Spok

Smart Suite SSL Certificates

Overview
 
While not all sites require SSL certificates for their web servers (including separate servers used only for eNotify), some do in order to encrypt their traffic (to protect Personal Profile login information, OnCall Assignment login information, Patient data if that module is enabled, and so on).
 
With servers that operate behind a load balancer, the certificate is installed on the load balancer. The load balancer then answers the clients' requests, so the certificate uses the name the clients connect to as its Common Name and lists both the long and short server names as Subject Alternative Names.
 
An alternate method to the following steps is included at the end of this article. 
 
Creating the Certificate Request 
 
1.     Connect to the customer’s server and create a temporary folder in /tmp as the root user.
 
2.     Navigate to that folder and run one of the following commands to create the server.key file:
 
For standard security: 
openssl genrsa -des3 -out server.key 2048
 
For higher security:

openssl genrsa -aes128 -out server.key 4096

In most cases the standard security option will work. There have been instances where a customer needed stronger RSA key file encryption. An example of an error the customer might receive when additional security is needed is "The CSR uses a key that is believed to have been compromised!"

This step will ask for a password. The password can be anything you want, as long as you remember it for use in later steps.
 
3.     Next run the following command to generate the server.csr file:
 
openssl req -new -key server.key -out server.csr
 
When prompted, enter the password you created above.
 
4.     Answer the prompts using the following template, OR match the values entered previously, which can be checked by viewing the existing certificate in a web browser:
 
  • Country Name: US
  • State: Enter the state (e.g. Minnesota)
  • Organization Name: Enter the name of the organization (e.g. Park Nicollet Health Services)
  • Organizational Unit: Enter the name of the organization (e.g. Park Nicollet Health Services)
  • Email Address: Enter a period only, which will leave the field blank
  • Common Name: This is the name the customer wants the certificate to answer for (not necessarily -- or ideally not at all -- the server's host name).
  • For example, Park Nicollet has a server name of spokwb.parknicollet.com but they want the certificate to answer for smartweb.parknicollet.com. Therefore, the entry in the Common Name field would be smartweb.parknicollet.com
  • Challenge password: Enter a period only, which will leave the field blank
  • Optional Company Name: Enter a period only, which will leave the field blank
 
5.     Now remove the passphrase from the server.key file:
 
cp server.key server.key.org
 
openssl rsa -in server.key.org -out server.key.nopass
 
 
For example:
 
openssl rsa -in /opt/amcom/apache/conf/ssl.key/server.key -out /opt/amcom/apache/conf/ssl.key/server.key.nopass
 
Enter pass phrase for /opt/amcom/apache/conf/ssl.key/server.key:
writing RSA key
 
Rename the new server.key.nopass to server.key.
 
Obtain the CA-Signed Certificate
 
6.     Copy the newly created server.csr and server.key files off the server and email the CSR to the customer.
They will use the CSR to generate the server.crt file that will need to be placed on the server.
 
Configure the server to use the new server.crt and server.key files
 
It is highly recommended to document the following steps and provide a Change Control to the customer.  
 
7.     Make a backup of the /opt/amcom/apache/conf/ssl.crt and /opt/amcom/apache/conf/ssl.key directories.
 
8.     Copy the server.key file from /tmp/<the directory you created in step 1> to /opt/amcom/apache/conf/ssl.key.
 
9.     Copy the server.crt file the customer sent you into the /opt/amcom/apache/conf/ssl.crt directory.
For 8.0-1 and below:

The customer may send the .crt file in .pem form. The .pem formatted file includes the cert, CA, and chain certificates. Simply rename the .pem file to server.crt.

For 8.1 and above:

The customer may send the .crt file in .pem form. The .pem formatted file includes the cert, CA, chain certificates, and private key.

ORDS (Oracle REST Data Services) cannot use a full .pem file. Copy the .pem file to server.crt, then edit the .crt file and remove the private key section, including the '-----BEGIN RSA PRIVATE KEY-----' and '-----END RSA PRIVATE KEY-----' lines themselves.

Additionally, ORDS requires a .der formatted private key file, so the server.key file used by Apache must also be converted to .der format:

cd /opt/amcom/apache/conf/ssl.key
openssl pkcs8 -topk8 -inform PEM -outform DER -in server.key -out server.der -nocrypt

ORDS is the display service for APEX applications.
 

10.  Restart the amcom_httpd service.

5.x:
service amcom_httpd restart

7.x and 8.x:
systemctl restart amcom_httpd.service
 
 
11. For 8.1 and above, restart the ords-standalone service.

systemctl restart ords-standalone.service

a. Verify that ORDS restarted:

systemctl status ords-standalone.service

or

journalctl -f -u ords-standalone.service

b. There will be a large amount of output; the key lines are:

Feb 20 11:58:13 ss810app1 ords-standalone.sh[2791612]: 2024-02-20T17:58:13.017Z INFO        Oracle REST        Data Services initialized
Feb 20 11:58:13 ss810app1 ords-standalone.sh[2791612]: Oracle REST Data Services version : 21.4.3.r1170405
Feb 20 11:58:13 ss810app1 ords-standalone.sh[2791612]: Oracle REST Data Services server info:                            jetty/9.4.44.v20210927
Feb 20 11:58:21 ss810app1 ords-standalone.sh[2791496]: Ords Standalone is ready

 
12.  Verify that the new certificate was applied.
 
Converting SSL Certs
 
PKCS#12/PFX Format
 
The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.
 
When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and the private key (including the BEGIN/END statements) to its own individual text file, saving them as certificate.cer, CACert.cer, and privateKey.key respectively.
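Both the ORDS step above (copy the .pem bundle to server.crt and strip the private key section) and the PFX-to-PEM split described here are the same job: separating the blocks of a PEM bundle into certificate-only and key-only files. The following script is an added example, not code from the Spok article, that does that split without a text editor and also prints the SHA-256 fingerprint of the leaf certificate so the result can be compared against what the restarted server presents (step 12). It assumes the leaf (server) certificate is the first CERTIFICATE block in the bundle and uses the article's server.crt / server.key file names; the sample bundle is constructed, with placeholder base64 bodies rather than real certificates or keys.

```python
"""Split a PEM bundle (cert + chain + private key) into the separate files
Apache and ORDS expect, and report the leaf certificate fingerprint.

Added example, not part of the Spok article. Assumptions: the leaf
certificate is the first CERTIFICATE block, output names follow the article.
"""
import base64
import hashlib
import os
import re
import tempfile
from pathlib import Path

# One PEM block; the back-reference \1 keeps the BEGIN/END labels paired.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# Constructed sample bundle: the base64 bodies are placeholders, not real
# certificates or keys, so the split logic can be exercised offline.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
TEVBRi1DRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLUNB
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
UFJJVkFURS1LRVktUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""


def split_pem_bundle(text):
    """Return (certificates, private_keys) as lists of complete PEM blocks."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label, block = match.group(1), match.group(0) + "\n"
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):  # RSA, EC or PKCS#8 "PRIVATE KEY"
            keys.append(block)
        # Other labels (e.g. CERTIFICATE REQUEST) are ignored.
    return certs, keys


def strip_private_key(text):
    """Certificate-only text for server.crt; ORDS rejects a bundle with a key."""
    certs, _ = split_pem_bundle(text)
    return "".join(certs)


def sha256_fingerprint(pem_cert):
    """SHA-256 fingerprint of the DER body, in OpenSSL's colon-separated form."""
    body = PEM_BLOCK.search(pem_cert).group(2)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def write_server_files(bundle_text, out_dir):
    """Write server.crt (leaf + chain, no key) and server.key into out_dir."""
    certs, keys = split_pem_bundle(bundle_text)
    if not certs:
        raise ValueError("bundle contains no CERTIFICATE block")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    out = Path(out_dir)
    (out / "server.crt").write_text("".join(certs))
    # The private key is created mode 0600 so only its owner can read it.
    fd = os.open(out / "server.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(keys[0])
    return {"certificates": len(certs), "leaf_fingerprint": sha256_fingerprint(certs[0])}


def demo():
    """Split the constructed sample in a temp dir and return a small report."""
    with tempfile.TemporaryDirectory() as tmp:
        report = write_server_files(SAMPLE_BUNDLE, tmp)
        report["crt_has_key"] = "PRIVATE KEY" in Path(tmp, "server.crt").read_text()
    return report


if __name__ == "__main__":
    print(demo())
```

On a real server, point write_server_files at the customer's .pem and the ssl.key directory, then compare the printed fingerprint with the one shown by `openssl x509 -in server.crt -noout -fingerprint -sha256` and with what the service presents after the restart; a mismatch means the old certificate is still being served.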
 
OpenSSL Commands to Convert SSL Certificates on Your Machine
 
It is highly recommended that you convert to and from .pfx files on your own machine using OpenSSL so you can keep the private key there. Use the following OpenSSL commands to convert SSL certificates to different formats on your own machine:
 
OpenSSL Convert PEM
Convert PEM to DER
 
openssl x509 -outform der -in certificate.pem -out certificate.der
 
Convert PEM to P7B
 
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
 
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
 
OpenSSL Convert DER
Convert DER to PEM
 
openssl x509 -inform der -in certificate.cer -out certificate.pem
 
OpenSSL Convert P7B
Convert P7B to PEM
 
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
 
Convert P7B to PFX
 
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
 
OpenSSL Convert PFX
Convert PFX to PEM
 
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
 
Convert PEM to CRT
 
openssl x509 -inform pem -in cert_file_name.pem -out server.crt
 
If you need to convert a Java Keystore file to a different format, it is usually easier to create a new private key and certificates, but it is possible to convert a Java Keystore to PEM format.

 

Alternate Method

1.  Create a file that holds all your certificate settings 

  • [bash]$ vim csr_settings.txt

[req] 
distinguished_name = req_distinguished_name 
req_extensions = v3_req 
prompt = no 
[req_distinguished_name] 
C = US 
ST = MN 
L = Eden Prairie 
O = Spok Inc 
OU = Smart Suite Support 
CN = spok-test-71.spok.com 

[v3_req] 
keyUsage = keyEncipherment, dataEncipherment 
extendedKeyUsage = serverAuth 
subjectAltName = @alt_names 

[alt_names] 
DNS.1 = spok-test-71.spok.com 
DNS.2 = spokwb1-71.spok.com 

2.  Run the following command to create a new cert and key, which is a self-signed cert based on the settings in the file.

  • [bash]$ openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout server.key -out server.crt -config csr_settings.txt -extensions 'v3_req'

3.  Run the following to generate a CSR and key based on the settings file 

  • [bash]$ openssl req -new -out server.csr -newkey rsa:2048 -nodes -sha256 -keyout server.key -config csr_settings.txt
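The settings file above hard-codes one Common Name and two DNS entries. The following script is an added example, not part of the Spok article, that generates a csr_settings.txt in the same layout from a list of host names and enforces the property the article's file shows implicitly: the Common Name is repeated as DNS.1, because browsers validate the Subject Alternative Name list rather than the CN. Names are normalised to lower case, de-duplicated and checked against DNS label rules (short names such as spokwb1 are accepted, matching the load-balancer note at the top of the article). The keyUsage line is my choice, digitalSignature plus keyEncipherment, rather than the article's keyEncipherment, dataEncipherment; the DN defaults reuse the article's values and the host names in the demo are the parknicollet.com examples from step 4.

```python
"""Generate an OpenSSL req config in the layout of the article's
csr_settings.txt from a list of host names, and read it back.

Added example, not part of the Spok article. Section and key names follow
the article's file; keyUsage values and the validation rules are mine.
"""
import configparser
import re

# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_dns_name(name):
    """True for a host name (or wildcard name) made of valid labels."""
    labels = name.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(LABEL.match(label) for label in labels)


def build_csr_config(common_name, alt_names=(), *, country="US", state="MN",
                     locality="Eden Prairie", org="Spok Inc",
                     unit="Smart Suite Support"):
    """Return the text of an OpenSSL req config.

    The CN is always emitted as DNS.1 so the SAN list covers the same name the
    CN advertises; further names follow in the order given, duplicates dropped.
    """
    names = []
    for name in (common_name, *alt_names):
        name = name.strip().lower()
        if not is_dns_name(name):
            raise ValueError(f"not a valid DNS name: {name!r}")
        if name not in names:
            names.append(name)
    lines = [
        "[req]",
        "distinguished_name = req_distinguished_name",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[req_distinguished_name]",
        f"C = {country}",
        f"ST = {state}",
        f"L = {locality}",
        f"O = {org}",
        f"OU = {unit}",
        f"CN = {names[0]}",
        "",
        "[v3_req]",
        "keyUsage = digitalSignature, keyEncipherment",  # author's choice, see lead-in
        "extendedKeyUsage = serverAuth",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
        *(f"DNS.{i} = {name}" for i, name in enumerate(names, 1)),
        "",
    ]
    return "\n".join(lines)


def read_alt_names(config_text):
    """Parse the generated config and return the DNS.N values in order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep 'DNS.1' rather than lower-casing keys
    parser.read_string(config_text)
    section = parser["alt_names"]
    return [section[key] for key in sorted(section, key=lambda k: int(k.split(".")[1]))]


if __name__ == "__main__":
    # Constructed demo using the article's step 4 example names.
    text = build_csr_config("smartweb.parknicollet.com",
                            ["spokwb.parknicollet.com", "spokwb"])
    print(text)
    print("SANs:", read_alt_names(text))
```

Write the returned text to csr_settings.txt and pass it to the `openssl req ... -config csr_settings.txt` commands above; `openssl req -noout -text -in server.csr` then shows the DNS entries under "X509v3 Subject Alternative Name" for a final check before the CSR is sent.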

KB39324