Installing a Signed SSL Certificate Provided by Authorities

In a default IBM Aspera Shares installation, Apache generates and uses a self-signed SSL certificate. You can find this certificate at the following location:
OS Version File
32-bit Windows
  • C:\Program Files\Common Files\Aspera\Common\apache\conf\server.crt
  • C:\Program Files\Common Files\Aspera\Common\apache\conf\server.key
64-bit Windows
  • C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\server.crt
  • C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\server.key
To set up a signed SSL certificate, follow these steps:
  1. Create a working directory

    Go to Start menu > All Programs > Accessories > Command Prompt and create a new working directory:

    > mkdir c:\ssl
    > cd c:\ssl
  2. Copy openssl.cnf to your working directory.

    Enter the following commands in your Command Prompt window:

    OS Version Commands
    32-bit Windows
    > copy "c:\Program Files\Common Files\Aspera\common\apache\conf\openssl.cnf" "c:\ssl\"
    > cd c:\ssl
    
    64-bit Windows
    > copy "c:\Program Files (x86)\Common Files\Aspera\common\apache\conf\openssl.cnf" "c:\ssl\"
    > cd c:\ssl
    
  3. Enter the OpenSSL command to generate your Private Key and Certificate Signing Request (CSR).

    Run the following command (where key_name.key is the name of the unique key that you are creating and csr_name.csr is the name of your CSR):

    > openssl req -config "c:\ssl\openssl.cnf" -new -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr
    Note: In the example above, the .key and .csr files will be written to the c:\ssl\ directory. Windows does not, by default, have a c:\ssl directory. If the directory does not exist on your machine, first create it with this command:
    > mkdir c:\ssl
    
    After entering the command, you are prompted to enter several pieces of information, which are the certificate's X.509 attributes.
    Important: The Common Name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see https://www.iso.org/obp/ui/#search/code/ for a list of 2-letter, ISO country codes.
    Generating a 1024 bit RSA private key
    ....................++++++
    ................++++++
    writing new private key to 'my_key_name.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
    State or Province Name (full name) [Some-State]:Your_State_Province_or_County
    Locality Name (eg, city) []:Your_City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
    Organizational Unit Name (eg, section) []:Your_Department
    Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
    Email Address []:johndoe@yourwebsite.com
    
    Note: You are prompted to enter "extra" attributes, including an optional challenge password. Manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from the system boot scripts). You can skip entering values for any extra attribute by hitting the "enter" button.
    ...
    Enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

    After finalizing the attributes, the private key and CSR will be saved to your root directory.

    Important: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.
  4. Send CSR to your signing authority.

    You now need to send your unsigned CSR to a Certifying Authority (CA). Once the CSR has been signed, you have a real Certificate. Follow the key provider's instructions to generate and submit both your private key and the Certificate Signing Request (CSR) to acquire the certificate. Here is a list of commonly used certificate authorities.

    Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Check with your CA for additional information.

    At this point, you may need to generate a self-signed certificate because:

    • You don't plan on having your certificate signed by a CA.
    • You wish to test your new SSL implementation while the CA is signing your certificate.
    For information on how to generate a self-signed certificate for temporary use, see Generating a New Self-Signed SSL Certificate.
  5. Copy key and certificate into target directory.

    After receiving your signed certificate from your CA, copy the files into Apache's /conf directory and edit your httpd-ssl.conf file. note that you can store the certificate and key in any directory, as long as the paths are updated in your configuration file.

  6. Store your certificates on your machine.
    For example:
    • C:\my_server.crt
    • C:\my_server.key

    Your certificate provider may require you to also install an Intermediate CA Certificate file. Copy the file to the following location:

    OS Version Path
    32-bit Windows C:\Program Files\Common Files\Aspera\Common\apache\conf\server-ca.crt
    64-bit Windows C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\server-ca.crt
  7. Install the SSL certificate with the following command:
    > asctl apache:install_ssl_cert cert_file key_file [chain_file]
    For example:
    > asctl apache:install_ssl_cert C:\my_server.crt C:\my_server.key C:\Program Files\Common Files\Aspera\Common\apache\conf\server-ca.crt
    You can find the installed certificate at the following location:
    OS Version File
    32-bit Windows
    • C:\Program Files\Common Files\Aspera\Common\apache\conf\server.crt
    • C:\Program Files\Common Files\Aspera\Common\apache\conf\server.key
    64-bit Windows
    • C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\server.crt
    • C:\Program Files (x86)\Common Files\Aspera\Common\apache\conf\server.key