CMX 10.5 SSL certificate installation procedure
Available Languages
Contents
Introduction
This article will give an example on how to get a free SSL certificate and the way to install it on CMX. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- A domain name which can be resolved externally
- Basic linux skills
- Basic knowledge of PKI (Public Key Infrastracture)
Components Used
The information in this document is based on these software and hardware versions:
- CMX 10.5
Prepare and backup
Web certificate is located in the following folder:
[root@cmxtry ssl]# pwd /opt/haproxy/ssl
Backup the old certificate and key:
[cmxadmin@cmxtry ssl]$cd /opt/haproxy/ssl/ [cmxadmin@cmxtry ssl]$su root Password: (enter root password) [root@cmxtry ssl]# mkdir ./oldcert [root@cmxtry ssl]# mv host.* ./oldcert/ [root@cmxtry ssl]# ls ./oldcert/ host.key host.pem
In case you are not very familiar with Linux, the above commands can be interpreted in the following way:
[cmxadmin@cmxtry ssl]$cd /opt/haproxy/ssl/ [cmxadmin@cmxtry ssl]$su root Password: (enter root password) [root@cmxtry ssl]# mkdir /opt/haproxy/ssl/oldcert [root@cmxtry ssl]# mv host.pem /opt/haproxy/ssl/oldcert/ [root@cmxtry ssl]# mv host.key /opt/haproxy/ssl/oldcert/ [root@cmxtry ssl]# ls /opt/haproxy/ssl/oldcert/ host.key host.pem
Configure
Generate a private key:
openssl genrsa -out cmxtry.com.key 2048
[root@cmxtry ssl]# openssl genrsa -out cmxtry.com.key 2048 Generating RSA private key, 2048 bit long modulus ............ ............... e is 65537 (0x10001) [root@cmxtry ssl]# ls cmxtry.com.key oldcert
Generate a CSR (Certificate Sign requests) using the private you key generated in the previous step.
[root@cmxtry ssl]# openssl req -new -sha256 -key cmxtry.com.key -out cmxtry.com.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:BE State or Province Name (full name) [Some-State]: Locality Name (eg, city) []:DIEGEM Organization Name (eg, company) [Internet Widgits Pty Ltd]:CMXTRY Organizational Unit Name (eg, section) []:CMXTRY Common Name (e.g. server FQDN or YOUR name) []:cmxtry.com Email Address []:avitosin@cisco.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:Cisco123 An optional company name []:CMXTRY [root@cmxtry ssl]# ls cmxtry.com.csr cmxtry.com.key oldcert
Display the CSR:
[root@cmxtry ssl]# cat cmxtry.com.csr -----BEGIN CERTIFICATE REQUEST----- MIIDZTCCAk0CAQAwgY0xCzAJBgNVBAYTAkJFMRMwEQYDVQQIDApTb21lLVN0YXRl MQ8wDQYDVQQHDAZESUVHRU0xDzANBgNVBAoMBkNNWFRSWTEPMA0GA1UECwwGQ01Y VFJZMRMwEQYDVQQDDApjbXh0cnkuY29tMSEwHwYJKoZIhvcNAQkBFhJhdml0b3Np bkBjaXNjby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkEIg0 AxV/3HxAxUu7UI/LxkTP+DZJvvuua1WgyQ+tlD4r1+k1Wv1eINCJqywglCKt9vVg aiYp4JAKL28TV7rtSKqNFnWDMtTKoYRkYWI3L48r9Mu9Tt3zDCG09ygnQFi6SnmX