Perfsonar 5.1.0 - instructions on updating a self signed Certificate to an external certificate

smallboy69 commented 3 months ago

hi Perfsonar Team

hope this email finds you well

appreciated if anyone has updated the certificate for perfsonar 5.1.0 if there is any documentation that has been validated to work...

as i need to update the certificate for my reloaded perfsonar 5.1

ichantio commented 2 months ago

Hi @smallboy69,

I'm not part of the perfsonar team but I can provide some info here. If you have a cert provider, just simply generate a CSR. I use the config file method.

Generate the CSR and Key

Create a perfsonar.cnf file with the following content:

NOTE: Replace the info below to match what you have

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = COUNTRY CODE (US, UK, etc)
ST = STATE
L = LOCAL (CITY)
O = COMPANYNAME
OU = ORGUNITNAME
CN = servername

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = servername.yourdomainhere.com
DNS.2 = serveraltname1.yourdomainhere.com
DNS.3 = serveraltname2.yourdomainhere.com

Once you have the config file, run the command below (again change the name out): openssl req -new -newkey rsa:4096 -nodes -out "perfsonar.csr" -keyout "perfsonar.key" -config "perfsonar.cnf"

You then will have the following file in your folder:

perfsonar.csr - copy the content of this and paste into your cert provider, they will provide you a cert to download. Download the one for apache if you have that option or pem format. Ubuntu: Copy this to folder /etc/ssl/certs/ permission 644 and own by root:root Rocky: Copy this to folder /etc/pki/tls/certs permission 644 and own by root:root
perfsonar.key - will need this for perfsonar. Ubuntu: Copy this to folder /etc/ssl/private, the permission for the key should be 640 and own by root:ssl-cert Rocky: Copy this to folder /etc/pki/tls/private/, the permission for the key should be 600 and own by root:root

Setup apache

In Ubuntu edit /etc/apache2/sites-enabled/default-ssl.conf Comment out the following and add your own

#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

In Rocky edit /etc/httpd/conf.d/ssl.conf Comment out the following and add your own

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Restart Apache and check

Ubuntu: systemctl restart apache2 Rocky: systemctl restart httpd Open your perfsonar installation and check.

Other distro would be either similar to Ubuntu (Debian) or Rocky (Alma / RHEL)

Hope this helps!

smallboy69 commented 2 months ago

Thanks for your assistance @ichantio

appreciate your advise and insight

Regards

perfsonar / pscheduler