cd /home/portal/
openssl genrsa -out wifi.mydomain.com.key 2048

Generate CSR:

openssl req -new -key wifi.mydomain.com.key -out wifi.mydomain.com.csr

Answer all the questions when prompted. When asked for the "Common Name", it is important that you enter the exact domain you will be using for your WiDirect. Depending on the level of certificate you are requesting, some of the other information may need to match the domain's information as well.

A self-signed certificate may be generated if you would like to use the new key immediately, before getting the certificate from a 3rd party. If you would like to wait to install the certificate until the process is complete, this step may be skipped. To self-sign the key, the following command may be used:

openssl req -new -x509 -nodes -sha256 -days 365 -key wifi.mydomain.com.key > wifi.mydomain.com.crt

To get a certificate from a 3rd party you will need to copy the CSR file from the WiDirect. You can view the CSR file with the following command:

cat wifi.mydomain.com.csr

The entire contents of that file should be sent to your SSL provider, including the lines with BEGIN and END. Example certificate request:


The file can also be downloaded from the WiDirect using a secure FTP program, such as FileZilla. When using FileZilla, be sure to add a new site in the Site Manager and set the protocol to "SFTP - SSH File Transfer Protocol". The Logon Type will be "Normal", and the other details will be the standard SSH login information for the WiDirect.

Install Certificate

Once you get the certificate, copy it to the portal directory using FileZilla.

Move the certificate to the proper place:

su -
cd /home/portal/
mv wifi.mydomain.com.crt /etc/pki/tls/certs/wifi.mydomain.com.crt

Move the key:

mv wifi.mydomain.com.key /etc/pki/tls/private/wifi.mydomain.com.key

Sometimes you may also be given a bundle file. If so, move that as well:

mv gd_bundle.crt /etc/pki/tls/certs

If you were given a bundle file, you need to modify the SSL configuration file to use it:

emacs /etc/httpd/conf.d/ssl.conf

Look for the three lines below in the file. They will be separated by comments.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Change those lines as shown below. If a bundle file was provided, remove the leading # from the third line so that the directive takes effect; the third line can be left alone if no bundle file was provided.

SSLCertificateFile /etc/pki/tls/certs/wifi.mydomain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wifi.mydomain.com.key
SSLCACertificateFile /etc/pki/tls/certs/gd_bundle.crt

Then type "service httpd restart" to restart the web service. If there are any errors, it is critical that they be fixed.
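
A mismatched certificate and key, or a certificate issued for a different name, is a common cause of errors at restart. The script below is an added example, not part of WiDirect: it checks the installed files before the restart. The function names and the sample files it builds are assumptions, and -checkhost requires OpenSSL 1.0.2 or later.

```shell
#!/bin/bash
# Added example: checks to run as root before "service httpd restart".
# Function names are hypothetical, not part of WiDirect.

cert_matches_key() {   # $1 = certificate, $2 = private key
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]      # same public key on both sides
}

cert_covers_host() {   # $1 = certificate, $2 = domain users will browse to
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q ' does match certificate'
}

key_is_private() {     # $1 = private key; group/other must have no access
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

preflight() {          # $1 = domain, $2 = certificate, $3 = private key
    local rc=0
    cert_matches_key "$2" "$3" || { echo "FAIL: certificate and key differ"; rc=1; }
    cert_covers_host "$2" "$1" || { echo "FAIL: certificate not valid for $1"; rc=1; }
    key_is_private "$3"        || { echo "FAIL: key readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and permissions check out"
    return "$rc"
}

make_sample() {        # constructed sample: throwaway key + self-signed cert in $1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=wifi.mydomain.com" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
        chmod 600 "$1/sample.key"
}

if [ "$#" -eq 3 ]; then
    # e.g. wifi.mydomain.com /etc/pki/tls/certs/wifi.mydomain.com.crt \
    #      /etc/pki/tls/private/wifi.mydomain.com.key
    preflight "$@"
else
    demo=$(mktemp -d) && make_sample "$demo" &&
        preflight wifi.mydomain.com "$demo/sample.crt" "$demo/sample.key"
    rm -rf "$demo"
fi
```

Run with no arguments, it checks a throwaway sample; run with the domain, certificate path and key path, it checks the real files. Any FAIL line should be resolved before restarting httpd.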

Preferences Page Changes

On the Preferences page on the WiDirect, be sure to update the "Validation Public Web IP" option to be the domain you purchased the SSL certificate for. This entry will be used when the user needs to be redirected to a secure URL.