Smart Suite SSL Certificates
Overview
Creating the Certificate Request
openssl genrsa -aes128 -out server.key 4096
In most cases the standard security option will work. In some instances a customer will need stronger RSA key file encryption. An example of an error the customer might receive if additional security is needed is: "The CSR uses a key that is believed to have been compromised!"
be checked by viewing the certificate in a web browser:
- Country Name: US
- State: Enter the state (e.g. Minnesota)
- Organization Name: Enter the name of the organization (e.g. Park Nicollet Health Services)
- Organizational Unit: Enter the name of the organization (e.g. Park Nicollet Health Services)
- Email Address: Enter a period only, which will leave the field blank
- Common Name: This is the name the customer wants the certificate to answer for (not necessarily -- or ideally not at all -- the server’s host name).
- For example, Park Nicollet has a server name of spokwb.parknicollet.com but they want the certificate to answer for smartweb.parknicollet.com. Therefore, the entry in the Common Name field would be smartweb.parknicollet.com.
- Challenge password: Enter a period only, which will leave the field blank
- Optional Company Name: Enter a period only, which will leave the field blank
openssl rsa -in /opt/amcom/apache/conf/ssl.key/server.key -out /opt/amcom/apache/conf/ssl.key/server.key.nopass
Obtain the CA-Signed Certificate
Configure the server to use the new server.crt and server.key files
The customer may send the .crt file in .pem form. The .pem formatted file includes the cert, CA, chain certificates, and private key.
ORDS (Oracle REST Data Service) cannot use a full .pem file. Copy the .pem file to server.crt, then edit and remove the private key section from the .crt file. This includes the '-----BEGIN RSA PRIVATE KEY-----' and '-----END RSA PRIVATE KEY-----' lines.
Additionally, ORDS requires a .der formatted private key file, so the server.key file used by Apache must be converted to .der format:
cd /opt/amcom/apache/conf/ssl.key
openssl pkcs8 -topk8 -inform PEM -outform DER -in server.key -out server.der -nocrypt
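The manual edit described above (copy the .pem to server.crt and delete the private key section) can be scripted so no key material is left behind by accident. This is an added example, not part of the original procedure or the vendor's tooling; it goes slightly beyond the text by also dropping PKCS#8 and EC private-key blocks and handling CRLF line endings, and customer-bundle.pem is a placeholder file name.

```bash
#!/usr/bin/env bash
# Added example; customer-bundle.pem below is a placeholder file name.

# Print only the CERTIFICATE blocks of a PEM bundle. Private-key blocks of any
# type (RSA, EC, PKCS#8, encrypted PKCS#8) and stray text are dropped, and
# Windows CRLF line endings are normalised.
pem_certs_only() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep                            { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
    ' "$1"
}

# Number of certificates in a PEM file (prints 0 for none).
pem_cert_count() {
    grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when the file contains any private-key block.
pem_has_private_key() {
    grep -q -- '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Write the certificate-only file ORDS needs; fail if the result holds no
# certificate or still holds key material.
split_bundle() {
    pem_certs_only "$1" > "$2" || return 1
    [ "$(pem_cert_count "$2")" -ge 1 ] || { echo "no certificate in $1" >&2; return 1; }
    ! pem_has_private_key "$2"
}

# Succeeds when certificate $1 and private key $2 carry the same public key.
# Needs openssl; an encrypted key prompts for its passphrase.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage:
#   split_bundle customer-bundle.pem server.crt && key_matches_cert server.crt server.key
```

Running key_matches_cert before the DER conversion catches a certificate that was issued for a different key than the one on the server.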
ORDS is the display service for APEX applications.
systemctl restart ords-standalone.service
a. Verify that ORDS restarted:
systemctl status ords-standalone.service
Or
journalctl -f -u ords-standalone.service
b. There will be a large amount of content; the key lines are:
Feb 20 11:58:13 ss810app1 ords-standalone.sh[2791612]: 2024-02-20T17:58:13.017Z INFO Oracle REST Data Services initialized
Feb 20 11:58:13 ss810app1 ords-standalone.sh[2791612]: Oracle REST Data Services version : 21.4.3.r1170405
Feb 20 11:58:13 ss810app1 ords-standalone.sh[2791612]: Oracle REST Data Services server info: jetty/9.4.44.v20210927
Feb 20 11:58:21 ss810app1 ords-standalone.sh[2791496]: Ords Standalone is ready
Converting SSL Certs
Alternate Method
1. Create a file that holds all your certificate settings
- [bash]$ vim csr_settings.txt
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = MN
L = Eden Prairie
O = Spok Inc
OU = Smart Suite Support
CN = spok-test-71.spok.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = spok-test-71.spok.com
DNS.2 = spokwb1-71.spok.com
2. Run the following command to create a new key and a self-signed cert based on the settings in the file.
- [bash]$ openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout server.key -out server.crt -config csr_settings.txt -extensions 'v3_req'
3. Run the following to generate a CSR and key based on the settings file.
- [bash]$ openssl req -new -out server.csr -newkey rsa:2048 -nodes -sha256 -keyout server.key -config csr_settings.txt