VmKx7Ct/wIkkBXfkq1nq4vqosCry8SToS1PThX/KSuwIF6w2aKj1Fbrw3eW4XJxc 5hoQFrSsquqmbi5IZWgH/zMZUZTdWYvFc/h50PCBJsAa9HTY0sgUe/nyjHdt+V/l alNSh41jsrulhWiPzqbaPW/Fej9/5gtPG5LReWuS20ulAnso4tdcST1vVletoXJw F58S8AqeVrcOV9SnAgMBAAGggZEwFQYJKoZIhvcNAQkCMQgMBkNNWFRSWTAXBgkq hkiG9w0BCQcxCgwIQ2lzY28xMjMwXwYJKoZIhvcNAQkOMVIwUDAJBgNVHRMEAjAA MBcGA1UdEQQQMA6CDF9fSE9TVE5BTUVfXzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwCwYDVR0PBAQDAgOoMA0GCSqGSIb3DQEBCwUAA4IBAQCBslfRzbiw WBBBN74aWm6YwkO0YexpR2yCrQhcOsxWTujPVvzNP9WaDNxu1rw6o3iZclGi6D61 qFsKtchQhnclvOj7rNI8TInaxIorR2zMy0lF2vtJmvY4YQFso9qzmuaxkmttEMFU Fj0bxKh6SpvxePh6+BDcwt+kQExK5aF3Q6cRIMyKBS2+I5J5eddJ0cdIqTfwZOGD 5dMDWqHGd7IZyrend8AMPZvNKm3Sbx11Uq+A/fa7f9JZE0O2Q9h3sl3hj3QIPU6s w1Pyd66/OX04yYIvMyjJ8xpJGigNWBOvQ+GLvK0ce441h2u2oIoPe60sDOYldL+X JsnSbefiJ4Fe -----END CERTIFICATE REQUEST-----
Copy the CSR (include the beginning of certificate request line and end of certificate request line).
In case of my lab, I was using the free certificate from Comodo (https://www.instantssl.com/)
You paste the CSR in the window and select RedHat as software used to generate the CSR:
You have to validate the domain using either an e-mail address or other ways to validate the domain, such as DNS CNAME entry.
When you did complete the process of validation, you will be able to download a certificate from here:
When you download the certificate, you have to upload it to CMX box:
[ avitosin > ~/Desktop/cmxtry_com ] ls cmxtry_com.ca-bundle cmxtry_com.crt [ avitosin > ~/Desktop/cmxtry_com ] scp ./* cmxadmin@cmxtry.com:/home/cmxadmin Warning: the ECDSA host key for 'cmxtry.com' differs from the key for the IP address '64.103.12.134' Offending key for IP in /Users/avitosin/.ssh/known_hosts:8 Matching host key in /Users/avitosin/.ssh/known_hosts:10 Are you sure you want to continue connecting (yes/no)? yes cmxadmin@cmxtry.com's password: /etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory cmxtry_com.ca-bundle 100% 4103 4.0KB/s 00:00 cmxtry_com.crt 100% 2236 2.2KB/s 00:00 [ avitosin > ~/Desktop/cmxtry_com ]
Verify the certificates
Verify that the certificate was successfully copied to CMX:
[root@cmxtry ssl]# cd /home/cmxadmin/ [root@cmxtry cmxadmin]# ls cmxtry_com.ca-bundle cmxtry_com.crt [root@cmxtry cmxadmin]#
Public certificate:
[root@cmxtry cmxadmin]# cat cmxtry_com.crt -----BEGIN CERTIFICATE----- MIIGRzCCBS+gAwIBAgIRALKbdelOe0O7sSYMBFBhFPwwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTYwNAYD VQQDEy1DT01PRE8gUlNBIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIg Q0EwHhcNMTgwODA4MDAwMDAwWhcNMTgxMTA2MjM1OTU5WjBLMSEwHwYDVQQLExhE b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxETAPBgNVBAsTCEZyZWUgU1NMMRMwEQYD VQQDEwpjbXh0cnkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA oVRQ9cBGBNbcIIiVovDXUw0TRXjrCplro9bx22kGAnJPNenymETTdJ4m+7Rs19BI