Setting up SSL for Aspera Faspex Nodes

Setting up SSL for your remote transfer server.

By default, your transfer server address is 127.0.0.1 because Aspera^® Faspex™ assumes that it is installed on the same machine as your Aspera transfer server (i.e. Aspera Enterprise Server™ or Aspera Connect Server™ v3.0+). If you are running your transfer server on a different/remote machine (using the Aspera Node API), you can encrypt the connection between the Aspera Faspex Web server and the node using SSL. The transfer node is configured to use the Aspera preinstalled, selfsigned certificate (aspera_server_cert.pem), which is located in the following directory:

/opt/aspera/etc/

Perform the steps below to set up your Aspera Faspex and remote transfer server nodes for HTTPS communication.

ABOUT PEM FILES: The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Important:

Before proceeding, launch the Aspera Faspex Web GUI and go to Server > Configuration > Transfer Server. Here, confirm that Use SSL is enabled (which should be, by default). If you are using a valid, signed certificate, then enable Verify SSL Certificate as well. You do not need to enable Verify SSL Certificate if you are testing a self-signed certificate.

Test your connection to the transfer node using the Aspera Faspex sample cert.pem file.
On your Aspera Faspex machine, go to the following directory to copy the Aspera cert.pem.sample file:
```
/opt/aspera/faspex/config/
```
Place a copy of the sample file in the /ssl directory (shown below) and remove the .sample suffix.
```
/opt/aspera/faspex/config/ssl/
```
Important:
Your cert.pem file should contain the list of CA Root Certificates in PEM format. Please refer to the sample cementer file as a reference.

To verify this setup, create a Aspera Faspex package and confirm that your remote transfer server is able to send the package to another user.
```
Continue to the next step if you would like to create your own SSL Certificate (to either self-sign, or send to a signing authority).
```
Enter the OpenSSL command to generate your Private Key and Certificate Signing Request
In this step, you will generate an RSA Private Key and CSR using OpenSSL. In a Terminal window, enter the following command (where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of your CSR):
```
$ openssl req -new -nodes -keyout my_key_name.key -out my_csr_name.csr
```
Enter your X.509 certificate attributes
After entering the command in the previous step, you will be prompted to input several pieces of information, which are the certificate's X.509 attributes.

Important:
The common name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, please refer to the link http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.
```
Generating a 1024 bit RSA private key
....................++++++
................++++++
writing new private key to 'my_key_name.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
State or Province Name (full name) [Some-State]:Your_State_Province_or_County
Locality Name (eg, city) []:Your_City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
Organizational Unit Name (eg, section) []:Your_Department
Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
Email Address []:johndoe@yourwebsite.com
```
You will also be prompted to input "extra" attributes, including an optional challenge password. Please note that manually entering a challenge password when starting the server can be problematic in some situations (e.g., when starting the server from the system boot scripts). You can skip inputting a challenge password by hitting the "enter" button.
```
...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
After finalizing the attributes, the private key and CSR will be saved to your root directory.

Important:
If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After successfully generating your key and Certificate Signing Request, be sure to guard your private key, as it cannot be re-generated.
Send CSR to your signing authority

You now need to send your unsigned CSR to a Certifying Authority (CA). Once completed, you will have valid, signed certificate.

Important:
Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Please check with your CA for additional information.
(Optional) Generate a Self-Signed Certificate.
At this point, you may need to generate a self-signed certificate because:
- You don't plan on having your certificate signed by a CA
- Or you wish to test your new SSL implementation while the CA is signing your certificate
You may also generate a self-signed certificate through OpenSSL. To generate a temporary certificate (which is good for 365 days), issue the following command:
```
openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
```
Create the PEM file.
After generating a new certificate, you must create a cert.pem file that contains both the private key and the certificate. To do so, copy and paste the entire body of the key and cert files into a single text file and save the file as cert.pem. Lastly, place a copy of the cert.pem file in the Aspera Faspex config/ssl directory (shown below).
```
/opt/aspera/faspex/config/ssl/
```
Important:
Your cert.pem file should contain the list of CA Root Certificates in PEM format. Please refer to the sample cert.pem (described in Step 1, above) as a reference.

To verify this setup, create a Aspera Faspex package and confirm that your remote transfer server is able to send the package to another user.