Versions Compared

Comment: Added anchor to linux step 10: LinuxDevopsHttpsUpdate

...

  1. X.509:  An ITU-T standard defining the format of public key certificates, expressed in ASN.1
  2. Public Key Cryptography Standards (PKCS):  a set of standards published by RSA
  3. Public Key Infrastructure (PKI):  the overall infrastructure based on public & private key cryptography (large prime numbers); usually includes services for issuing, signing, renewing, and revoking certificates
  4. Certificate Authority (CA):  a central authority (server) used to sign and issue certificates, usually public, ex: Verisign, Thawte, etc.
  5. Root CA:  top-level CA; its certificate is usually self-signed, and the public certificate is distributed to and installed on all clients, while the private key is usually locked away in a secure offline location to prevent compromise
  6. Signing/Intermediate CA:  the CA that is actually used to sign issued certificates
  7. Certificate Revocation List (CRL):  list of revoked certificates
  8. Online Certificate Status Protocol (OCSP):  protocol for checking whether a certificate has been revoked
  9. .CSR (Certificate Signing Request):  file extension for a certification request; it is what is presented to the signing CA to be signed into a certificate. It consists of three main parts: the certification request information, a signature algorithm identifier, and a digital signature over the certification request information; usually a PKCS#10 structure in Base64 (plain-text) encoding
  10. Certificate:  the public key of a server/client/user with accompanying meta-data, signed by a trusted authority and used for authentication; also called an X.509 certificate, since X.509 defines the format of certificates. Usually includes an expiration date.
  11. Wildcard certificate:  a certificate that is valid for any hostname under a specific domain name.
  12. Subject Alternative Name (SAN):  an X.509 v3 extension allowing alternative Fully Qualified Domain Names (FQDNs)/domains to be defined, ex: DNS:wikiversity.org, DNS:wikivoyage.org, DNS:wiktionary.org
  13. Full chain:  used to indicate that all certificates up to a root authority are available, ie: root-CA, signing/intermediate-CA, issued server/client/user certificate
  14. .DER (Distinguished Encoding Rules):  one of the ASN.1 encoding formats specified in the ITU-T X.690 standard; also a file extension for certificates (usually binary encoded).
  15. .PEM (Privacy-enhanced Electronic Mail):  certificate extension; a Base64 (plain-text) encoded DER certificate enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  16. .CER, .CRT (Certificate):  certificate extension; the content is usually binary X.509 (DER) or Base64 (plain-text).
  17. .P7B, .P7C (PKCS#7):  bundled certificate extension; a SignedData structure with no signed content, carrying just certificate(s) or CRL(s)
  18. .P12 (PKCS#12) / .PFX (Personal inFormation eXchange):  bundle of (usually full-chain) certificate(s) (public) and private keys (password protected); PFX was a MS IIS standard that was the precursor to P12.
  19. .JKS (Java Key Store):  Java key store (repository) and file extension used to store private keys, public keys, and certificates, created by Java's keytool binary
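As an added, stdlib-only illustration of the SAN, DER and PEM entries above (example code written for this page, not from the original page or the Syndeia Cloud project): it accepts PEM or raw DER input, walks the DER TLVs, and returns the dNSName entries of a SAN extension. The input it runs on is a constructed Extensions sequence carrying the three glossary hostnames, not a real certificate.

```python
import base64
import re

SAN_OID = bytes.fromhex("551d11")  # body of OID 2.5.29.17 (subjectAltName)

def der_tlv(buf, off):  # one DER TLV at buf[off] -> (tag, value, offset after it); single-byte tags suffice for X.509
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):  # yield (tag, value) of each TLV packed inside a constructed value
    off = 0
    while off < len(value):
        tag, inner, off = der_tlv(value, off)
        yield tag, inner

def san_dns_names(der):  # dNSName entries (GeneralName [2], IA5String) of the SAN extension, in order
    names = []
    def walk(value):
        kids = list(der_children(value))
        for i, (tag, inner) in enumerate(kids):
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            if tag == 0x06 and inner == SAN_OID and i + 1 < len(kids):
                j = i + 2 if kids[i + 1][0] == 0x01 and i + 2 < len(kids) else i + 1  # skip explicit critical flag
                for _, general_names in der_children(kids[j][1]):  # OCTET STRING wraps SEQUENCE OF GeneralName
                    names.extend(v.decode("ascii") for t, v in der_children(general_names) if t == 0x82)
            elif tag & 0x20:  # constructed (SEQUENCE, SET, the [3] extensions wrapper, ...): descend
                walk(inner)
    walk(der)
    return names

def load_cert_bytes(data):  # accept PEM (Base64 between BEGIN/END lines) or raw binary DER; return DER bytes
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S).group(1)
        return base64.b64decode(body)  # line breaks inside the Base64 body are ignored
    return data

def der_to_pem(der, label="CERTIFICATE"):  # wrap DER as PEM: 76-column Base64 between BEGIN/END lines
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

def tlv(tag, body):  # DER-encode tag + length + body (short or long form); only used to build the sample
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

# Constructed sample, NOT a real certificate: just an Extensions SEQUENCE holding one SAN extension (marked critical)
SAMPLE_HOSTS = ["wikiversity.org", "wikivoyage.org", "wiktionary.org"]
GENERAL_NAMES = tlv(0x30, b"".join(tlv(0x82, h.encode()) for h in SAMPLE_HOSTS))
SAMPLE_EXTENSIONS = tlv(0x30, tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x01, b"\xff") + tlv(0x04, GENERAL_NAMES)))
```

Running `san_dns_names(load_cert_bytes(der_to_pem(SAMPLE_EXTENSIONS).encode()))` on a real PEM certificate file's bytes works the same way, since the walker descends into the [3] extensions wrapper of a full TBSCertificate.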

...

Linux RHEL/Alma 8

1. Obtain the full-chain cert, ie: root CA + signing/intermediate CA + issued cert (+ private key). (info) Note: you may need to create a CSR via openssl or Java keytool and submit it to your CA / IT security admin.

...

Code Block (bash):
sudo sed -i.bak 's#include "silhouette.conf"#include "HTTPS.conf"\ninclude "silhouette.conf"#' /opt/icx/syndeia-cloud-current/web-gateway-3.5-SP16/conf/application.conf

7.  On the Syndeia Cloud server, create a new HTTPS.conf file in the web-gateway service's conf/ directory with the following settings to enable TLS/SSL, where <keystorePW> = the keystore password created in the previous step, ie:

...

(info)  If you've updated firewalld too, use: sudo firewall-cmd --reload && sudo systemctl restart sc-web-gateway

10. Update the web-gateway entry in the lagom.services section of /opt/icx/syndeia-cloud-current/devops-.../conf/application.conf to specify the external URL and HTTPS port (replace host.domain.tld with your FQDN):

...