ob09Wqo4CKWCxgdViJWQDohfGbElvdELcOD7+HgZroYHoY24wzU+q2WCFW9z3Dca RZMJagjsXPZ5XhACvlKb+lNoYTgTkf0xVAnNphTGgtOGNaQ/PHqX9ITC4iwTmFWD UEZR/SIwb5MjIQZsMGi5cW7q4STKrydFVDXmJzNySK2hq9s9yc8cBN2Lp2HJsaA4 qtQb1KWOLnzVxUaAMVN+sObVvYV/sOmJLtFvKKU9Pg2cuSo2LhPBVtTpdbHkSDuz NlWHhYC9Uxu2+wwvTwGjQQIDAQABo4IC3jCCAtowHwYDVR0jBBgwFoAUkK9qOpRa C9iQ6hJWc99DtDoo2ucwHQYDVR0OBBYEFPvwN4lSs4oKd5AaG+j6xhDEtfL7MA4G A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB BggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUH AgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBUBgNV HR8ETTBLMEmgR6BFhkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FE b21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5 MHcwTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JT QURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGG GGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAlBgNVHREEHjAcggpjbXh0cnkuY29t gg53d3cuY214dHJ5LmNvbTCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1AO5Lvbd1 zmC64UJpH6vhnmajD35fsHLYgwDEe4l6qP3LAAABZRmIfAUAAAQDAEYwRAIgdU0n octPP7c7dR3MSMq2NQDA1rgP1hSGtB4qkectDp4CIBHBdS9cuu6Pwjb9OAHtKIDh BGFm51btA2NflzDLKmpVAHYA23Sv7ssp7LH+yj5xbSzluaq7NveEcYPHXZ1PN7Yf v2QAAAFlGYh7cwAABAMARzBFAiBDUjKNvINiwH1hgA+4Oipjhv7oGxLEsDiz+e7j /oa3qQIhAKoTXC41fbcAZSH3zWE/LBYthUkA4qaP3Q2en7QanEv7MA0GCSqGSIb3 DQEBCwUAA4IBAQAwoZfOdE1QuzJqssnAWxoI2uTc9R15clVq3X7qiYLv3ItijFUL stuKQXf7VqYqKHcjX8Ue5TMfcJYNlRc5Knj3r6fusLuaO33W++g3TDnQuN/CT5Y4 nrgor7UsquZHGoY6RHh2ZDA53Ep80YtsO36eLN8qkDB/OvxqJmYj9URTLfWRqfhh sGE1odIjW4lbSka+CR09DlBkhzOTqDCnWcKicn/kSfJexKVs0LRrNXfvUEdbPohl plPeiyKMXUtV2Q67UwiYpC9JzkG8a09q5JdUL4Le/xn0gvz4jq+2rtHnNctg6ShD laqU7wA5HRag2zJsIK/d2Agymk8u3AypzW4T -----END CERTIFICATE-----
Chain of trust:
[root@cmxtry cmxadmin]# cat cmxtry_com.ca-bundle -----BEGIN CERTIFICATE----- MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0 Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6 ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51 UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz 30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/ e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc 2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4 HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII 0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf +AZxAeKCINT+b72x -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6 2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt 4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/ vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT 8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/ s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9 MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6 Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5 B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR pu/xO28QOG8= -----END CERTIFICATE-----
