SecurityCenter ships with its own default SSL certificate; however, in many cases it is desirable to obtain a custom SSL certificate for enhanced security.
Note: In the example below, two certificate files were received from the CA: “host.crt” and “host.key”. These file names will vary depending on the CA used.
Tip: The custom certificate email address must not be “SecurityCenter@SecurityCenter” or subsequent upgrades will not retain the new certificate.
Use the steps below to upload a custom SSL certificate to your SecurityCenter:
Back up the current certificate and key, which are located in the /opt/sc/support/conf directory. These files are named SecurityCenter.crt and SecurityCenter.key. In the example below, we are placing the backups in /tmp.
# cp /opt/sc/support/conf/SecurityCenter.crt /tmp/SecurityCenter.crt.bak
# cp /opt/sc/support/conf/SecurityCenter.key /tmp/SecurityCenter.key.bak
Copy the new certificates (e.g., host.crt and host.key) to the /opt/sc/support/conf directory and overwrite the current certificates. If prompted to overwrite, press “y”.
# cp host.crt /opt/sc/support/conf/SecurityCenter.crt
# cp host.key /opt/sc/support/conf/SecurityCenter.key
Make sure the files have the correct permissions (644) and ownership (tns) as follows:
# ls -l /opt/sc/support/conf/SecurityCenter.crt
-rw-r--r-- 1 tns tns 4389 May 15 15:12 SecurityCenter.crt
# ls -l /opt/sc/support/conf/SecurityCenter.key
-rw-r--r-- 1 tns tns 887 May 15 15:12 SecurityCenter.key
Caution: If an intermediate certificate is required, it must be copied to the system and given the correct permissions (644) and ownership (tns). Additionally, the line in /opt/sc/support/conf/vhostssl.conf that begins with #SSLCertificateChainFile must have the “#” removed from the beginning of the line to enable the setting. Modify the path and filename to match the certificate that was uploaded.
Restart the SecurityCenter services:
# service SecurityCenter restart
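The checks below are an added example, not part of the vendor procedure: they confirm that the key received from the CA belongs to the certificate, that the certificate does not carry the default email address from the Tip, and that the installed copies have the stated mode and owner. The script name sc_cert_check.sh and the function names are hypothetical; it assumes openssl and GNU stat are present on the host.

```shell
#!/bin/sh
# Added example, not vendor code.
#   sh sc_cert_check.sh host.crt host.key   # before copying
#   sh sc_cert_check.sh post                # after copying, before restart
CONF_DIR=${CONF_DIR:-/opt/sc/support/conf}   # directory from the procedure
OWNER=${OWNER:-tns}                          # owner the procedure requires

# True when the certificate and the private key carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# False when the certificate carries the default address from the Tip,
# which would make an upgrade discard the custom certificate.
email_ok() {
    ! openssl x509 -in "$1" -noout -email 2>/dev/null |
        grep -qix 'SecurityCenter@SecurityCenter'
}

# True when the file has mode 644 and the expected owner (GNU stat).
perms_ok() {
    [ "$(stat -c '%a %U' "$1" 2>/dev/null)" = "644 ${2:-$OWNER}" ]
}

# Checks on the files received from the CA; returns 1 if any check fails.
preflight() {
    rc=0
    pair_matches "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    email_ok "$1" || { echo "FAIL: $1 uses the default email address"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $1 is expired or unreadable"; rc=1; }
    return "$rc"
}

# Checks on the installed copies: still a matching pair, 644, owned by tns.
postcheck() {
    crt=$CONF_DIR/SecurityCenter.crt
    key=$CONF_DIR/SecurityCenter.key
    pair_matches "$crt" "$key" && perms_ok "$crt" && perms_ok "$key"
}

case ${1:-} in
    '')   ;;                                   # no arguments: define functions only
    post) postcheck && echo "installed pair OK" ;;
    *)    preflight "$1" "${2:?usage: host.crt host.key}" && echo "safe to install" ;;
esac
```

Mode 644 leaves SecurityCenter.key readable by every local account, so shell access to the host should be limited accordingly.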