Set up Web SSL Certificate for Metric Insights

This applies to a Metric Insights instance hosted on VMware (CentOS Linux) where the web SSL certificate has not been signed by a certificate authority (CA). For a Metric Insights instance hosted on Amazon EC2 (Debian Linux), see this article.

This article explains how to set up a web SSL certificate for Metric Insights.

1. Web SSL Certificate warning

When running Metric Insights in VMware you will typically see a browser certificate warning upon reaching the site for the first time. Depending on the browser, you can simply accept the SSL certificate warning and continue using Metric Insights. However, if you need a valid SSL certificate, this article walks you through the steps.

2. Create private key and CSR for the Metric Insights server

A private key and a certificate signing request (CSR) are required in order to obtain an SSL certificate. You can create a private key / CSR pair with the following command on any Linux machine:

(Hint: if you run this command directly on the MI server, you won't need to copy the private key file to the machine later.)

openssl req -out your-machine.csr -new -newkey rsa:2048 -nodes -keyout your-machine.key

If you already have a private key that you'd like to use, please run the following command instead:

openssl req -out your-machine.csr -new -key your-machine.key

This command will ask you a number of questions about the machine. Most of them are self-explanatory; however, please pay attention to the following points:

  • 'Common Name' - the common name _must_ be the fully qualified domain name of your server (the same name people will type into the address bar of their browser to access Metric Insights).

  • 'Challenge Password' - leave the challenge password blank; otherwise someone will need to enter a password whenever Apache starts, which is not good for automation.

Once you have answered all the prompts, your private key (your-machine.key) and CSR (your-machine.csr) will have been created in the directory you ran the command from.


3. Request certificate from signing certificate authority

Provide the CSR file to your certificate authority. Many large companies will have their own internal signing authority while others will use one of the many commercial public trusted CAs on the market. Ask the IT or System Administrator in your organization if you are unsure.

Once the signing authority has approved / verified your request, it will issue your SSL certificate. This can usually be downloaded in several file formats. Please request the certificate in Base64-encoded form (often called the PEM format). It should look something like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

4. Place your private key and certificate files on the server

Copy your new certificate file and your private key onto the Metric Insights server into the /opt/mi/ssl directory. Metric Insights expects these files to be named as follows:

  • server.crt - your server's public certificate, as received from the CA
  • server.key - the private key file you generated

cp <your-server-public-certificate-file>.crt /opt/mi/ssl/server.crt
cp <your-server-private-key>.key /opt/mi/ssl/server.key

5. Optional: update the intermediate certificate chain file

If you require any intermediate certificates, download all of them from your signing authority (or ask your local network / IT admin) and place them, as a single chain file, on the MI server:

/opt/mi/ssl/ca.crt

If you do not know whether you need this, you can safely ignore it.

NOTE: The /opt/mi/ssl/ca.crt file must exist and must be an actual certificate file. If you do not need a chain file and have accidentally deleted ca.crt, create a symbolic link to your server's public certificate with the following command:

ln -s /opt/mi/ssl/server.crt /opt/mi/ssl/ca.crt
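The key and CSR generation from step 2, together with the checks a practitioner would run on the files from steps 4 and 5 before restarting Apache, as an added shell example. This is not part of the Metric Insights article or product. It assumes openssl is on the PATH, uses a hypothetical hostname mi.example.com and organisation "Example Corp", and works in a scratch directory with a self-signed stand-in for the CA-issued certificate so it can be dry-run on any Linux machine; on the real server the check functions can be pointed at the files in /opt/mi/ssl instead.

```shell
#!/bin/sh
# Added example; not part of the Metric Insights article or product.
# Builds the key/CSR from step 2 non-interactively, then runs the checks
# worth doing on server.key, server.crt and ca.crt (steps 4 and 5) before
# Apache is restarted. Everything happens in a scratch directory.
set -eu

MI_FQDN="${MI_FQDN:-mi.example.com}"   # assumed hostname; use your real FQDN
MI_ORG="${MI_ORG:-Example Corp}"       # assumed organisation name

# Step 2: key + CSR with the subject given on the command line, so there are
# no prompts. -nodes leaves the key unencrypted, which is what lets Apache
# start unattended; no challenge password is set.
make_csr() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$MI_FQDN/O=$MI_ORG" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# Extract the CN from a CSR; handles both "CN = x, O = y" and "/CN=x/O=y".
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# The CN must be exactly the FQDN users will type into the address bar.
csr_cn_ok() { [ "$(csr_common_name "$1")" = "$MI_FQDN" ]; }

# The CSR's self-signature must verify (catches a corrupted or edited CSR).
csr_verifies() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# Step 4: the private key must not be readable by group or others.
key_is_private() {
    [ -z "$(find "$1" -perm -004)" ] && [ -z "$(find "$1" -perm -040)" ]
}

# Step 4: server.key must be the key behind server.crt. Compare the public
# key derived from each; a mismatch is a common reason Apache refuses to
# start after a certificate swap.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Step 5: ca.crt must exist, parse as a certificate, and actually validate
# server.crt.
chain_ok() {
    dir=$1
    [ -s "$dir/ca.crt" ] || return 1
    openssl x509 -in "$dir/ca.crt" -noout >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Offline counterpart of the s_client/-dates check in step 8.1: succeed only
# if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

report() {  # report <label> <check-function> <args...>: print PASS or FAIL
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Dry run in a scratch directory. There is no CA here, so the CSR is
# self-signed as a constructed stand-in for the CA-issued server.crt, and
# ca.crt is linked to it exactly as the NOTE in step 5 describes.
DEMO_DIR=$(mktemp -d)
make_csr "$DEMO_DIR"
openssl x509 -req -in "$DEMO_DIR/server.csr" -signkey "$DEMO_DIR/server.key" \
    -days 365 -out "$DEMO_DIR/server.crt" 2>/dev/null
ln -sf "$DEMO_DIR/server.crt" "$DEMO_DIR/ca.crt"

report "CSR CN is $MI_FQDN"            csr_cn_ok           "$DEMO_DIR/server.csr"
report "CSR signature verifies"        csr_verifies        "$DEMO_DIR/server.csr"
report "server.key is owner-only"      key_is_private      "$DEMO_DIR/server.key"
report "server.key matches server.crt" key_matches_cert    "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt"
report "ca.crt present and chains"     chain_ok            "$DEMO_DIR"
report "cert valid for 30+ days"       cert_valid_for_days "$DEMO_DIR/server.crt" 30
```

Run it with `sh mi-ssl-check.sh`; every line should print PASS. The key/certificate match and the chain check are the two worth repeating against /opt/mi/ssl on the real server, because those are the failures that only surface when Apache is restarted. The `-checkend` check gives the same answer as the `openssl s_client ... | openssl x509 -dates` command in step 8.1, but from the file rather than over the network.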

6. Test your changes

Test the Apache configuration before restarting:

Debian:

service apache2 configtest

CentOS / RedHat:

service httpd configtest

7. Restart Apache

Debian:

service apache2 restart

CentOS / RedHat:

service httpd restart

8. Verify that the new certificate is in place

Access your instance, and:

  1. Click the lock icon in the address bar to view your site information
  2. Click Details
  3. Select View certificate
  4. Verify Certificate information

8.1. Optionally, you could run the following command

echo | openssl s_client -connect your.metricinsights.host:443 2>/dev/null | openssl x509 -noout -dates

Replace 'your.metricinsights.host' with the hostname or IP address for your Metric Insights server. (This command can be run from a Linux shell prompt on any machine that is able to connect to your Metric Insights server, including the Metric Insights server itself.)

You should get output similar to the following:

notBefore=Mar 18 00:36:43 2015 GMT
notAfter=Mar 20 00:26:42 2018 GMT