Alternative way to take a look inside the certificate:
CHAIN OF TRUST:
[root@cmxtry cmxadmin]# openssl x509 -in cmxtry_com.ca-bundle -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07 Signature Algorithm: sha384WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority Validity Not Before: Feb 12 00:00:00 2014 GMT Not After : Feb 11 23:59:59 2029 GMT Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:8e:c2:02:19:e1:a0:59:a4:eb:38:35:8d:2c:fd: 01:d0:d3:49:c0:64:c7:0b:62:05:45:16:3a:a8:a0: c0:0c:02:7f:1d:cc:db:c4:a1:6d:77:03:a3:0f:86: f9:e3:06:9c:3e:0b:81:8a:9b:49:1b:ad:03:be:fa: 4b:db:8c:20:ed:d5:ce:5e:65:8e:3e:0d:af:4c:c2: b0:b7:45:5e:52:2f:34:de:48:24:64:b4:41:ae:00: 97:f7:be:67:de:9e:d0:7a:a7:53:80:3b:7c:ad:f5: 96:55:6f:97:47:0a:7c:85:8b:22:97:8d:b3:84:e0: 96:57:d0:70:18:60:96:8f:ee:2d:07:93:9d:a1:ba: ca:d1:cd:7b:e9:c4:2a:9a:28:21:91:4d:6f:92:4f: 25:a5:f2:7a:35:dd:26:dc:46:a5:d0:ac:59:35:8c: ff:4e:91:43:50:3f:59:93:1e:6c:51:21:ee:58:14: ab:fe:75:50:78:3e:4c:b0:1c:86:13:fa:6b:98:bc: e0:3b:94:1e:85:52:dc:03:93:24:18:6e:cb:27:51: 45:e6:70:de:25:43:a4:0d:e1:4a:a5:ed:b6:7e:c8: cd:6d:ee:2e:1d:27:73:5d:dc:45:30:80:aa:e3:b2: 41:0b:af:bd:44:87:da:b9:e5:1b:9d:7f:ae:e5:85: 82:a5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4 X509v3 Subject Key Identifier: 90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: X509v3 Any Policy Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt OCSP - URI:http://ocsp.comodoca.com Signature Algorithm: sha384WithRSAEncryption 4e:2b:76:4f:92:1c:62:36:89:ba:77:c1:27:05:f4:1c:d6:44: 9d:a9:9a:3e:aa:d5:66:66:01:3e:ea:49:e6:a2:35:bc:fa:f6: dd:95:8e:99:35:98:0e:36:18:75:b1:dd:dd:50:72:7c:ae:dc: 77:88:ce:0f:f7:90:20:ca:a3:67:2e:1f:56:7f:7b:e1:44:ea: 42:95:c4:5d:0d:01:50:46:15:f2:81:89:59:6c:8a:dd:8c:f1: 12:a1:8d:3a:42:8a:98:f8:4b:34:7b:27:3b:08:b4:6f:24:3b: 72:9d:63:74:58:3c:1a:6c:3f:4f:c7:11:9a:c8:a8:f5:b5:37: ef:10:45:c6:6c:d9:e0:5e:95:26:b3:eb:ad:a3:b9:ee:7f:0c: 9a:66:35:73:32:60:4e:e5:dd:8a:61:2c:6e:52:11:77:68:96: d3:18:75:51:15:00:1b:74:88:dd:e1:c7:38:04:43:28:e9:16: fd:d9:05:d4:5d:47:27:60:d6:fb:38:3b:6c:72:a2:94:f8:42: 1a:df:ed:6f:06:8c:45:c2:06:00:aa:e4:e8:dc:d9:b5:e1:73: 78:ec:f6:23:dc:d1:dd:6c:8e:1a:8f:a5:ea:54:7c:96:b7:c3: fe:55:8e:8d:49:5e:fc:64:bb:cf:3e:bd:96:eb:69:cd:bf:e0: 48:f1:62:82:10:e5:0c:46:57:f2:33:da:d0:c8:63:ed:c6:1f: 94:05:96:4a:1a:91:d1:f7:eb:cf:8f:52:ae:0d:08:d9:3e:a8: a0:51:e9:c1:87:74:d5:c9:f7:74:ab:2e:53:fb:bb:7a:fb:97: e2:f8:1f:26:8f:b3:d2:a0:e0:37:5b:28:3b:31:e5:0e:57:2d: 5a:b8:ad:79:ac:5e:20:66:1a:a5:b9:a6:b5:39:c1:f5:98:43: ff:ee:f9:a7:a7:fd:ee:ca:24:3d:80:16:c4:17:8f:8a:c1:60: a1:0c:ae:5b:43:47:91:4b:d5:9a:17:5f:f9:d4:87:c1:c2:8c: b7:e7:e2:0f:30:19:37:86:ac:e0:dc:42:03:e6:94:a8:9d:ae: fd:0f:24:51:94:ce:92:08:d1:fc:50:f0:03:40:7b:88:59:ed: 0e:dd:ac:d2:77:82:34:dc:06:95:02:d8:90:f9:2d:ea:37:d5: 1a:60:d0:67:20:d7:d8:42:0b:45:af:82:68:de:dd:66:24:37: 90:29:94:19:46:19:25:b8:80:d7:cb:d4:86:28:6a:44:70:26: 23:62:a9:9f:86:6f:bf:ba:90:70:d2:56:77:85:78:ef:ea:25: a9:17:ce:50:72:8c:00:3a:aa:e3:db:63:34:9f:f8:06:71:01: e2:82:20:d4:fe:6f:bd:b1 [root@cmxtry cmxadmin]#
