Setting Up SSL

The transfer node provides an HTTPS interface for encrypted communication between node machines. For example, if you are running the transfer web UI on machine A, you can use SSL to encrypt its connection to your transfer server or file-storage node on machine B.

The transfer node is configured to use the Aspera preinstalled, self-signed certificate, aspera_server_cert.pem, which is located in the following directory:

The PEM certificate format is commonly issued by Certificate Authorities. PEM certificates have extensions that include .pem, .crt, .cer, and .key, and are Base-64 encoded ASCII files containing "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can be in PEM format.

  1. Navigate to Start menu > All Programs > Accessories > Command Prompt.
  2. Create a working directory:
    > cd c:\
    > mkdir ssl
    > cd c:\ssl
    
  3. Copy openssl.cnf to your working directory

    Enter the following commands in the command prompt window:

    32-bit Windows:
    > copy "c:\Program Files\Common Files\Aspera\common\apache\conf\openssl.cnf" "c:\ssl\"
    > cd c:\ssl

    64-bit Windows:
    > copy "c:\Program Files (x86)\Common Files\Aspera\common\apache\conf\openssl.cnf" "c:\ssl\"
    > cd c:\ssl
    
  4. Generate an RSA Private Key and CSR using OpenSSL by entering the following command in a Command Prompt window, where my_key_name.key is the name of the unique key that you are creating and my_csr_name.csr is the name of the CSR:
    > openssl req -config "c:\ssl\openssl.cnf" -new -nodes -keyout my_key_name.key -out my_csr_name.csr

    Note that in the example above, the .key and .csr files will be written to the c:\ssl\ directory.

  5. Enter your X.509 certificate attributes
    Note: The common name field requires a fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see http://www.iso.org/iso/english_country_names_and_code_elements for a list of 2-letter, ISO country codes.
    Generating a 1024 bit RSA private key
    ....................++++++
    ................++++++
    writing new private key to 'my_key_name.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:Your_2_letter_ISO_country_code
    State or Province Name (full name) [Some-State]:Your_State_Province_or_County
    Locality Name (eg, city) []:Your_City
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your_Company
    Organizational Unit Name (eg, section) []:Your_Department
    Common Name (i.e., your server's hostname) []:secure.yourwebsite.com
    Email Address []:johndoe@yourwebsite.com
    

    Enter additional attributes, such as a challenge password. Press Enter to skip typing a challenge password.

    Note: Manually entering a challenge password when starting the server can be problematic, for example, when starting the server from the system boot scripts.
    ...
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    

    The private key and CSR are saved to your root directory.

    Note: If you make a mistake when running the OpenSSL command, you may discard the generated files and run the command again. After generating your key and CSR, guard your private key, as it cannot be re-generated.
  6. Send the CSR to a Certifying Authority (CA).
    Note: Some CAs provide a Certificate Signing Request generation tool on their Website. Check with your CA for additional information.
  7. Optionally, you can generate a self-signed certificate if:
    • You do not have your certificate signed by a CA.
    • You want to test your new SSL implementation while the CA is signing your certificate.

    You can generate a temporary self-signed certificate that is valid for 1 year through OpenSSL by running the following command:

    openssl x509 -req -days 365 -in my_csr_name.csr -signkey my_key_name.key -out my_cert_name.crt
  8. Create a PEM file that contains both the private key and the certificate by copying and pasting the key and cert files into a single text file. Save the file as cert.pem. Place a copy of the file into the following directory:
    • Windows 32-bit: C:\Program Files\Aspera\Enterprise Server\etc
    • Windows 64-bit: C:\Program Files (x86)\Aspera\Enterprise Server\etc
  9. Restart the node service by running the following commands:
    Windows 32-bit:
    C:\Program Files\Aspera\Enterprise Server\bin> sc stop asperanoded
    C:\Program Files\Aspera\Enterprise Server\bin> sc start asperanoded
    Windows 64-bit:
    C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc stop asperanoded
    C:\Program Files (x86)\Aspera\Enterprise Server\bin> sc start asperanoded
    # /etc/init.d/asperanoded restart
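
The combined cert.pem from step 8 is assembled by hand, so it is worth checking its structure before restarting the node service. The following Python check is an added example, not part of the Aspera documentation or product; the function name check_pem_bundle and the sample blocks are constructed for illustration, and it validates structure only (it does not confirm that the key matches the certificate).

```python
import base64
import re

# A PEM block: matching BEGIN/END lines, each on its own line, around Base64 text.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----[ \t]*\r?$",
    re.DOTALL | re.MULTILINE)
# Labels an unencrypted key written by "openssl req -nodes" can carry.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}


def check_pem_bundle(text):
    """Return a list of problems in a combined key + certificate PEM file."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if len(re.findall(r"-----BEGIN [^-]+-----", text)) != len(blocks):
        problems.append("unmatched, mislabelled or run-together BEGIN/END lines")
    if PEM_BLOCK.sub("", text).strip():
        problems.append("unexpected text outside the PEM blocks")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(label + " body is not valid Base64")
    labels = [label for label, _ in blocks]
    keys = [label for label in labels if label in KEY_LABELS]
    if len(keys) != 1:
        problems.append("expected one private key block, found %d" % len(keys))
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if any(label.endswith("CERTIFICATE REQUEST") for label in labels):
        problems.append("contains a CSR; paste the signed certificate instead")
    return problems


def _pem(label, payload):
    """Build a constructed sample block (placeholder bytes, not real key material)."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


SAMPLE_KEY = _pem("PRIVATE KEY", b"constructed placeholder key bytes")
SAMPLE_CERT = _pem("CERTIFICATE", b"constructed placeholder certificate bytes")
SAMPLE_CSR = _pem("CERTIFICATE REQUEST", b"constructed placeholder CSR bytes")

if __name__ == "__main__":
    print(check_pem_bundle(SAMPLE_KEY + SAMPLE_CERT))  # well-formed bundle
    print(check_pem_bundle(SAMPLE_KEY + SAMPLE_CSR))   # CSR pasted by mistake
```

To check a real file, read it as text and pass the contents to check_pem_bundle; an empty list means the key and certificate blocks are structurally sound.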