Handover Documentation

Version 0.1

Stuff your users don't care to know about.

SSL Certificates

How to generate a DIRISA SSL certificate

With the enterprise license issued to TENET by Comodo, DIRISA can issue and manage its own certificates. At the time of writing, Claude, Cheewai and Schalk can log in to the Comodo Certificate Manager (CCM) web site.

HAProxy requires the certificate in a file format that differs from the one Apache and nginx use: a single PEM file containing the certificate, the root/intermediate chain and the private key (see the HAProxy steps below).

To request a new certificate, create a file csr.txt with the following OpenSSL request configuration:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=ZA
ST=GAU
L=Pretoria
O=CSIR
OU=DIRISA
emailAddress=cheewai.lai@gmail.com
CN = dirisa.ac.za

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = icat.dirisa.ac.za
DNS.2 = irods.dirisa.ac.za
DNS.3 = ldap.dirisa.ac.za
  • Generate CSR
openssl req -new -sha256 -nodes -out icat.dirisa.ac.za.csr \
    -newkey rsa:2048 -keyout icat.dirisa.ac.za.key -config csr.txt
  • Output: icat.dirisa.ac.za.csr, the PEM-encoded certificate request (-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----). This is the file submitted to CCM.
  • Output: icat.dirisa.ac.za.key, the PKCS#8 PEM private key (-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----). Keep this file; it is the key appended to the HAProxy bundle below and must never be pasted into documentation or tickets.
  • Log in to CCM

  • If DCV has expired, go to Settings - Domains - DCV to revalidate using the DNS method

  • Submit CSR

    • CSR will be rejected if DCV has expired
  • Once approved, the confirmation email provides the following:

    * Click the following link to download your SSL certificate

      Format(s) most suitable for your server software:
        as X509, Base64 encoded: https://hard.cert-manager.com/customer/TENET/ssl?action=download&sslId=710556&format=x509

      Other available formats:
        as PKCS#7 Base64 encoded: https://hard.cert-manager.com/customer/TENET/ssl?action=download&sslId=710556&format=base64
        as PKCS#7 Bin encoded: https://hard.cert-manager.com/customer/TENET/ssl?action=download&sslId=710556&format=bin
        as X509 Certificate only, Base64 encoded: https://hard.cert-manager.com/customer/TENET/ssl?action=download&sslId=710556&format=x509CO
        as X509 Intermediates/root only, Base64 encoded: https://hard.cert-manager.com/customer/TENET/ssl?action=download&sslId=710556&format=x509IO
        as X509 Intermediates/root only Reverse, Base64 encoded: https://hard.cert-manager.com/customer/TENET/ssl?action=download&sslId=710556&format=x509IOR

    * Import your new certificate into your server (Please contact your administrator for help with this).

    * Your renew id: 84DLSgB08DuRtpsHV2AI

Certificate Details:
    Common Name :  dirisa.ac.za
    Subject Alternative Names : icat.dirisa.ac.za, irods.dirisa.ac.za, ldap.dirisa.ac.za
    Number of licenses : 
    SSL Type :     Multi-Domain Instant SSL Certificate
    Term :         2 Year(s)
    Server :       OTHER
    Requested :    08/01/2019 12:03 GMT
    Approved :     08/01/2019 12:03 GMT
    Expires :      07/01/2021 23:59 GMT
    Order Number : 198116199
    Self-Enrollment Certificate ID : 710556
    Comments :     
  • For HAProxy, save the following output from CCM:

    • X509 Certificate only
    • X509 Root/Intermediate(s)
    • Concatenate the above output (in exactly that order: certificate first, then root/intermediates) and append the same private key that was used to create the CSR submitted to CCM. Save the result as dirisa.ac.za.pem.
    • WARNING: the certificate file downloaded from CCM lacks a final newline, so edit the concatenated output to make sure every BEGIN/END marker is on its own line.
    • Validate with: openssl x509 -noout -subject -issuer -in dirisa.ac.za.pem
  • For iRODS, save the "X509, Base64 encoded" format (to be confirmed)
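As an added example (not part of the handover page or the DIRISA repo), this Python helper does the HAProxy concatenation step mechanically: it splits the three CCM downloads into PEM blocks even when the missing final newline has glued an END marker onto the next BEGIN marker, checks the leaf, chain, key order HAProxy expects, and rewrites the bundle with every marker on its own line. The function names are my own.

```python
import re

# One PEM block: BEGIN marker, base64 body, END marker with the same label.
# The pattern tolerates any whitespace (or none) around the body, so it still
# finds both blocks when a missing final newline has produced
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" on one line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def split_pem(text):
    """Return [(label, block)] with the body re-wrapped at 64 columns and
    every marker on its own line, however the input was glued together."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())  # drop all embedded whitespace
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        block = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
        blocks.append((label, block))
    return blocks


def build_haproxy_bundle(cert_only, intermediates, private_key):
    """Assemble the HAProxy PEM in the order it requires: leaf certificate,
    then root/intermediates, then the private key. Inputs are the text of
    the three files from the procedure above; unexpected content raises."""
    leaf = split_pem(cert_only)
    chain = split_pem(intermediates)
    key = split_pem(private_key)
    if [lbl for lbl, _ in leaf] != ["CERTIFICATE"]:
        raise ValueError("certificate-only download must hold exactly one CERTIFICATE")
    if not chain or any(lbl != "CERTIFICATE" for lbl, _ in chain):
        raise ValueError("intermediates download must hold only CERTIFICATE blocks")
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        raise ValueError("expected exactly one PRIVATE KEY block")
    # Single newline between blocks and one at the end, so the file is well-formed.
    return "\n".join(block for _, block in leaf + chain + key) + "\n"
```

The helper only fixes layout and ordering; it does not prove the key belongs to the certificate, so still run the openssl validation from the step above (comparing `openssl x509 -noout -modulus` on the bundle with `openssl rsa -noout -modulus` on the key is a quick way to confirm the match).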

DIRISA load-balancer setup

Refer to Git repo https://gitlab.com/dirisa/dirisa-loadbalancer

Last updated on 29 Mar 2019 / Published on 29 Mar 2019