PUBLIC CERTIFICATE:
[root@cmxtry cmxadmin]# openssl x509 -in cmxtry_com.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: b2:9b:75:e9:4e:7b:43:bb:b1:26:0c:04:50:61:14:fc Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA Validity Not Before: Aug 8 00:00:00 2018 GMT Not After : Nov 6 23:59:59 2018 GMT Subject: OU=Domain Control Validated, OU=Free SSL, CN=cmxtry.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a1:54:50:f5:c0:46:04:d6:dc:20:88:95:a2:f0: d7:53:0d:13:45:78:eb:0a:99:6b:a3:d6:f1:db:69: 06:02:72:4f:35:e9:f2:98:44:d3:74:9e:26:fb:b4: 6c:d7:d0:48:a1:bd:3d:5a:aa:38:08:a5:82:c6:07: 55:88:95:90:0e:88:5f:19:b1:25:bd:d1:0b:70:e0: fb:f8:78:19:ae:86:07:a1:8d:b8:c3:35:3e:ab:65: 82:15:6f:73:dc:37:1a:45:93:09:6a:08:ec:5c:f6: 79:5e:10:02:be:52:9b:fa:53:68:61:38:13:91:fd: 31:54:09:cd:a6:14:c6:82:d3:86:35:a4:3f:3c:7a: 97:f4:84:c2:e2:2c:13:98:55:83:50:46:51:fd:22: 30:6f:93:23:21:06:6c:30:68:b9:71:6e:ea:e1:24: ca:af:27:45:54:35:e6:27:33:72:48:ad:a1:ab:db: 3d:c9:cf:1c:04:dd:8b:a7:61:c9:b1:a0:38:aa:d4: 1b:d4:a5:8e:2e:7c:d5:c5:46:80:31:53:7e:b0:e6: d5:bd:85:7f:b0:e9:89:2e:d1:6f:28:a5:3d:3e:0d: 9c:b9:2a:36:2e:13:c1:56:d4:e9:75:b1:e4:48:3b: b3:36:55:87:85:80:bd:53:1b:b6:fb:0c:2f:4f:01: a3:41 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7 X509v3 Subject Key Identifier: FB:F0:37:89:52:B3:8A:0A:77:90:1A:1B:E8:FA:C6:10:C4:B5:F2:FB X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Basic Constraints: critical CA:FALSE X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.6449.1.2.2.7 CPS: https://secure.comodo.com/CPS Policy: 2.23.140.1.2.1 X509v3 CRL Distribution Points: Full Name: URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl Authority Information Access: CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt OCSP - URI:http://ocsp.comodoca.com X509v3 Subject Alternative Name: DNS:cmxtry.com, DNS:www.cmxtry.com CT Precertificate SCTs: Signed Certificate Timestamp: Version : v1(0) Log ID : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66: A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB Timestamp : Aug 8 12:34:59.717 2018 GMT Extensions: none Signature : ecdsa-with-SHA256 30:44:02:20:75:4D:27:A1:CB:4F:3F:B7:3B:75:1D:CC: 48:CA:B6:35:00:C0:D6:B8:0F:D6:14:86:B4:1E:2A:91: E7:2D:0E:9E:02:20:11:C1:75:2F:5C:BA:EE:8F:C2:36: FD:38:01:ED:28:80:E1:04:61:66:E7:56:ED:03:63:5F: 97:30:CB:2A:6A:55 Signed Certificate