Generating self-signed SSL certificates for NPS toolkit Web API server

TLS/SSL secures communication between the server and the client by using a combination of a public SSL certificate and a private SSL key. The SSL key is stored securely and confidentially on the server and is used to encrypt the data that is sent to the client. The SSL certificate is shared publicly with the client system that requests the data, and the client uses it to decrypt the data signed by the associated SSL key.

Prerequisites
To generate the self-signed SSL certificates, the crypto-utils package must be installed on your system. To install this package, run the following command as the root user:
yum install crypto-utils
Procedure
  1. To create the private and certs directories, run the following command:
    mkdir -p /var/nps/platform/api/ssl/private \
    /var/nps/platform/api/ssl/certs
  2. To generate a self-signed SSL certificate and key pair using OpenSSL, run the following command as the root user:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /var/nps/platform/api/ssl/private/nps.key \
    -out /var/nps/platform/api/ssl/certs/nps.crt

    The description of the arguments in this command is as follows:

    • req: This argument specifies that X.509 certificate signing request (CSR) management must be used. X.509 is a public key infrastructure standard that both SSL and TLS adhere to for their key and certificate management.

    • x509: This argument further modifies the req argument. It instructs the OpenSSL utility to generate a self-signed SSL certificate instead of a certificate signing request.

    • nodes: This argument instructs the OpenSSL utility to skip the passphrase option for securing the SSL certificate. This is necessary because the Apache server must read the file without user intervention when it starts up. If the passphrase option is used, the user must enter the passphrase after every server restart.

    • days: This argument specifies the validity period of the SSL certificate. In this example, the validity period is set to 365 days.

    • newkey rsa:2048: This argument instructs the OpenSSL utility to generate a new SSL certificate and a new SSL key at the same time. The "rsa:2048" value instructs the utility to generate an RSA key with a length of 2048 bits.

    • keyout: This argument specifies the location for creating the SSL key file. In this example, the SSL key (nps.key) is created in the /var/nps/platform/api/ssl/private directory.

    • out: This argument specifies the location for creating the SSL certificate file. In this example, the SSL certificate (nps.crt) is created in the /var/nps/platform/api/ssl/certs directory.

  3. When prompted, enter the required information as follows:
    IMPORTANT:

    In the Common Name (for example, server FQDN or YOUR name) prompt, ensure that you enter the correct domain name of your server, which is set as the NPS toolkit host name in the earlier steps.

    Output
    Country Name (2 letter code) [AU]: <Two letter code of your country>
    State or Province Name (full name): <Full name of your state or province>
    Locality Name (eg, city) []: <Full name of your location>
    Organization Name (eg, company): <Full name of your organization>
    Organizational Unit Name (eg, section) []: <Full name of your unit, section, or group>
    Common Name (e.g. server FQDN or YOUR name) []: <Domain name of your server or the public IP address of your server>
    Email Address []: <your email address>
  4. To create a strong Diffie-Hellman (DH) group, which is used for negotiating Perfect Forward Secrecy with the clients, run the following command:
    openssl dhparam -out /var/nps/platform/api/ssl/certs/dhparam.pem 2048

    The out argument specifies the location for creating the DH parameter file. In this example, the DH parameter file (dhparam.pem) is created in the /var/nps/platform/api/ssl/certs directory.
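The following script is an added example and is not part of the NPS toolkit documentation. It runs steps 1 to 4 above non-interactively (the -subj argument replaces the prompts of step 3) and then verifies the result before the Web API server is pointed at it: the Common Name must match the NPS toolkit host name, the certificate must not be expired, the key and certificate must belong together, and the key file must not be group- or world-readable. The base directory argument, the FQDN argument and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the NPS toolkit documentation. Directory layout is
# the one from the procedure; the arguments and function names are assumed.
set -eu

# $1 = base ssl directory, $2 = server FQDN (the NPS toolkit host name),
# $3 = validity in days (default 365, as in the procedure).
gen_selfsigned() {
    ssl_dir=$1; fqdn=$2; days=${3:-365}
    mkdir -p "$ssl_dir/private" "$ssl_dir/certs"
    chmod 700 "$ssl_dir/private"        # only root may enter the key directory
    # -subj replaces the interactive prompts of step 3; umask 077 makes the
    # key file 0600 so it is never readable by other users.
    (umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$fqdn" \
        -keyout "$ssl_dir/private/nps.key" \
        -out "$ssl_dir/certs/nps.crt" 2>/dev/null)
    chmod 644 "$ssl_dir/certs/nps.crt"  # the certificate is public
}

# Step 4: DH parameters for Perfect Forward Secrecy (slow for 2048 bits).
gen_dhparam() {
    openssl dhparam -out "$1/certs/dhparam.pem" "${2:-2048}" 2>/dev/null
}

# Returns 0 only if the certificate names the expected FQDN, has not expired,
# matches the private key, and the key has no group/other permission bits.
verify_selfsigned() {
    ssl_dir=$1; fqdn=$2
    crt="$ssl_dir/certs/nps.crt"; key="$ssl_dir/private/nps.key"
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
        | grep -q "CN=$fqdn\$" || { echo "CN does not match $fqdn" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key does not match certificate" >&2; return 1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in
        *00) ;;
        *) echo "key mode $mode is not 0600" >&2; return 1 ;;
    esac
}

# Usage on the NPS toolkit host, as root (hostname is a placeholder):
#   gen_selfsigned /var/nps/platform/api/ssl nps.example.com && \
#   gen_dhparam /var/nps/platform/api/ssl && \
#   verify_selfsigned /var/nps/platform/api/ssl nps.example.com
```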