Apply SSL Certificate to PerfSONAR and MaDDash Webservers


Introduction: This document provides instructions on setting up SSL for use with perfSONAR web tools. These steps are the same for both the perfSONAR Toolkit and MaDDash web tools. 

  1. Install OpenSSL and make sure you can run the openssl command.

  2. Run the following command to generate an unencrypted key for the server.

    openssl genrsa -out server.key 2048

  3. Run the following command to create a certificate signing request (CSR).

    openssl req -new -key server.key -out server.csr

    1. You will be asked for several kinds of information, such as Country and State/Province. Make sure that when you are prompted for "Common Name" you enter the Fully Qualified Domain Name (FQDN) of the server.
    2. For a standard perfSONAR node, the Fully Qualified Domain Name is usually just the hostname of the server.
  4. Send the CSR file to a Certificate Authority (CA) or to a member of your organization's IT department who can do this. You will then be given a certificate file (e.g. server.crt or server.cer) and a certificate chain file (e.g. server.ca-bundle or server_interm.cer).
  5. Run the following commands to place the server.key, server.crt and server.ca-bundle files into a secure location with proper permissions.
    1. You can use directories other than /etc/ssl/private and /etc/ssl/certs/, but make sure they have the same ownership and access permissions to prevent unauthorized access. This is especially true for the private key.

      # Certificate and chain are public (0644); the key directory and key are root-only
      mkdir -p /etc/ssl/certs /etc/ssl/private
      chown root:root /etc/ssl/private
      chmod 700 /etc/ssl/private
      chown root:root server.crt server.ca-bundle
      chmod 644 server.crt server.ca-bundle
      mv server.crt server.ca-bundle /etc/ssl/certs/
      chown root:root server.key
      chmod 640 server.key
      mv server.key /etc/ssl/private/

  6. Open /etc/httpd/conf.d/ssl.conf. This is the configuration file the Apache web server uses for SSL settings. Note the VirtualHost section of the file.

    <VirtualHost _default_:443>
    # General setup for the virtual host, inherited from global configuration
    #DocumentRoot "/var/www/html"
    #ServerName www.example.com:443
    ...
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    ...
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    ...
    SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
    ...
    </VirtualHost>

  7. Change the paths for SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the server certificate, key, and certificate chain, respectively, that you have from the prior steps (with the directories from step 5 these are /etc/ssl/certs/server.crt, /etc/ssl/private/server.key and /etc/ssl/certs/server.ca-bundle).

    <VirtualHost _default_:443>
    # General setup for the virtual host, inherited from global configuration
    #DocumentRoot "/var/www/html"
    #ServerName www.example.com:443
    ...
    SSLCertificateFile /path/to/server.crt
    ...
    SSLCertificateKeyFile /path/to/server.key
    ...
    SSLCertificateChainFile /path/to/server.ca-bundle
    ...
    </VirtualHost>

  8. Restart the webserver with the following command.

    systemctl restart httpd
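Before restarting, it is worth confirming that the key actually belongs to the certificate, that the key is not world-readable, that the certificate is not about to expire and that the chain verifies, since any of these takes the HTTPS listener down or leaves browsers failing. The script below is an added example and is not part of the perfSONAR or MaDDash documentation; it assumes openssl from step 1 is installed and treats apachectl as optional.

```shell
#!/bin/sh
# Added example, not from the perfSONAR/MaDDash page: pre-flight checks to run
# between step 7 and the httpd restart in step 8. Assumes openssl is installed
# (step 1); apachectl is used for the config syntax check only if present.

# Public key inside the certificate must equal the public half of the key.
cert_matches_key() {  # CERT KEY
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The key file must not be readable, writable or executable by "other"
# (the chmod 640 from step 5 satisfies this; 644 would not).
key_is_private() {  # KEY
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Certificate must still be valid DAYS days from now (default 30).
cert_not_expiring() {  # CERT [DAYS]
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
}

# Leaf must chain to a trust anchor via the bundle. The bundle is offered both
# as untrusted intermediates and as trust anchors, so this works whether the
# CA shipped the root inside the bundle or the root lives in the system store.
chain_verifies() {  # CERT BUNDLE
    openssl verify -untrusted "$2" -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, print one line per result and return non-zero on any failure.
preflight() {  # CERT KEY BUNDLE
    rc=0
    cert_matches_key "$1" "$2" && echo "ok   key matches cert" || { echo "FAIL key does not match cert"; rc=1; }
    key_is_private "$2" && echo "ok   key not world-readable" || { echo "FAIL key is world-readable"; rc=1; }
    cert_not_expiring "$1" && echo "ok   cert valid for 30+ days" || { echo "FAIL cert expires within 30 days"; rc=1; }
    chain_verifies "$1" "$3" && echo "ok   chain verifies" || { echo "FAIL chain does not verify"; rc=1; }
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest >/dev/null 2>&1 && echo "ok   httpd config syntax" || { echo "FAIL httpd configtest"; rc=1; }
    else
        echo "skip apachectl not found"
    fi
    return $rc
}

# Usage: sh ssl-preflight.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.key /etc/ssl/certs/server.ca-bundle
if [ $# -eq 3 ]; then preflight "$@"; fi
```

Run it as root (the key is not readable by other users) and only proceed to `systemctl restart httpd` when every line reads `ok` or `skip`.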



Center for Computational Sciences