Total Application Security AMI SSL Configuration

To handle secure website URLs (HTTPS), Indusface Total Application Security WAF requires SSL certificates and configuration. It supports only the CRT file format. This page explains how to convert the P12, PFX, PEM and JKS formats into CRT format.

Supported SSL File Format Configuration

There are two types of configurations for the supported SSL file formats.

P12, PFX, PEM, JKS file format Configuration

Prerequisites:

File Format    Password
JKS            Key Password, Keystore Password
PFX/P12        Key Password

SSL Conversion Steps

Follow the steps below to migrate the SSL certificates from your machine to the Indusface Total Application Security WAF AMI in the appropriate file format (CRT).

  1. Copy the certificates to the Indusface TAS-AMI using any file transfer tool into /home/ec2-user.

  2. Log into your AMI using any SSH client (e.g. PuTTY).
    • Specify the destination Host Name or IP Address of the WAF AMI and use the associated Key Pair (the same key pair that was associated when launching the AMI instance from the AWS Marketplace).

  3. A terminal will open up. Specify the Username ec2-user and then proceed with authentication.

  4. Switch to root user by executing the command sudo su -

  5. Copy SSL files to /mnt directory by executing the command cp <cert_filename> /mnt.

  6. Now run the command ls to list all the certificates in the /mnt directory.
  7. Make sure not more than one file exists with the same extension in /mnt.
  8. Change the directory to /media using the command cd /media.

  9. Run the command ls to list the contents of the directory. It will return the file convert_ssl.sh.

  10. Run the command ./convert_ssl.sh <file_format> <domain_name> and press 'y' to provide the password used to convert the files into CRT file format.

    Example: ./convert_ssl.sh p12 www.yourdomain.com
  11. If the certificate file is not password protected, press Enter to proceed.

  12. All the converted files will be placed automatically in the /etc/httpd/ssl folder.

  13. A success message will appear. To confirm, change to the directory with cd /etc/httpd/ssl and run the command ls to list the files in the folder. The following files should be listed:
    <domain_name>.crt
    <domain_name>-server.key
    <domain_name>-chain.crt
If the conversion is not successful, please contact Indusface Support at support@indusface.com.

After completion of SSL configuration, follow the Traffic Routing steps.

CRT file format Configuration
This is the automated way of uploading SSL Certificates. To upload manually, click Skip before entering the information.
  1. Open the certificates in a text editor, for example Notepad or Notepad++ on Windows, or vi on Linux.

  2. Copy the content of the Private Key and paste it in the Private Key field. To verify, you should see "-----END RSA PRIVATE KEY-----" at the end of the content.

  3. Copy the content of the Certificate and paste it in the Certificate field. To verify, you should see "-----END CERTIFICATE-----" at the end of the content.

  4. Copy the content of the Chain Certificate and paste it in the Chain Certificate field. To verify, you should see "-----END CERTIFICATE-----" at the end of the content.

  5. After adding the information click Submit.
Uploading Chain Certificate is optional, whereas Private Key and Certificate are mandatory.

Follow the steps to upload SSL Certificates manually:

Assuming your domain name is "yourdomain.com", rename the SSL certificates to match your domain name, in the format shown in the table.

If you have multiple chain files, combine them all into the single file yourdomain.com-chain.crt.

Certificate               Format
Server Certificate        yourdomain.com.crt
Private Key Certificate   yourdomain.com-server.key
Chain File                yourdomain.com-chain.crt

Follow the steps below to migrate the SSL certificates from your machine to the Indusface Total Application Security WAF AMI:

  1. Copy the above files from your machine to the Indusface TAS AMI using any file transfer tool, into the /tmp directory.

  2. Log into your AMI using any SSH client (e.g. PuTTY).
    1. Specify the destination Host Name or IP Address of the WAF AMI and use the associated Key Pair (the same key pair that was associated when launching the AMI instance from the AWS Marketplace).
  3. A terminal will open up. Specify the Username ec2-user and then proceed with authentication.
  4. Switch to root user by executing the command sudo su -
  5. Change to the SSL directory using the command cd /etc/httpd/ssl/

  6. Run the command below to copy the files from the /tmp directory to /etc/httpd/ssl/:
    cp /tmp/yourdomain* /etc/httpd/ssl/

  7. Run the following command to rename the Apache configuration file:
    mv /etc/httpd/indusface/<yourdomain>.conf.disabled /etc/httpd/indusface/<yourdomain>.conf

  8. Restart Apache by running the command systemctl restart httpd.service

Removing passphrase from the private key
  1. To remove the passphrase from a private key, type the command
    openssl rsa -in yourdomain.com-server.key -out yourdomain.com-server.key1

  2. Enter the passphrase for the website.

  3. Create a backup file of yourdomain.com-server.key by executing the command
    mv yourdomain.com-server.key yourdomain.com-server.key_bak

  4. Rename the file yourdomain.com-server.key1 to yourdomain.com-server.key by executing the command
    mv yourdomain.com-server.key1 yourdomain.com-server.key

  5. Now type the command ls to list the certificates. The following files should be listed:

    yourdomain.com.crt 

    yourdomain.com-server.key 

    yourdomain.com-server.key_bak 

    yourdomain.com-chain.crt

  6. After completion of SSL configuration, follow the Traffic Routing steps.
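
The check below is an added example, not part of the Indusface documentation or the convert_ssl.sh script. It verifies the files that both procedures on this page leave in /etc/httpd/ssl before httpd is restarted: the key is no longer passphrase protected, it matches the certificate, the certificate has not expired, and the key is not readable by other users. The function names, the sample pair and the permission check are assumptions of this example, and it requires the openssl command.

```sh
#!/bin/sh
# Added example, not Indusface code: sanity-check the installed files before
# restarting httpd. check_ssl_files and make_sample are hypothetical helpers.

check_ssl_files() {
  domain="$1"; dir="${2:-/etc/httpd/ssl}"
  crt="$dir/$domain.crt"; key="$dir/$domain-server.key"

  [ -f "$crt" ] && [ -f "$key" ] || { echo "missing $crt or $key"; return 1; }

  # An unencrypted key loads without consulting -passin; an encrypted one fails
  # against this deliberately wrong passphrase, and httpd would prompt for it.
  openssl pkey -in "$key" -passin pass:not-the-passphrase -noout \
    </dev/null 2>/dev/null \
    || { echo "key is passphrase protected or unreadable"; return 2; }

  # Certificate and key belong together only if their public keys are identical.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate and key do not match"; return 3; }

  # -checkend 0 exits non-zero if the certificate has already expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "certificate has expired"; return 4; }

  # Characters 5-10 of the mode string are the group and other permission bits.
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
    || { echo "key readable by group/other; run: chmod 600 $key"; return 5; }

  echo "ok: $domain"
}

# Constructed sample: throwaway self-signed pair using the page's file names.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/$1-server.key" -out "$2/$1.crt" 2>/dev/null
  chmod 600 "$2/$1-server.key"
}

# Usage on the appliance: sh check_ssl.sh yourdomain.com
if [ $# -ge 1 ]; then check_ssl_files "$@"; fi
```

A non-zero exit status identifies the first failed check (1 missing file, 2 encrypted key, 3 mismatch, 4 expired, 5 permissions).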
