Installing SSL Certificates

This topic assumes you have a signed root certificate or certificate bundle (root certificate with chained or intermediary certificates) from an authorized Certificate Authority to configure on your Aspera transfer server. If you need to request a certificate from a Certificate Authority (CA), see the article How to Generate a Certificate Signing Request (CSR) in the Aspera Support Knowledgebase.

Procedure Overview

This procedure describes how to install SSL certificates for an Aspera transfer server. The procedure uses three files:

aspera_server_key.pem
  • Created automatically during transfer server installation.
  • Resides in the default Aspera installation directory: /opt/aspera/etc
  • Contains the default private key.
  • In this procedure, you replace the default private key with the new private key generated with the certificate signing request (CSR).
aspera_server_cert.pem
  • Created automatically during transfer server installation.
  • Resides in the default Aspera installation directory: /opt/aspera/etc
  • Contains the default self-signed certificate.
  • In this procedure, you replace the default self-signed certificate with the content described in step 3 below.
aspera_server_cert.chain
  • You create this file, as described below.
  • You place the file in the same directory as aspera_server_key.pem and aspera_server_cert.pem.
  • You place the certificate bundle (chained or intermediary certificates) from the CA in this file.

The default filenames and locations can be changed by configuring settings in the transfer server's aspera.conf file:

/opt/aspera/etc/aspera.conf

See below for the relevant sections in aspera.conf:

<http_server>
    ...
    <key_file>path/keyfile.pem</key_file>     <!-- key file for asperahttpd -->
    <cert_file>path/certfile.pem</cert_file>  <!-- cert file for asperahttpd -->
    ...
</http_server>

<server>
    ...
    <cert_file>path/certfile.pem</cert_file>  <!-- cert file for asperanoded -->
    ...
</server>

The chain file for asperanoded must match the location and name of the asperanoded certfile, but with the .chain extension.

Install Certificates

  1. Back up the default private key and self-signed certificate, using the following commands:
    # cd /opt/aspera/etc
    # cp aspera_server_key.pem aspera_server_key.pem.bak
    # cp aspera_server_cert.pem aspera_server_cert.pem.bak
  2. In aspera_server_key.pem, replace the existing content with the new private key generated with the certificate signing request (CSR).
  3. In aspera_server_cert.pem, replace the existing content with the following, in the order shown:
    1. the new private key
    2. the server certificate
    3. any chained or intermediary certificates from the CA in order of ascending authority, for example:

      intermediary certificate 1
      intermediary certificate 2
      intermediary certificate 3

    4. the root certificate from the CA
  4. Create a new file named aspera_server_cert.chain. This file must reside in the same directory as the .pem files.

    If you have a certificates bundle from the CA, the contents of aspera_server_cert.chain must consist of the following, in the order shown:

    1. the server certificate
    2. the certificates bundle, which includes the root certificate

    If you do not have a certificates bundle from the CA, the contents of aspera_server_cert.chain must consist of the following, in the order shown:

    1. the server certificate
    2. any chained or intermediary certificates from the CA in order of ascending authority, for example:

      intermediary certificate 1
      intermediary certificate 2
      intermediary certificate 3

    3. the root certificate from the CA
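The four steps above, as an added shell example that is not Aspera's own tooling: it backs up the defaults, writes the key file, and assembles aspera_server_cert.pem and aspera_server_cert.chain in the order the steps require. It assumes PEM input files at whatever paths you pass, the intermediary certificates given in ascending order of authority, and a target directory argument (normally /opt/aspera/etc).

```shell
#!/bin/sh
# Assemble the files from steps 1-4. Added example, not part of the Aspera product.
# Usage (all PEM files):
#   assemble_aspera_certs ETC_DIR KEY SERVER_CERT ROOT_CERT [INTERMEDIARY...]
# ETC_DIR is normally /opt/aspera/etc; intermediaries go in ascending order of authority.
assemble_aspera_certs() {
    etc="$1"; key="$2"; server_cert="$3"; root_cert="$4"; shift 4
    # Step 1: keep the default key and self-signed certificate before overwriting them
    for f in aspera_server_key.pem aspera_server_cert.pem; do
        if [ -f "$etc/$f" ]; then cp "$etc/$f" "$etc/$f.bak"; fi
    done
    # Step 2: the key file holds only the new private key from the CSR
    cp "$key" "$etc/aspera_server_key.pem"
    # Step 3: private key, server certificate, intermediaries (ascending), root
    cat "$key" "$server_cert" "$@" "$root_cert" > "$etc/aspera_server_cert.pem"
    # Step 4 (no CA bundle): server certificate, intermediaries (ascending), root
    cat "$server_cert" "$@" "$root_cert" > "$etc/aspera_server_cert.chain"
}

# Step 4 when the CA supplied a bundle that already ends with the root certificate
assemble_chain_from_bundle() {
    etc="$1"; server_cert="$2"; bundle="$3"
    cat "$server_cert" "$bundle" > "$etc/aspera_server_cert.chain"
}

# Print the PEM block types of a file in order, comma separated, for example
# "PRIVATE KEY,CERTIFICATE,CERTIFICATE": a quick check that the ordering is right
pem_block_order() {
    awk '/^-----BEGIN /{ sub(/^-----BEGIN /, ""); sub(/-----$/, "");
                         printf "%s%s", (n++ ? "," : ""), $0 }' "$1"
}
```

Run pem_block_order on both output files afterwards; aspera_server_cert.pem must start with the private key block and aspera_server_cert.chain must not contain one.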

Restart Services

Restart the services asperacentral, asperahttpd, and asperanoded using the following commands:

# service asperacentral restart
# service asperahttpd restart
# service asperanoded restart

Verify Proper Installation

To verify the root certificate and the certificate chain, run the command-line tool openssl to connect to the asperanoded service. For example, assuming you are using the default node port (HTTPS 9092):

# /opt/aspera/bin/openssl s_client -connect myserver:9092

The output returned from this command will show a return value of 0 for success or 1 for failure.

Success: The following sample output shows that verification was successful because verify return is 0.

depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0

Failure: The following sample output shows that verification failed because verify return is 1.

depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
verify error:num=21:unable to verify the first certificate
verify return:1

Note: You must see as many elements in the output as there are certificates in the chain. In the example below, there is one root certificate and two chained certificates, and therefore the output must show three elements to prove the installation was successful.

Success: The following example shows a successful verification for one root certificate and two intermediary certificates in the chain:

Certificate chain
 0 s:/C=US/ST=California/L=Emeryville/O=IBM/OU=Aspera Inc IT Department/CN=*.asperafiles.com
 i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

Failure: The following example shows an unsuccessful verification, since only one certificate is displayed instead of the full chain.

Certificate chain
 0 s:/C=US/ST=California/L=Emeryville/O=IBM/OU=Aspera Inc IT Department/CN=*.asperafiles.com
 i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

If verification is unsuccessful, run the following command to inspect your certificate content:

# /opt/aspera/bin/openssl x509 -in certificate.crt -text -noout
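The chain-length check from the Note above, as an added shell example (not part of the Aspera documentation or product): it counts the elements under "Certificate chain" in saved openssl s_client output and reads the final "Verify return code: N (...)" line that s_client prints at the end of its output (not shown in the samples above). It assumes the output was captured with something like `openssl s_client -connect myserver:9092 </dev/null > s_client.txt 2>&1`, and the sample in the test is constructed.

```shell
#!/bin/sh
# Post-process captured output of: openssl s_client -connect host:9092 </dev/null
# Added example; the file path is whatever you saved the output to.

# Number of entries under "Certificate chain" (lines like " 0 s:/C=US/...").
# This must equal the number of certificates installed: server + intermediaries + root.
chain_depth() {
    awk '/^Certificate chain/ { in_chain = 1; next }
         /^---/              { if (in_chain) exit }
         in_chain && /^ *[0-9]+ s:/ { n++ }
         END { print n + 0 }' "$1"
}

# Numeric code from the summary line "Verify return code: N (text)"; 0 means the
# chain verified against the local trust store, anything else names the problem.
verify_return_code() {
    sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Combined check: $1 = saved output, $2 = number of certificates you installed.
# Succeeds only when the server sent the whole chain and verification passed.
check_installation() {
    if [ "$(chain_depth "$1")" -eq "$2" ] && [ "$(verify_return_code "$1")" = "0" ]; then
        return 0
    fi
    return 1
}
```

A chain_depth of 1 with a non-zero code such as 21 (unable to verify the first certificate) is the failure pattern shown above: the server is sending only its own certificate, so recheck the contents of aspera_server_cert.chain.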