Timestamp: Version : v1(0) Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9: AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64 Timestamp : Aug 8 12:34:59.571 2018 GMT Extensions: none Signature : ecdsa-with-SHA256 30:45:02:20:43:52:32:8D:BC:83:62:C0:7D:61:80:0F: B8:3A:2A:63:86:FE:E8:1B:12:C4:B0:38:B3:F9:EE:E3: FE:86:B7:A9:02:21:00:AA:13:5C:2E:35:7D:B7:00:65: 21:F7:CD:61:3F:2C:16:2D:85:49:00:E2:A6:8F:DD:0D: 9E:9F:B4:1A:9C:4B:FB Signature Algorithm: sha256WithRSAEncryption 30:a1:97:ce:74:4d:50:bb:32:6a:b2:c9:c0:5b:1a:08:da:e4: dc:f5:1d:79:72:55:6a:dd:7e:ea:89:82:ef:dc:8b:62:8c:55: 0b:b2:db:8a:41:77:fb:56:a6:2a:28:77:23:5f:c5:1e:e5:33: 1f:70:96:0d:95:17:39:2a:78:f7:af:a7:ee:b0:bb:9a:3b:7d: d6:fb:e8:37:4c:39:d0:b8:df:c2:4f:96:38:9e:b8:28:af:b5: 2c:aa:e6:47:1a:86:3a:44:78:76:64:30:39:dc:4a:7c:d1:8b: 6c:3b:7e:9e:2c:df:2a:90:30:7f:3a:fc:6a:26:66:23:f5:44: 53:2d:f5:91:a9:f8:61:b0:61:35:a1:d2:23:5b:89:5b:4a:46: be:09:1d:3d:0e:50:64:87:33:93:a8:30:a7:59:c2:a2:72:7f: e4:49:f2:5e:c4:a5:6c:d0:b4:6b:35:77:ef:50:47:5b:3e:88: 65:a6:53:de:8b:22:8c:5d:4b:55:d9:0e:bb:53:08:98:a4:2f: 49:ce:41:bc:6b:4f:6a:e4:97:54:2f:82:de:ff:19:f4:82:fc: f8:8e:af:b6:ae:d1:e7:35:cb:60:e9:28:43:95:aa:94:ef:00: 39:1d:16:a0:db:32:6c:20:af:dd:d8:08:32:9a:4f:2e:dc:0c: a9:cd:6e:13 [root@cmxtry cmxadmin]#
Install the certificates on CMX
CMX requires the certificate in the following format:
+++PRIVATE KEY+++
+++PUBLIC CERTIFICATE+++
+++CHAIN OF TRUST CERTIFICATE+++
The Private Key - your_domain_name.key
The Primary Certificate - your_domain_name.crt
The Intermediate Certificate - issuer-certificate.crt
The Root Certificate - TrustedRoot.crt
Basically we have the following situation:
cmxtry.com.key contains the Private Key cmxtry_com.crt contains the Primary Certificate cmxtry_com.ca-bundle - the Intermediate Certificate and the Root Certificate
All of those have to be concatenated together to form .PEM certificate:
[root@cmxtry cmxadmin]# cat cmxtry.com.key cmxtry_com.crt cmxtry_com.ca-bundle > cmxtry_com.pem
Next step will be changing the ownership of the certificate:
[root@cmxtry cmxadmin]#chown cmx:cmx /opt/haproxy/ssl/cmxtry_com.pem [root@cmxtry cmxadmin]#chmod 744 /opt/haproxy/ssl/cmxtry_com.pem
When this is done, you can rename the certificate to host.pem (considering the backup of the certificate was done beforehand):
[root@cmxtry cmxadmin]#mv ./cmxtry_com.pem ./host.pem
Now enabling the sslmode:
[root@cmxtry ssl]# cmxctl node sslmode enable Enabling SSL SSL enabled Restarting Haproxy Verified SSL by restarting Haproxy. [root@cmxtry ssl]#
Troubleshoot
If you do not see the COMODO (other vendor) certificate in the CMX GUI after enabling the SSL using the above command, try rebooting the CMX device.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)