OmicSoft Server v12 - Certificates Setup

From Array Suite Wiki


Obtaining the server certificate

Overview

Starting with OmicSoft Suite v12.0, each OmicSoft Server instance needs a TLS certificate, acquired and configured so that the communication between the OmicSoft Studio, Oshell or Land Explorer clients and the OmicSoft Server instance is secured. Your company's IT team should be familiar with the requirements and steps. The certificate must be a .pfx (PKCS #12) file containing the server certificate, its private key and the intermediate CA certificates that make up the chain (other extensions used for the same format: .pkcs12 or .p12).

Prerequisites

  • OpenSSL
  • the DNS name of the server, for example your.servername.com

Requesting a server certificate

Here is an example of creating a Certificate Signing Request (CSR) for your.servername.com. The actual process of obtaining a signed certificate may differ, depending on your company's policies.

  • Create a private key
$ openssl genrsa -out cert.key 4096

Make sure the private key is an RSA key; ECDSA keys are not yet supported. For example, if you use certbot to obtain the certificate, request an RSA key explicitly:

sudo certbot certonly --standalone --key-type rsa
  • Create a CSR (you’ll have to answer a few questions)
$ openssl req -new -out cert.csr -key cert.key
  • Verify that the CSR is correct
$ openssl req -text -noout -in cert.csr | less
  • Send the file cert.csr to your Certificate Authority in order to receive the server certificate
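The steps above, as one added script that is not part of the OmicSoft documentation: it generates the RSA key with owner-only permissions, answers the CSR questions from a small config file instead of interactively, and checks the CSR before it is sent to the CA. The host name "your.servername.com" style host, the organisation name, the file names and the key size argument are assumptions. The CSR also carries a subjectAltName, because TLS clients match the server name against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not from the OmicSoft documentation: generate an RSA private
# key and a CSR for an OmicSoft Server, then check the CSR before sending it
# to the CA. Host name, organisation and file names are assumptions.

# make_csr HOST OUTDIR [BITS]  -> OUTDIR/cert.key and OUTDIR/cert.csr
make_csr() {
  host="$1"; outdir="$2"; bits="${3:-4096}"
  mkdir -p "$outdir"
  # Subshell so the restrictive umask (key readable by its owner only)
  # does not leak into the caller's shell.
  (
    umask 077
    openssl genrsa -out "$outdir/cert.key" "$bits" 2>/dev/null
  )
  # Non-interactive answers to the questions "openssl req -new" would ask,
  # plus a SAN extension naming the server.
  cat > "$outdir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
O = Example Org
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -new -sha256 -key "$outdir/cert.key" -config "$outdir/csr.cnf" -out "$outdir/cert.csr"
}

# check_csr CSR HOST: the CSR's self-signature verifies, the key is RSA
# (ECDSA is not supported by OmicSoft Server) and the SAN names the server.
# Prints the reason and returns 1 on the first failed check.
check_csr() {
  csr="$1"; host="$2"
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 \
    || { echo "CSR self-signature does not verify"; return 1; }
  text=$(openssl req -noout -text -in "$csr")
  echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
    || { echo "key is not RSA"; return 1; }
  echo "$text" | grep -q "DNS:$host" \
    || { echo "subjectAltName does not contain $host"; return 1; }
  echo "CSR OK for $host"
}

# Usage: make_csr your.servername.com ./csr && check_csr ./csr/cert.csr your.servername.com
```

Send only cert.csr to the CA; cert.key never leaves the server and is needed later to build the .pfx.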

According to the rules in your organization, you may have different steps to request a server certificate.

On Windows, if you use the MMC 'Manage Computer Certificates' snap-in to generate a custom certificate request (CSR), a 'classic' cryptographic service provider (CryptoAPI provider) such as 'Microsoft Enhanced Cryptographic Provider v1.0' must be used instead of a newer Cryptography Next Generation (CNG) provider such as 'Microsoft Software Key Storage Provider'. In the MMC 'Manage Computer Certificates' snap-in, when generating the custom certificate request (CSR), the Template should be '(No template) Legacy key' (instead of '(No template) CNG Key'):

(screenshot: CSR Template)

At 'Certificate information' step, expand Details / Properties, in the 'Private key' tab, select Microsoft Enhanced Cryptographic Provider v1.0 as CSP:

(screenshot: CSP)

To verify the certificate request, you can run the following command:

> certutil -dump server_example.csr
PKCS10 Certificate Request:
Version: 1
Subject:
{ CN=...}
... ...
...
{ Attribute[2]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)}
{ Value[2][0], Length = 66}
{ CSP Provider Info}
{ KeySpec = 2}
{ Provider = Microsoft Enhanced Cryptographic Provider v1.0}
...
...

Possible scenarios after receiving the server certificate

You do not have the certificate in PFX format

Most of the time the certificate is delivered by the signing authority in another format (such as .PEM or .CRT), and the private key and the intermediate CA certificates are in separate files. Make sure you have those too, in addition to the server certificate file. Convert these other formats to a .PFX file with a command like this:

$ openssl pkcs12 -export -out testserver.pfx -inkey privatekey.pem -in servercert.pem -certfile ca_chain.pem -password pass:....

where:

  • privatekey.pem - the private key in PEM format (Base64-encoded DER between BEGIN/END lines)
  • servercert.pem - the signed server certificate in PEM format
  • ca_chain.pem - the intermediate CA certificate chain in PEM format (several certificates concatenated into one file)

You have the certificate in PFX format

To verify if the .pfx contains the private key, you can use the following command:

$ openssl pkcs12 -info -nocerts -in testserver.pfx
...
Shrouded Keybag: ...
Bag Attributes
localKeyID: ...
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
....

where testserver.pfx should be replaced with the actual PFX file name.

Obtaining the intermediate CA certificates

Overview

By default the Mono certificate store is empty, so the required CA and server certificates, including the intermediate CA certificates, have to be imported.

Possible scenarios after receiving the server certificate

You have the certificate in CRT/PEM/CER format

You have received the intermediate CA certificates from the signing authority

In this scenario you already have the intermediate CA certificates in separate files, so you can import them into the Mono store. The certificate authority that signed the server certificate should be able to provide the intermediate certificates on request.

You haven't received the intermediate CA certificates from the signing authority

In this scenario use these steps:

  • Get detailed information about the certificate, on Linux, using OpenSSL (example):
$ openssl x509 -noout -text -in testserver.crt
  • In the output, search for information on the issuer CA, like (example):
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
  • download the issuing CA certificate from that URI; it is usually DER-encoded and contains only the next certificate up, so repeat the lookup on the downloaded certificate until you reach one without a CA Issuers entry (the root)
  • Otherwise, look for the issuer information and ask the CA for the chain:
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA
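The lookup above, as an added script that is not part of the OmicSoft documentation, generalised to the whole chain: it reads the AIA "CA Issuers" URI out of the certificate, downloads that issuer, converts it to PEM (the URLs normally serve DER) and repeats from the fetched certificate until one without a CA Issuers entry is reached. The file names and URLs are assumptions; walk_chain needs network access, the helper functions do not.

```shell
#!/bin/sh
# Added example, not from the OmicSoft documentation: find and download the
# intermediate CA certificates of a server certificate via its Authority
# Information Access (AIA) extension. File names and URLs are assumptions.

# aia_uri CERT.pem: print the "CA Issuers" URI of the certificate, or nothing.
aia_uri() {
  openssl x509 -noout -text -in "$1" | sed -n 's/^ *CA Issuers - URI://p' | head -n 1
}

# issuer_dn CERT.pem: the issuer DN, the fallback when a CA publishes no AIA URI.
issuer_dn() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}

# to_pem IN OUT: CA Issuers URLs usually serve DER; accept DER or PEM, write PEM.
to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null \
    || openssl x509 -inform PEM -in "$1" -out "$2"
}

# walk_chain SERVER.pem CHAIN.pem: append each issuer certificate to CHAIN.pem,
# leaf's issuer first, stopping at the first certificate without an AIA URI.
walk_chain() {
  cert="$1"; out="$2"; w=$(mktemp -d); i=0
  : > "$out"
  # Five hops is a loop guard; real chains are two or three certificates deep.
  while uri=$(aia_uri "$cert"); [ -n "$uri" ] && [ "$i" -lt 5 ]; do
    i=$((i + 1))
    curl -fsSL -o "$w/$i.bin" "$uri" \
      || { echo "download failed: $uri" >&2; rm -rf "$w"; return 1; }
    to_pem "$w/$i.bin" "$w/$i.pem" || { rm -rf "$w"; return 1; }
    echo "fetched issuer $i: $(openssl x509 -noout -subject -in "$w/$i.pem")" >&2
    cat "$w/$i.pem" >> "$out"
    cert="$w/$i.pem"   # continue from the certificate just fetched
  done
  rm -rf "$w"
  [ "$i" -gt 0 ] \
    || { echo "no AIA URI in $1; ask the CA for the chain. Issuer: $(issuer_dn "$1")" >&2; return 1; }
}

# Usage: walk_chain testserver.crt ca_chain.pem
```

The resulting ca_chain.pem usually ends with the root certificate, which the .pfx does not need; keep only the intermediates in the -certfile argument if your CA publishes the root via AIA as well.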

You have the certificate in PFX format

In this scenario you can export the Intermediate CA certs from the PFX file using these steps:

  • On a Windows device, import the PFX file (double-click it and accept the default store, usually 'Current User' / 'Personal'); the private key password will be needed
  • Open 'Manage User Certificates' from the Start menu and find the newly imported certificate under Certificates - Current User / Personal. Double-click the certificate, select an intermediate CA on the 'Certification Path' tab, open it and export it from the Details tab / Copy to File, choosing the 'Base-64 encoded X.509 (.CER)' format.
  • Copy the .cer files to the Linux server.
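The two PFX scenarios, building a .pfx from separate PEM files and checking it, and pulling the intermediate CA certificates back out of an existing .pfx (the OpenSSL counterpart of the Windows export above), as one added script that is not part of the OmicSoft documentation. File names and the password are assumptions; make_test_chain builds a throw-away root / intermediate / server chain so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the OmicSoft documentation: build a .pfx from PEM
# parts, verify it is usable for OmicSoft Server, and extract the CA
# certificates from a .pfx. File names and the password are assumptions.

# build_pfx KEY.pem SERVER.pem CHAIN.pem OUT.pfx PASSWORD
build_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# verify_pfx FILE.pfx PASSWORD: private key present, key matches the server
# certificate, intermediate CA certificates included. Returns 1 with a reason.
verify_pfx() {
  pfx="$1"; pw="$2"
  key=$(openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pw" 2>/dev/null) \
    || { echo "cannot open $pfx (wrong password or not PKCS#12)"; return 1; }
  echo "$key" | grep -q 'PRIVATE KEY' || { echo "no private key in $pfx"; return 1; }
  certs=$(openssl pkcs12 -in "$pfx" -nokeys -passin "pass:$pw" 2>/dev/null)
  n=$(echo "$certs" | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -ge 2 ] \
    || { echo "$pfx holds $n certificate(s): intermediate CA chain missing"; return 1; }
  # The key belongs to the server certificate iff the public keys are identical.
  kpub=$(echo "$key" | openssl pkey -pubout 2>/dev/null | openssl sha256)
  cpub=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pw" 2>/dev/null \
         | openssl x509 -pubkey -noout | openssl sha256)
  [ "$kpub" = "$cpub" ] \
    || { echo "private key does not match the server certificate"; return 1; }
  echo "$pfx OK: private key, server certificate and $((n - 1)) CA certificate(s)"
}

# extract_cacerts FILE.pfx PASSWORD OUT.pem: CA certificates only (no key, no leaf),
# ready to import into the Mono store.
extract_cacerts() {
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" -out "$3" 2>/dev/null
}

# make_test_chain DIR: constructed root -> intermediate -> server chain for testing.
make_test_chain() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Test Root CA" -days 30 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
    -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -days 30 -out "$d/inter.pem" 2>/dev/null
  printf 'subjectAltName=DNS:test.example.com\n' > "$d/srv.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=test.example.com" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -extfile "$d/srv.ext" -days 30 -out "$d/server.pem" 2>/dev/null
}

# Usage with real files:
#   build_pfx privatekey.pem servercert.pem ca_chain.pem testserver.pfx 'secret'
#   verify_pfx testserver.pfx 'secret' && extract_cacerts testserver.pfx 'secret' intermediates.pem
```

Two caveats: passing the password as `pass:...` puts it in the process list and shell history, so on a shared host prefer `-passout file:` or the interactive prompt; and OpenSSL 3 writes .pfx files with AES/PBKDF2 by default, while a .pfx produced by older Windows tooling uses the legacy RC2/3DES algorithms, which OpenSSL 3 only reads and writes with the `-legacy` option of `openssl pkcs12`.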