TLS/SSL secures communication between the server and the client by using a public SSL certificate together with a private SSL key. The private key is stored securely and confidentially on the server and never leaves it. The certificate, which contains the matching public key and the server's identity, is sent to every client that connects. During the TLS handshake the server proves that it holds the private key matching the certificate (by signing handshake data, or by decrypting a secret that the client encrypted to the public key, depending on the key exchange), and the client uses the public key in the certificate to verify that proof. Client and server then derive a shared session key, and the application data is encrypted with that symmetric session key, not directly with the SSL key pair.
Prerequisites
To generate the self-signed SSL certificates, the crypto-utils package must be installed in your system. The openssl command that the following steps use is provided by the openssl package, on which crypto-utils depends. To install crypto-utils, run the following command as the root user:
yum install crypto-utils
Procedure
- To create the private and certs directories, run the following command:
mkdir -p /var/nps/platform/api/ssl/private \
/var/nps/platform/api/ssl/certs
The private directory will hold the unencrypted private key, so restrict it so that only the root user can enter or read it (mode 700). The certs directory holds only public material and can stay world-readable.
- To generate a self-signed SSL certificate and key pair using OpenSSL, run the following command as the root user:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /var/nps/platform/api/ssl/private/nps.key \
-out /var/nps/platform/api/ssl/certs/nps.crt
The description of the arguments in this command is as follows:
req: This argument selects the OpenSSL subcommand for X.509 certificate signing request (CSR) management. X.509 is the public key infrastructure standard that both SSL and TLS follow for key and certificate management.
x509: This argument modifies the req subcommand. It instructs the OpenSSL utility to output a self-signed SSL certificate instead of a certificate signing request.
nodes: This argument ("no DES") instructs the OpenSSL utility not to encrypt the private key with a passphrase. It is the key, not the certificate, that would otherwise be protected. The web server must be able to read the key file when it starts, without user intervention; if the key were passphrase-protected, an operator would have to enter the passphrase after every server restart. Because the key is therefore stored in clear text, it must be protected by file-system permissions instead (owned by root, readable by no one else).
days: This argument specifies the validity period of the SSL certificate. In this example, the validity period is set to 365 days.
newkey rsa:2048: This argument instructs the OpenSSL utility to generate a new private key together with the certificate in a single step. The "rsa:2048" value requests an RSA key with a length of 2048 bits, which is the currently recommended minimum; a larger size such as rsa:4096 is also valid but makes the handshake slower.
keyout: This argument specifies the location for creating the SSL key file. In this example, the SSL key (nps.key) is created in the /var/nps/platform/api/ssl/private directory.
out: This argument specifies the location for creating the SSL certificate file. In this example, the SSL certificate (nps.crt) is created in the /var/nps/platform/api/ssl/certs directory.
- When prompted, enter the required information as follows:
IMPORTANT: In the Common Name (for example, server FQDN or YOUR name) prompt, ensure that you enter the correct domain name of your server, which is set as the NPS toolkit host name in the earlier steps. The name must match exactly what clients use to connect; a mismatch causes clients to reject the certificate. Note that current browsers and many TLS libraries check the host name against the subjectAltName extension and ignore the Common Name, so a certificate that carries the host name only in the Common Name is rejected by such clients; the interactive prompts cannot set the subjectAltName, which requires an OpenSSL configuration file or the -addext option (OpenSSL 1.1.1 or later).
Output
Country Name (2 letter code) [AU]: <Two letter code of your country>
State or Province Name (full name) []: <Full name of your state or province>
Locality Name (eg, city) []: <Full name of your location>
Organization Name (eg, company) []: <Full name of your organization>
Organizational Unit Name (eg, section) []: <Full name of your unit, section, or group>
Common Name (e.g. server FQDN or YOUR name) []: <Domain name of your server or the public IP address of your server>
Email Address []: <your email address>
- To create a strong Diffie-Hellman (DH) group, which the server uses with DHE cipher suites to negotiate forward secrecy with clients, run the following command. Generating a 2048-bit group can take several minutes because OpenSSL must search for a safe prime. ECDHE cipher suites do not use this file, but DHE suites offered without it fall back to a weak default group in some server software, so generate it whenever DHE suites are enabled:
openssl dhparam -out /var/nps/platform/api/ssl/certs/dhparam.pem 2048
The out argument specifies the location for creating the DH parameter file. In this example, the DH parameter file (dhparam.pem) is created in the /var/nps/platform/api/ssl/certs directory.
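The following script is an added example, not part of the NPS toolkit documentation. It runs the whole procedure above non-interactively against a scratch directory and then checks the result the way an operator should before pointing the web server at the files: that the key and certificate belong together, that the certificate carries the host name in a subjectAltName as well as in the Common Name, that it is currently valid, and that the clear-text key is not readable by other users. Assumptions: OpenSSL 1.0.2 or later is on PATH; SSL_ROOT stands in for /var/nps/platform/api/ssl and NPS_HOST for the toolkit host name (a placeholder value nps.example.com is used); a configuration file with prompt = no replaces the interactive prompts so that the subjectAltName can be set without the -addext option, which older OpenSSL releases lack. DH parameter generation is only run when GEN_DH=1 because it takes minutes.

```shell
#!/bin/sh
# Added example (not the NPS toolkit's own code): self-signed server
# certificate with subjectAltName, plus post-generation checks.
# Assumptions: openssl >= 1.0.2 on PATH; SSL_ROOT and NPS_HOST are
# placeholders for /var/nps/platform/api/ssl and the toolkit host name.
set -eu

SSL_ROOT="${SSL_ROOT:-$(mktemp -d)}"
NPS_HOST="${NPS_HOST:-nps.example.com}"

# Steps 1 and 2: create the directories, then the key and the self-signed
# certificate. A config file with prompt = no replaces the interactive
# prompts; it also sets subjectAltName, which modern clients require and
# which "openssl req" cannot set from the prompts alone.
gen_selfsigned() {
    root="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$root/private" "$root/certs"
    chmod 700 "$root/private"            # only root may enter the key directory
    cat > "$root/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[ dn ]
CN = $host
[ v3_server ]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$root/openssl.cnf" \
        -keyout "$root/private/nps.key" \
        -out "$root/certs/nps.crt" 2>/dev/null
    chmod 600 "$root/private/nps.key"    # -nodes left the key in clear text
}

# Step 3: DH parameters for DHE cipher suites (slow: minutes for 2048 bits).
gen_dhparam() {
    openssl dhparam -out "$1/certs/dhparam.pem" "${2:-2048}" 2>/dev/null
}

# Checks to run before the web server is pointed at the files.

# The key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The certificate names the host in subjectAltName, not only in the CN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Subject DN in RFC 2253 form, for example "CN=nps.example.com".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The certificate is inside its validity period right now.
cert_valid_now() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# The key is unencrypted (as -nodes requires) and is readable by its owner only.
key_is_plain() { ! grep -q ENCRYPTED "$1"; }
key_perms_ok() { find "$1" -perm 600 | grep -q .; }

gen_selfsigned "$SSL_ROOT" "$NPS_HOST"
if [ "${GEN_DH:-0}" = 1 ]; then gen_dhparam "$SSL_ROOT"; fi
key_matches_cert "$SSL_ROOT/private/nps.key" "$SSL_ROOT/certs/nps.crt"
cert_has_san "$SSL_ROOT/certs/nps.crt" "$NPS_HOST"
echo "OK: $(cert_subject "$SSL_ROOT/certs/nps.crt") generated under $SSL_ROOT"
```

Run it as root with SSL_ROOT=/var/nps/platform/api/ssl and NPS_HOST set to the toolkit host name to produce the real files; without those variables it writes to a temporary directory, which is useful for checking the OpenSSL version and configuration on a new host before touching the production paths. The key/certificate comparison hashes the public key extracted from each file, so it also catches the common mistake of copying a certificate next to a key that was regenerated.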