Custom SSL Certificates for Advanced Application Security

December 4, 2014 | HowTo

SSL (Secure Sockets Layer) is the standard security protocol for establishing an encrypted connection between a web server and a browser. It ensures that all data passed between them remains private and intact, i.e. it cannot be read or tampered with by a third party. Such protection is especially important when transferring confidential information such as credit card transactions, login credentials, etc.

SSL encrypts the data with the help of two keys: a public key that anyone may know and a private (secret) key known only to the recipient of the transmitted message. Once configured on a web server, SSL enables access to the server’s content over the HTTPS protocol (port 443) instead of the default HTTP.

In order to establish an SSL connection, a web server requires an SSL Certificate to be installed: a file that digitally binds a cryptographic key to the holder’s details and the site hostname. Usually such a certificate needs to be signed by a trusted Certificate Authority so that others can trust it, which lets connections to the site or application proceed without warnings.

Jelastic gives you an opportunity to choose between two available solutions:

  • Jelastic SSL
    You can instantly buy an already trusted Jelastic SSL certificate, avoiding any additional checks and time spent on certificate validation. Note that this solution has two compulsory conditions: it can be applied to the default site domain names only (i.e. those ending with the chosen hoster’s domain) and it is not compatible with a Public IP address attached to any of the servers in your environment.
  • Custom SSL
    If you need more flexibility for your application’s hosting, a Custom SSL certificate can be used. For that, you generate the appropriate certificate request (for your custom domain name) and send it to the Certificate Authority (CA) of your choice for validation.


Jelastic supports numerous types of Custom SSL certificates: single- or multi-domain, self-signed (to be covered in detail in future publications), wildcard, extended validation, shared, etc.

In this article we’ll show you how to enable a single-domain Custom SSL certificate for your environment.

Generate a Custom SSL Certificate

In order to add the Custom SSL certificate to your Jelastic environment, you need to have:

  • custom domain name purchased;
  • server key;
  • intermediate certificate or certificate chain (CA);
  • domain certificate.

Therefore, follow these instructions:

1. Buy a Domain name using any domain registrar.

2. Generate your server key for the purchased domain name and create a Certificate Signing Request based on it with any preferred tool.

We’ll use OpenSSL as an example. Depending on the operating system you are using (Windows or Linux/MacOS/FreeBSD), perform the steps in the corresponding instruction section.

For Windows

Download the latest OpenSSL tool version. Extract the received archive and run the tool by double-clicking the openssl.exe file in the bin folder. The files created with OpenSSL will then appear in the same bin directory by default.

  • First, you need to generate a private server key. For that execute the following command:
genrsa -out {keyname} {length}

where

{keyname} – name of the output key file with .key extension (e.g. server.key)
{length} – private key length in bits (e.g. 4096)

Note: DO NOT protect your key with a passphrase, otherwise you’ll get an error during its addition to the Jelastic dashboard.


  • Then you should generate a certificate request based on the prepared key. Create it as follows:
req -config {config_path} -new -key {keyname} -out {reqname}

where

{config_path} – path to the openssl.cnf configuration file, located in the directory with extracted OpenSSL files (specified according to the C:\path\to\openssl.cnf format)
{keyname} – your server key name (the one you’ve generated in the previous step, server.key in our case)
{reqname} – desired name of the output request file with .csr extension (e.g. server.csr).

You’ll be asked a set of questions. Answer them to fill in the certificate information with your data.

IMPORTANT: The Common Name parameter value has to be equal to your purchased domain name, otherwise your certificate won’t be validated.


For Linux/MacOS/FreeBSD

If you don’t have the OpenSSL tool installed yet, install it with the command appropriate for your OS package manager, executed in your terminal. E.g. for Ubuntu/Debian Linux distributions use the following one:

sudo apt-get install openssl

When the installation is complete, proceed to generating the required files. By default, all files created with OpenSSL will appear in the home directory of your local machine user.

  • First, you need to generate a private server key. For that run the following command:
openssl genrsa -out {keyname} {length}

where

{keyname} – name of the output key file with .key extension (e.g. server.key)
{length} – private key length in bits (e.g. 4096)

Note: DO NOT protect your key with a passphrase, otherwise you’ll get an error during its addition to the Jelastic dashboard.


  • Then you should generate a certificate request based on the prepared key. Create it as follows:
openssl req -new -key {keyname} -out {reqname}

where

{keyname} – your server key name (the one you’ve generated in the previous step, server.key in our case)
{reqname} – desired name of the output request file with .csr extension (e.g. server.csr).

You’ll be asked a set of questions. Answer them to fill in the certificate information with your data.

IMPORTANT: The Common Name parameter value has to be equal to your purchased domain name, otherwise your certificate won’t be validated.

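As an added example that is not part of the original post, the following script runs both OpenSSL steps from the Windows and Linux sections above non-interactively and then checks the two conditions the post warns about: the key must carry no passphrase, and the CSR’s Common Name must equal the purchased domain. example.com, server.key and server.csr are placeholders, and the -subj fields other than CN are sample values.

```shell
#!/bin/sh
# Added example (not the post's own code): key + CSR generation with the checks
# a practitioner wants before sending the CSR to the CA and the key to the dashboard.
set -eu

DOMAIN="${DOMAIN:-example.com}"   # placeholder: must equal the purchased domain
KEY="${KEY:-server.key}"          # placeholder output key file
CSR="${CSR:-server.csr}"          # placeholder output request file
BITS="${BITS:-4096}"              # key length in bits, as in the post

# Step 1: RSA private key with NO passphrase (no -aes256/-des3 option given),
# because the dashboard rejects encrypted keys.
gen_key() {
    openssl genrsa -out "$KEY" "$BITS" 2>/dev/null
}

# Step 2: CSR from that key; -subj answers the interactive questions,
# and CN is set to the domain so the CA can validate it.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=$DOMAIN"
}

# Check 1: the key loads with an empty passphrase, i.e. it is unencrypted.
# An encrypted key fails here instead of prompting.
key_has_no_passphrase() {
    openssl rsa -in "$KEY" -noout -passin pass: >/dev/null 2>&1
}

# Check 2: extract the CN from the CSR subject and compare it with the domain.
csr_common_name() {
    openssl req -in "$CSR" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=[[:space:]]*.*CN=\([^,]*\).*$/\1/p'
}

csr_matches_domain() {
    [ "$(csr_common_name)" = "$DOMAIN" ]
}

# Check 3: the CSR's self-signature verifies and its public key is ours,
# so the signed certificate will match the key we upload.
csr_signed_by_key() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 &&
    [ "$(openssl req -in "$CSR" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" ]
}
```

Call gen_key, gen_csr and then the three check functions in order; step 3 of the post (sending the .csr to the CA) stays manual, and the .key file never leaves your machine until it is uploaded to the dashboard.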

3. Send the Certificate Request you’ve created to your preferred Certificate Authority (CA) for signing.

4. The chosen CA verifies the identity of the domain owner and, if everything is in order, sends the Intermediate certificate and Domain certificate back to you.

Once you’ve received all the required files, you can proceed to configuring your environment.

Adjust Environment Topology

In order to be secured with a Custom SSL certificate, your environment should have a custom domain and a Public IP address attached to your application server.

For Python and Node.js applications, your environment should also include the NGINX-balancer server. In this case, the external IP address should be attached to the balancer instead of the application server, as NGINX becomes the entry point of your app.

The same applies to other programming languages if you set up a clustered solution with several application servers for your app hosting, since a load balancer is automatically added in front of your environment.

1. Log into the Jelastic dashboard and Create a new environment (or click the Change environment topology button for an existing one).

2. In the opened Environment Topology dialog, switch to the SSL wizard section and check if all the Custom SSL requirements are fulfilled (i.e. if all the options in the requirements list are marked with a green tick).


If they are not, Jelastic can Adjust your environment in just one click. For that, select the appropriate button next to the list of requirements, and your environment topology will be instantly tuned to meet them.

To complete the adjustment, click Create for a new environment or click on Apply in case you’ve edited the existing one.

Domain Name and A Record Settings

Now you need to set an A Record in order to point your custom domain name to the Public IP address of your application.

1. Select the additional (gear) button for the node with the external IP attached in your environment (i.e. the NGINX-balancer server in the case of Python/Node.js, or the application server in all other cases).

You’ll see a list of IPs, the second of which is the required Public IP address. Click it to select the whole line and copy the address to your clipboard.

2. Then, navigate to the DNS Manager of the chosen domain registrar (the one you used to purchase your custom domain name) and set an A Record there.

Additional information and a detailed example can be found in the appropriate document (starting at the 5th step of the Domain Name and A Record Settings section).

Upload Certificate to the Environment

The last step is to upload the certificate files to your Jelastic environment.

1. Click Settings for the configured environment.


2. In the opened tab, choose the Custom SSL option within the left-hand list.

Upload Server key, Intermediate certificate (CA) and Domain certificate into the appropriate fields.


If you get an error at this stage, make sure your server key is not passphrase-protected. If it is, remove the protection with the following command (you will be prompted for the existing passphrase once, and the new key file is written unencrypted) and upload the files again:

openssl rsa -in {keyname} -out {new-keyname}

Click Save.

Once the servers in your environment have been automatically restarted, check that everything works properly. For that, enter the bound custom domain name (or the attached external IP address) in your browser’s address bar with the https:// scheme specified instead of the default http://. Your application should open without any problems.

That’s all! Now you can be confident that all application data received and sent is encrypted in transit.

Subscribe to our blog so that you don’t miss the upcoming instruction on Self-Signed SSL certificate generation and installation. Register now to start your 2-week free trial and get a significant level of security for your domain names!
