
How to Enable SSL in Scrutinizer

mikelp

One of the most common cases we get up here in support is helping customers with their SSL certificates (or TLS or HTTPS domain, depending on your verbiage of choice). This is an easy task to perform.

Log in to the appliance through console access or SSH into the device. From there, type:

Scrut_util.exe

set ssl on

Follow the prompts.

What is the secure tcp port to be used [443]? 443

What is the two-letter abbreviation for your country? US

What is the state/province of your organization? ME

What is the city of your organization? Kennebunk

What is the name of your organization? Plixer

What is the organizational unit? Support

What is the contact’s email address? [email protected]

What is the server name or IP of the Scrutinizer server? 10.1.15.11

What is the key encryption size? (2048, 4096) [2048]? 4096

There! That was an easy topic! See you all next…

What? You have a signed certificate?

…Well, we can easily set that up too.

How to Enable SSL with a Signed Certificate

A signed certificate can be (and usually is) paired with a private key. For simplicity's sake, rename your cert and key to ca.crt and ca.key, which are the file names used in the steps below.

After running the set ssl on command in scrut_util, find the ca.csr file in /etc/pki/tls/certs.

Send the server.csr or ca.csr file to the Certificate Authority (CA). Ask them to sign it and return it Base64 (PEM) encoded, not DER encoded.

Once you receive the signed SSL cert, stop the Apache service.

service httpd stop

Now replace the active SSL cert with the new one.

To do this, move the current ca.crt (in /etc/pki/tls/certs) to ca.crt.bak to back up the original certificate.

mv ca.crt ca.crt.bak

Then create the ca.crt file and paste in the new cert.

vi ca.crt

Write and quit.

:wq

Alternatively, you can SCP the file to Scrutinizer.

$ scp foobar.txt [email protected]:/etc/pki/tls/certs

Restart Apache.

service httpd restart

If there is a key, navigate to /etc/pki/tls/private.

mv ca.key ca.key.bak

Then you can either SCP the file to the correct location or create a new file and paste the key in.

Write and quit.

:wq

Finally, restart Apache.

service httpd restart

Troubleshooting

If you get an error message when restarting Apache, contact support, or check the system journal yourself:

journalctl -xe

This is the first place I go to troubleshoot. Usually the cert is not encoded in Base64 or the key is not in the proper location. If a problem arises, we have probably seen it before, so give us a call.
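The two failure causes named above (a DER-encoded cert, or a key that is not where Apache expects it or does not belong to the cert) can both be caught before the httpd restart. The script below is an added example and is not part of the original post or of Plixer's scrut_util; it assumes the openssl command-line tool is present on the appliance (it ships with the OpenSSL package on RHEL/CentOS-style systems) and uses the file paths from the post. The function names (check_ssl_pair, csr_key_bits, is_pem, is_der) are my own. It checks that the cert is PEM rather than DER, that both files parse, that the certificate's public key matches the private key, and that the certificate is not expired; csr_key_bits lets you confirm that the CSR generated by set ssl on carries the key size you chose at the prompt.

```shell
#!/bin/sh
# Added example (not from the original post or from Plixer): pre-flight checks
# for the replacement certificate and key before "service httpd restart".
# Assumes the openssl CLI is installed. Default paths are the ones the post uses.

# True if the file carries PEM armour (Base64 between BEGIN/END lines).
is_pem() {
    grep -q -- '-----BEGIN' "$1"
}

# True if the file starts with the ASN.1 SEQUENCE tag 0x30, i.e. looks like DER.
is_der() {
    [ "$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]
}

# Print the RSA key size (in bits) embedded in a CSR, e.g. 4096.
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -text -noout 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Validate a cert/key pair. Returns 0 when everything checks out, 1 otherwise.
check_ssl_pair() {
    cert="$1"
    key="$2"
    [ -r "$cert" ] || { echo "FAIL: cannot read certificate $cert"; return 1; }
    [ -r "$key" ]  || { echo "FAIL: cannot read private key $key (is it in /etc/pki/tls/private?)"; return 1; }

    # 1. Encoding: the CA must have returned Base64/PEM, not DER.
    if ! is_pem "$cert"; then
        if is_der "$cert"; then
            echo "FAIL: $cert is DER encoded; convert it with: openssl x509 -inform der -in $cert -out ca.crt"
        else
            echo "FAIL: $cert is not a PEM certificate"
        fi
        return 1
    fi

    # 2. Both files must parse. An empty -passin makes an encrypted key fail
    #    here instead of hanging on a passphrase prompt.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert does not parse as an X.509 certificate"; return 1; }
    openssl pkey -in "$key" -noout -passin pass: 2>/dev/null \
        || { echo "FAIL: $key does not parse as an unencrypted private key"; return 1; }

    # 3. The certificate must have been issued for this key: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $cert was not issued for the key in $key"; return 1; }

    # 4. Validity window: -checkend 0 fails if the cert is already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired"; return 1; }

    # 5. Permissions: warn (do not fail) if the key is group/world readable.
    mode=$(ls -l "$key" | cut -c5-10)
    [ "$mode" = "------" ] || echo "WARN: $key is readable by group/other (ls -l shows $mode)"

    echo "OK: $cert is PEM, matches $key, and is currently valid"
    return 0
}

# Run directly with two arguments to check a pair, e.g.
#   sh check_ssl.sh /etc/pki/tls/certs/ca.crt /etc/pki/tls/private/ca.key
if [ "$#" -eq 2 ]; then
    check_ssl_pair "$1" "$2"
    exit $?
fi
```

Run it after copying the files into place and before restarting Apache; a FAIL line names the specific problem, which is quicker than reading through journalctl -xe after a failed restart. The DER message includes the one-line openssl conversion, since that is the most common fix.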

If you find these steps to be difficult or come across bumps on the way, please reach out to support at 207.324.8805 *4. We can get you up and running.

While setting up SSL, you might like this blog from my colleague Joanna on Setting Up LDAP with Scrutinizer.