Table of Contents:
- Introduction
- Requirements
- Populating the information
- Getting the required information
4.a Generate Private Key
4.b Self Signed only: Generate CA Key
4.c Self Signed Only: Generate CSR for CA
4.d Self Signed Only: Create the Self CA signed root Certificate
4.e Generate your csr (signed with your private key)
4.f Obtain your signed Certificate
4.g Verify the Certificate obtained
Introduction
This article shows you how to install a certificate for Nexus Dashboard (ND). I will demonstrate how to add a self-signed certificate and a CA-verified certificate at the same time. The steps that can be omitted for the CA-verified certificate are marked clearly.
Requirements
- If you need to generate the keys/certificates, you will need any platform with a Linux-based OS or macOS. You could also SSH in to the ND as rescue-user and perform these steps there.
- You will also need the openssl utility, which is almost always present. If not, just use apt/yum/brew to install it.
- ⚠️ You need to take a backup of your ND, just in case.
Populating the information
Start populating the information in the ND UI if you already have the following:
nd.key — your private key
nd.crt — your CA signed certificate
ca.crt — the CA's public certificate
📗 Note: the contents that you will need to paste in can be copied to buffer and pasted in. You can do a cat command to view the contents and copy to buffer. e.g. cat nd.key, cat nd.crt, cat ca.crt
If you don’t have the above keys and certificates, go to the Getting the required information section, which shows you how to obtain them, and then come back to this section.
On the ND Screen, go to Administrative/Security and click on the Edit button
Figure 1: Security Settings.
On the Next screen populate with the following:
- Key: Paste Your Private Key Contents
- RSA Certificate: Put Your CA signed or Self Signed Certificate Contents
- Root Certificate: Put the CA Certificate (Real CA or Self CA) contents here. Also populate Intermediate Certificate contents if there is one and click on Save
Figure 2: Populating the information on ND UI
That’s all there is to it. The UI of the ND will reload and you should be able to get back in after a few moments from your browser.
Getting the required information
Generate Private Key
openssl genrsa -out nd.key 2048
You will now see the key nd.key in the directory.
Figure 3: Generating the Private Key
Self Signed only: Generate CA Key
Skip this step if you are going to use a real CA.
openssl genrsa -out ca.key 2048
Figure 4: Generating the CA Key
Self Signed Only: Generate CSR for CA
Skip this step if you are going to use a real CA.
openssl req -new -key ca.key -subj "/CN=Self/C=US/O=Private/ST=Texas" -out ca.csr
You will now also see a ca.csr
Figure 5: Generating the CA csr
💡Optional: you can see the contents of the csr with the command:
openssl req -in ca.csr -text -noout
Self Signed Only: Create the Self CA signed root Certificate
Skip this step if you are going to use a real CA.
openssl x509 -req -in ca.csr -signkey ca.key -CAcreateserial -out ca.crt -days 3650
You will now also see a ca.crt
Figure 6: Generating the Private CA root certificate
💡Optional: you can see the contents of the Private CA certificate with the command:
openssl x509 -in ca.crt -text -noout
Generate your csr (signed with your private key)
First create a csr.cfg file, so you can pass in the required information. You can copy and paste the below and modify based on your requirements.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
countryName = US
stateOrProvinceName = Texas
localityName = Plano
organizationName = CSS
organizationalUnitName = DC
commonName = nd.dc.css
emailAddress = no-reply@mydomain.com
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.dc.css
IP.1 = 10.0.0.96
IP.2 = 10.0.0.97
Next, generate your csr
openssl req -new -key nd.key -out nd.csr -config csr.cfg
You will now also see an nd.csr
Figure 7: Generating your CSR
💡Optional: you can see the contents of the csr with the command:
openssl req -in nd.csr -text -noout
Obtain your signed Certificate
For a production deployment you will want to go with a public CA, for example DigiCert, Entrust Datacard, GlobalSign, GoDaddy, Let’s Encrypt, Sectigo etc.
You will have to submit your CSR to the CA and the CA will verify your identity and issue you a signed certificate based on your csr.
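For the Self Signed option you will have to generate your own signed certificate using the generated csr and the self generated ca.key and ca.crt. openssl x509 -req does not copy extensions from the csr by default, so pass csr.cfg again with -extfile and -extensions to carry the subjectAltName entries into the certificate.
openssl x509 -req -in nd.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out nd.crt -days 3600 -extfile csr.cfg -extensions req_ext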
You will now have the certificate file nd.crt
Figure 8: obtaining the certificate
Verify the Certificate obtained
It’s probably a good idea to verify that:
- the certificate was signed properly
openssl verify -verbose -CAfile ca.crt nd.crt
Figure 9: Certificate was signed properly
- the hashes for the key and crt match
openssl x509 -modulus -noout -in nd.crt | shasum
openssl rsa -modulus -noout -in nd.key | shasum
Figure 10: shasum hash check
The same check with md5sum:
openssl x509 -modulus -noout -in nd.crt | md5sum
openssl rsa -modulus -noout -in nd.key | md5sum
Figure 11: md5sum hash check
- the contents are correct, including the expiration date
openssl x509 -in nd.crt -text -noout
Figure 12: Verifying contents of certificate
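The checks in this section can be combined into one pre-flight function, shown here as an added example that is not part of the original article. It also checks for the PEM header lines and for the subjectAltName entries requested in csr.cfg, and it compares public keys rather than modulus hashes, so it also covers non-RSA keys; the function name nd_cert_check and the 30-day default are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight check for the three
# files before pasting them into the ND UI. nd_cert_check is a hypothetical name.
# Usage: nd_cert_check nd.key nd.crt ca.crt [min_days_left]
nd_cert_check() {
    local key="$1" crt="$2" ca="$3" min_days="${4:-30}"
    local rc=0 f key_pub crt_pub

    # 1. Each file must still carry its PEM header line.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "FAIL: $key has no PEM private key header"; rc=1; }
    for f in "$crt" "$ca"; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null ||
            { echo "FAIL: $f has no PEM certificate header"; rc=1; }
    done

    # 2. The certificate must chain to the CA certificate.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; rc=1; }

    # 3. Key and certificate must hold the same public key. Comparing the
    #    public key itself also works for non-RSA keys, unlike -modulus.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || crt_pub=""
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: $key does not match $crt"; rc=1; }

    # 4. The signed certificate must contain a subjectAltName extension.
    openssl x509 -in "$crt" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name' ||
        { echo "FAIL: $crt has no subjectAltName"; rc=1; }

    # 5. The certificate must stay valid for at least min_days more days.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: $crt expires within $min_days days"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $key, $crt and $ca are consistent"
    return "$rc"
}
```

A non-zero return means at least one check failed; each failure is printed on its own line.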
Now, you have all the 3 items you need to install the certificates.
nd.key — your private key
nd.crt — your CA signed certificate
ca.crt — the CA's public certificate
Figure 13: Obtained all items needed to install cert in ND
While copying the contents, please make sure to include the headers, as shown boxed in red below.
Figure 14: Contents of ca.crt to be pasted in Root Certificate Area
Figure 15: Contents of nd.crt to be pasted in RSA Certificate Area
Figure 16: Contents of nd.key to be pasted in the Key Area
⚠️ Make sure to store these files in a safe place.
Now, go to Populating the information Section for reference.