OmicSoft Server v12 - Certificates Setup

From Array Suite Wiki

Obtaining the server certificate

Overview

Starting with OmicSoft Suite v12.0, each OmicSoft Server instance needs a TLS certificate, acquired and properly configured, to secure the communication between the OmicSoft Studio, Oshell or Land Explorer clients and the OmicSoft Server instance. Your company IT team will be familiar with the requirements and steps. The certificate should be in .pfx (PKCS #12) format and contain the entire certificate chain together with the private key for the server certificate (other possible extensions: .pkcs12 or .p12).

Prerequisites

  • OpenSSL
  • the DNS name of the server, for example your.servername.com

Requesting a server certificate

Here is an example of creating a Certificate Signing Request (CSR) for your.servername.com:

  • Create a private key
$ openssl genrsa -out cert.key 4096
  • Create a CSR (you will have to answer a few questions about the subject; make sure the Common Name is the server's DNS name)
$ openssl req -new -out cert.csr -key cert.key
  • Verify that the CSR is correct
$ openssl req -text -noout -in cert.csr | less
  • Send the file cert.csr to your Certificate Authority in order to receive the server certificate

Depending on the rules in your organization, the steps to request a server certificate may differ.

Possible scenarios after receiving the server certificate

You do not have the certificate in PFX format

Most of the time the certificate is delivered by the signing authority in another format (such as .PEM or .CRT), and the private key and the intermediate CA certs are in separate files. Make sure you have those too, in addition to the server cert file. Convert them to a .PFX file with a command like this:

$ openssl pkcs12 -export -out testserver.pfx -inkey privatekey.pem -in servercert.pem -certfile ca_chain.pem -password pass:....

where:

  • privatekey.pem - the private key in PEM format (Base64-encoded DER)
  • servercert.pem - the signed server certificate in PEM format
  • ca_chain.pem - the additional intermediate CA certs (the chain) in PEM format

You have the certificate in PFX format

To verify that the .pfx contains the private key, run the following command; an ENCRYPTED PRIVATE KEY block in the output confirms that the key is present:

$ openssl pkcs12 -info -nocerts -in testserver.pfx
...
Shrouded Keybag: ...
Bag Attributes
localKeyID: ...
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
....

where testserver.pfx should be replaced with the actual PFX file name.

Obtaining the intermediate CA certificates

Overview

By default the Mono certificate store is empty, so the required CA and server certificates, including the intermediate CA certificates, have to be imported.

Possible scenarios after receiving the server certificate

You have the certificate in CRT/PEM/CER format

You have received the intermediate CA certificates from the signing authority

In this scenario you already have the intermediate CA certificates in separate files, so you can import them into the Mono store. Usually the certificate authority that signed the server certificate can provide the intermediate certificates on request.

You haven't received the intermediate CA certificates from the signing authority

In this scenario follow these steps:

  • Get detailed information about the certificate; on Linux, use OpenSSL (example):
$ openssl x509 -noout -text -in testserver.crt
  • In the output, search for information on the issuer CA, such as (example):
Authority Information Access:
CA Issuers - URI:http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
  • Download the CA certificate from that URI (the issuer's own certificate is usually available the same way, so the chain can be collected one level at a time)
  • Otherwise, look at the issuer information and obtain the intermediate certificate from that CA:
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Organization Validation Secure Server CA

You have the certificate in PFX format

In this scenario you can export the intermediate CA certs from the PFX file with these steps:

  • On a Windows device, import the PFX file (double-click and select the default store, which will usually be the 'Current User'/'Personal' store); the private key password will be needed
  • Open 'Manage User Certificates' from the Start menu and search for the newly imported certificate in the Certificates - Current User / Personal store. Double-click the certificate, select an intermediate CA on the Certification Path tab, open it and export it from the Details tab / Copy to File. Select the 'Base-64 encoded X.509 (.CER)' format.
  • Copy the .cer files to the Linux server.
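The two PFX checks described above (does the .pfx hold the private key, and how to get the intermediate CA certs out of it) can also be done on the Linux server itself with OpenSSL. The script below is an added example, not part of the OmicSoft documentation; it assumes the .pfx was built with openssl pkcs12 -export (so the server cert carries the key's localKeyID and the CA certs do not), and testserver.pfx / ca_chain.pem are placeholder names.

```shell
#!/bin/sh
# check_pfx PFXFILE PASSWORD [OUTDIR]
# Sanity check of a .pfx before it is handed to OmicSoft Server:
#   1. the bundle carries a private key,
#   2. that key belongs to the server certificate,
#   3. at least one CA cert is bundled and the server cert chains to it,
#   4. the CA certs are written out as PEM (OUTDIR/ca_chain.pem), ready to be
#      imported into the Mono certificate store.
# Note: "pass:..." exposes the password in the process list; prefer
# -passin file:/path/to/pwfile on a shared machine.
check_pfx() {
    pfx=$1; pass=$2; outdir=${3:-.}

    # 1. Export only the private key (-nodes: do not re-encrypt the output).
    #    openssl writes an empty file when the PFX has no key, so grep for it.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/server.key" 2>/dev/null \
        || { echo "$pfx: cannot read bundle (wrong password?)" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$outdir/server.key" \
        || { echo "$pfx: no private key in bundle" >&2; return 1; }

    # Server cert (-clcerts: the cert tagged with the key's localKeyID) and
    # the CA certs (-cacerts: everything else).
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
        -out "$outdir/server.crt" 2>/dev/null || return 1
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts \
        -out "$outdir/ca_chain.pem" 2>/dev/null || return 1

    # 2. Key/cert match: compare the SHA-256 of the two public keys.
    key_hash=$(openssl pkey -in "$outdir/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
    crt_hash=$(openssl x509 -in "$outdir/server.crt" -pubkey -noout | openssl dgst -sha256)
    [ "$key_hash" = "$crt_hash" ] \
        || { echo "$pfx: private key does not match server certificate" >&2; return 2; }

    # 3. At least one CA cert must be bundled and it must sign the server cert.
    #    -partial_chain accepts a chain that stops at an intermediate CA.
    n_ca=$(grep -c 'BEGIN CERTIFICATE' "$outdir/ca_chain.pem" || true)
    [ "$n_ca" -gt 0 ] \
        || { echo "$pfx: no intermediate CA certs in bundle" >&2; return 3; }
    openssl verify -partial_chain -CAfile "$outdir/ca_chain.pem" \
        "$outdir/server.crt" >/dev/null 2>&1 \
        || { echo "$pfx: server certificate does not chain to bundled CAs" >&2; return 4; }

    echo "$pfx: OK, key matches cert, $n_ca CA cert(s) written to $outdir/ca_chain.pem"
}

# Example: sh check_pfx.sh testserver.pfx 'pfx-password' /tmp/omicsoft-certs
[ $# -ge 2 ] && check_pfx "$@"
```

The extracted ca_chain.pem holds the intermediates in PEM (the same Base-64 X.509 form the Windows export produces), so it replaces the Windows round trip in the last section.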