# Working with central KU IT ## New certificate on ku.edu server Form to request new certificate: https://kuit.service-now.com/nav_to.do?uri=%2Fcom.glideapp.servicecatalog_cat_item_view.do%3Fv%3D1%26sysparm_id%3D78fee42fdb2a8850162673e1ba96195b%26sysparm_link_parent%3D322911f41bec6490cf2d337e034bcb23%26sysparm_catalog%3De0d08b13c3330100c8b837659bba8fb4%26sysparm_catalog_view%3Dcatalog_default%26sysparm_view%3Dcatalog_default generate CSR string: ```bash openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr ``` with configuration: ``` Country Name (2 letter code) [XX]:US State or Province Name (full name) []:Kansas Locality Name (eg, city) [Default City]:Lawrence Organization Name (eg, company) [Default Company Ltd]:University of Kansas Organizational Unit Name (eg, section) []:Specify Common Name (eg, your name or your server's hostname) []:biimages.biodiversity.ku.edu Email Address []:alec.white@ku.edu A challenge password []: An optional company name []: ``` Verify configuration with `openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr` with output ``` C = US, ST = Kansas, L = Lawrence, O = University of Kansas, OU = Specify, CN = biimages.biodiversity.ku.edu, emailAddress = alec.white@ku.edu ``` after receiving new certificate files ``` biimages_biodiversity_ku_edu.cer biimages_biodiversity_ku_edu_cert.cer biimages.biodiversity.ku.edu.conf biimages_biodiversity_ku_edu.crt biimages_biodiversity_ku_edu_interm.cer biimages_biodiversity_ku_edu.p7b biimages_biodiversity_ku_edu.pem ``` generate 'fullchain.pem' file with concatenation ```bash cat biimages_biodiversity_ku_edu.pem biimages_biodiversity_ku_edu_interm.cer > fullchain.pem ``` then run commands to copy files into proper locations (make sure the number is incremented ex. 40) ```bash sudo cp server.key /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/privkey40.pem sudo cp biimages_biodiversity_ku_edu.pem /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/cert40.pem; sudo cp biimages_biodiversity_ku_edu_interm.cer /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/chain40.pem; sudo cp fullchain.pem /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/fullchain40.pem; ``` then create symbolic links to where the nginx file looks for SSL files ```bash sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/fullchain40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/fullchain.pem; sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/privkey40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem; sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/chain40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/chain.pem; sudo ln -sf /etc/letsencrypt/archive/biimages.biodiversity.ku.edu/cert40.pem /etc/letsencrypt/live/biimages.biodiversity.ku.edu/cert.pem; ``` here are the line in the '/etc/nginx/conf.d/web-asset-server.conf' nginx file ``` server_name biimages.biodiversity.ku.edu; ssl_certificate /etc/letsencrypt/live/biimages.biodiversity.ku.edu/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem; ``` verify the key and cert are correct by making sure their hashes are the same ```bash sudo openssl x509 -noout -modulus -in /etc/letsencrypt/live/biimages.biodiversity.ku.edu/cert.pem | openssl md5 sudo openssl rsa -noout -modulus -in /etc/letsencrypt/live/biimages.biodiversity.ku.edu/privkey.pem | openssl md5 ``` restart nginx ```bash sudo systemctl restart web-asset-server.service sudo systemctl status web-asset-server.service ``` ## web-portal certificate here are the lines in the `/etc/nginx/conf.d/webportal-nginx.conf` nginx file ``` server_name collections.biodiversity.ku.edu; ssl_certificate /home/specify/keystore/collections_biodiversity_ku_edu_cert.cer; ssl_certificate_key /home/specify/keystore/collections_biodiversity_ku_edu.key; ``` ```bash cat collections_biodiversity_ku_edu.pem collections_biodiversity_ku_edu_interm.cer > fullchain.pem ``` ```bash sudo cp collections_biodiversity_ku_edu_cert.cer /home/specify/keystore/cert.pem sudo cp ~/webportal-keys/webportal_server.key /home/specify/keystore/privkey.pem sudo cp ~/webportal-keys/fullchain.pem /home/specify/keystore/fullchain.pem ``` ```bash sudo chown specify:bi-sp7access cert.pem; sudo chown specify:bi-sp7access privkey.pem; sudo chown specify:bi-sp7access fullchain.pem; ```