Comment: Update self-signed certificate creation to new method

...

When connecting to the VE license server web-based management GUI for the first time, the web browser issues a NET::ERR_CERT_AUTHORITY_INVALID warning and informs the user that the connection is not private. This happens because Stromasys cannot foresee the actual customer environment when creating the installation kit. The SSL certificate included with the license server kit therefore contains a dummy hostname that does not match the real hostname of the customer license server system, and it names Stromasys as the certificate authority, which web browsers do not know by default.

It is possible to override the warning and connect to the page. Otherwise, users must either

  • obtain a certificate for the host from one of the commercial certification authorities, or
  • create their own self-signed certificate and add it to the web browser.

The new certificate replaces the server.pem certificate in /opt/license-server/certs (move the old certificate to a safe place).

Steps to create a self-signed certificate:

  • Log in as the root user.
  • Stop the license server (# systemctl stop licensed)
  • Go to /opt/license-server/certs.
  • Move the existing content of the directory to a backup directory.

  • Create a root certificate (each command must be entered on one command line, irrespective of line breaks in this document):

    # openssl genrsa -out ca.key.pem 2048
    # openssl req -new -key ca.key.pem -out ca.csr -subj "/C=CN/ST=GD/O=STROMASYS/OU=LICENSE/CN=STROMASYS.COM"
    # openssl x509 -req -days 7300 -sha256 -extensions v3_ca -signkey ca.key.pem -in ca.csr -out ca.cer

  • Create a server certificate (each command must be entered on one command line, irrespective of line breaks in this document):

    # openssl genrsa -out servercert.key.pem 2048
    # openssl req -new -key servercert.key.pem -out servercert.csr -subj "/C=CN/ST=GD/O=STROMASYS/OU=LICENSE/CN=hostname.domain"
    # openssl x509 -req -extfile <(printf "subjectAltName=DNS:hostname.domain,DNS:hostname.domain") \
       -days 7300 -sha256 -CA ca.cer -CAkey ca.key.pem -CAserial ca.srl -CAcreateserial -in servercert.csr -out servercert.cer

    Replace hostname.domain with the real name of the VE license server system.

  • Create the combined server certificate for the license server:
    # cp servercert.cer server.pem
    # cat servercert.key.pem >> server.pem
  • Restart the license server (# systemctl start licensed)
  • Import the root CA (ca.cer) into your browser’s Trusted Root Certification Authorities Certificate Store.
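
The following check is an added example, not part of the original page or of Stromasys's tooling. Run it after server.pem has been created and before the license server is restarted. It confirms that server.pem chains to ca.cer, covers the real hostname, and contains the matching private key. The file names follow the steps above; the function name check_license_cert is an assumption.

```shell
#!/bin/sh
# Added example, not vendor code. File names (ca.cer, server.pem) follow the
# steps above; the function name check_license_cert is an assumption.
# Usage: check_license_cert DIR HOSTNAME   (returns 0 only if every check passes)
check_license_cert() {
    dir=$1; host=$2; rc=0
    pem="$dir/server.pem"

    # 1. The first certificate in server.pem must chain to the private root
    #    (ca.cer) that will be imported into the browser.
    if openssl verify -CAfile "$dir/ca.cer" "$pem" >/dev/null 2>&1; then
        echo "ok   chain: server.pem verifies against ca.cer"
    else
        echo "FAIL chain: server.pem does not verify against ca.cer"; rc=1
    fi

    # 2. The hostname typed into the browser must be covered by the
    #    certificate (subjectAltName); a leftover placeholder fails here.
    if openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate"; then
        echo "ok   name:  certificate covers $host"
    else
        echo "FAIL name:  certificate does not cover $host"; rc=1
    fi

    # 3. The private key appended to server.pem must belong to the
    #    certificate: compare the public key derived from each.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   key:   private key matches certificate"
    else
        echo "FAIL key:   private key missing or does not match"; rc=1
    fi

    return "$rc"
}

# Run only when called with arguments, e.g.:
#   sh check.sh /opt/license-server/certs hostname.domain
if [ "$#" -ge 2 ]; then
    check_license_cert "$1" "$2"
fi
```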

...