Installing SSL certificates

Install a valid, CA-signed SSL certificate on your HSTS. The certificate is used by two services: the Aspera Node Service (asperanoded) and the IBM Aspera HTTPD Service (asperahttpd).

About this task

Requirements:

  • A server certificate signed by an authorized certificate authority, together with that CA's root certificate or certificate bundle (root certificate with chained or intermediary certificates). For instructions on generating a certificate signing request and obtaining the certificate, see Setting up SSL for your nodes.
  • The certificate and the private key are in .pem format. Other formats are not supported.
    Note: Remove any passphrase that you set on your private key. An encrypted key cannot be read by the services without a prompt and can prevent them from restarting in the following steps.

Procedure Overview:

The procedure modifies or creates three files:

aspera_server_key.pem
  • Created automatically during transfer server installation.
  • Found in the default Aspera installation directory: C:\Program Files\Aspera\Enterprise Server\etc
  • Contains the default private key.
  • In this procedure, you replace the default private key with the new private key that was generated with the certificate signing request (CSR). Treat this file like a password: only the account that runs the Aspera services and administrators need to read it.
aspera_server_cert.pem
  • Created automatically during transfer server installation.
  • Found in the default Aspera installation directory: C:\Program Files\Aspera\Enterprise Server\etc
  • Contains the default self-signed certificate.
  • In this procedure, you replace the default self-signed certificate with the server certificate, as described in step 3.
aspera_server_cert.chain
  • You create this file, as described in the following steps.
  • You place the file in the same directory as aspera_server_key.pem and aspera_server_cert.pem.
  • You place the server certificate, followed by the certificate bundle (chained or intermediary certificates) from the CA, in this file.
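The three files above can be assembled and checked with a script instead of by hand. The following PowerShell is an added example and not IBM or Aspera code; it assumes openssl.exe is on PATH, that the private key has no passphrase, and that the CA delivered the server certificate, intermediaries and root as PEM files. The function names and the file names in the usage line are assumptions. It confirms the private key matches the certificate, orders the CA certificates by Subject/Issuer so the chain is written in ascending order of authority regardless of how the CA named the files, writes all three files without a byte-order mark, and validates the assembled chain against the root with openssl verify before anything is restarted.

```powershell
# Added example (not IBM/Aspera code): assemble and sanity-check the three files
# described above before the services are restarted. Assumes openssl.exe is on PATH,
# that the private key has no passphrase, and that the CA delivered the server
# certificate, intermediaries and root as PEM files. All file names are assumptions.

function Get-PemCertificates {
    # Split a PEM file into its certificates (file order), keeping the PEM text for re-use.
    param([Parameter(Mandatory)][string]$Path)
    $text    = [IO.File]::ReadAllText($Path)
    $pattern = '-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{ Cert = $cert; Pem = $m.Value }
    }
}

function Get-OrderedChain {
    # Server certificate first, then each issuer in turn (ascending authority), ending at
    # the root if it was supplied. Matches on Subject/Issuer names, which assumes the CA
    # wrote them consistently; the order the CA delivered the files in is ignored.
    param([Parameter(Mandatory)]$Leaf, [object[]]$CaCerts = @())
    $ordered = @($Leaf)
    $pool    = [System.Collections.ArrayList]$CaCerts
    $current = $Leaf
    while ($current.Cert.Subject -ne $current.Cert.Issuer) {
        $next = @($pool | Where-Object { $_.Cert.Subject -eq $current.Cert.Issuer })
        if (-not $next) { break }        # top of what we were given (root may be omitted)
        $ordered += $next[0]
        $pool.Remove($next[0])
        $current = $next[0]
    }
    if ($pool.Count) {
        Write-Warning ('Unused CA certificates: ' + (($pool | ForEach-Object { $_.Cert.Subject }) -join '; '))
    }
    $ordered
}

function Test-KeyMatchesCert {
    # Compare the public key derived from the private key with the one in the certificate.
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$CertPath)
    $fromKey  = (& openssl pkey -in $KeyPath -pubout 2>$null) -join "`n"
    $fromCert = (& openssl x509 -in $CertPath -pubkey -noout 2>$null) -join "`n"
    ($fromKey.Length -gt 0) -and ($fromKey -eq $fromCert)
}

function Install-AsperaCertFiles {
    param(
        [Parameter(Mandatory)][string]$NewKey,       # private key generated with the CSR
        [Parameter(Mandatory)][string]$ServerCert,   # certificate issued by the CA
        [string[]]$CaFiles = @(),                    # intermediaries, any order
        [string]$RootFile,                           # root certificate, if the CA supplied it
        [string]$EtcDir = 'C:\Program Files\Aspera\Enterprise Server\etc'
    )
    if (-not (Test-KeyMatchesCert $NewKey $ServerCert)) { throw "$NewKey does not match $ServerCert" }
    $leaf    = @(Get-PemCertificates $ServerCert)[0]   # first block only, in case the CA bundled the chain here
    $caPaths = @($CaFiles) + @($RootFile)
    $cas     = @($caPaths | Where-Object { $_ } | ForEach-Object { Get-PemCertificates $_ })
    $chain   = @(Get-OrderedChain -Leaf $leaf -CaCerts $cas)

    # Step 1: back up the defaults. The backup of the key is still a private key: keep it
    # under the same access restrictions, or delete it once the new key is confirmed working.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    foreach ($name in 'aspera_server_key.pem', 'aspera_server_cert.pem') {
        $p = Join-Path $EtcDir $name
        if (Test-Path $p) { Copy-Item $p "$p.$stamp.bak" }
    }
    # Steps 2-4: write key, server certificate and chain. Written without a BOM, because a
    # BOM in front of "-----BEGIN" stops the PEM from being parsed.
    $utf8 = [Text.UTF8Encoding]::new($false)
    Copy-Item $NewKey (Join-Path $EtcDir 'aspera_server_key.pem') -Force
    [IO.File]::WriteAllText((Join-Path $EtcDir 'aspera_server_cert.pem'), $leaf.Pem + "`n", $utf8)
    $chainPath = Join-Path $EtcDir 'aspera_server_cert.chain'
    [IO.File]::WriteAllText($chainPath, (($chain | ForEach-Object { $_.Pem }) -join "`n") + "`n", $utf8)

    # Offline check before restarting anything: does the assembled chain validate against the root?
    if ($RootFile) {
        & openssl verify -CAfile $RootFile -untrusted $chainPath $ServerCert | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Assembled chain does not validate against the supplied root' }
    }
    $chain | ForEach-Object { '{0}  (expires {1})' -f $_.Cert.Subject, $_.Cert.NotAfter }
}

# Usage (paths are assumptions); then restart the services as described in step 5:
# Install-AsperaCertFiles -NewKey .\myserver.key -ServerCert .\myserver.crt `
#     -CaFiles .\intermediate1.crt, .\intermediate2.crt -RootFile .\root.crt
```

Before restarting the services, check with icacls that aspera_server_key.pem and its .bak copy are readable only by administrators and the account the Aspera services run as; the script deliberately does not change permissions, because the service account differs between installations.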

Changing file names and locations:

If required, the default file names and locations of the certificate, key and chain files can be changed by configuring settings in the transfer server's aspera.conf file, by using asconfigurator commands:

> asconfigurator -x "set_http_server_data;cert_file,path/certfile.pem"
> asconfigurator -x "set_http_server_data;key_file,path/keyfile.pem"
> asconfigurator -x "set_server_data;cert_file,path/certfile.pem"

Note: The chain file for asperanoded must have the same location and base name as the asperanoded certificate file, with the .chain extension in place of .pem (for path/certfile.pem, the chain file is path/certfile.chain).

The commands add the following text to aspera.conf:

<http_server>
    ...
    <key_file>path/keyfile.pem</key_file>     <!-- key file for asperahttpd -->
    <cert_file>path/certfile.pem</cert_file>  <!-- cert file for asperahttpd -->
    ...
</http_server>

<server>
    ...
    <cert_file>path/certfile.pem</cert_file>  <!-- cert file for asperanoded -->
    ...
</server>

Installing the SSL certificates:

Procedure

  1. Back up the default private key and self-signed certificate, by using the following commands:
    C:\> cd "C:\Program Files\Aspera\Enterprise Server\etc"
    C:\> copy aspera_server_key.pem aspera_server_key.pem.bak
    C:\> copy aspera_server_cert.pem aspera_server_cert.pem.bak
  2. Open aspera_server_key.pem and replace the existing content with the new private key that is generated with the certificate signing request (CSR). Save and close the file.
  3. In aspera_server_cert.pem, replace the existing content with the server certificate. Save and close the file.
  4. If the CA provided intermediary certificates (as a single bundle or as separate files), create a certificate chain file named aspera_server_cert.chain and save it in the same directory as the .pem files.
    The certificates must appear in the .chain file in the following order, from the server certificate upward (ascending authority):
    • The server certificate.
    • The intermediary certificate that issued the server certificate, then the certificate that issued that one, and so on. If the CA supplied the intermediaries as separate files, concatenate them into aspera_server_cert.chain in that order, for example:

      intermediary certificate 1
      intermediary certificate 2
      intermediary certificate 3

    • The root certificate, if your CA's bundle includes it.

    For example, the content of the aspera_server_cert.chain file must look similar to:
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_server_certificate.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate certificate #1)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate certificate #2)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate certificate #3)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Root certificate)
    -----END CERTIFICATE-----
    Each BEGIN and END marker has exactly five hyphens on each side; a certificate whose markers were damaged by copying and pasting is silently skipped by the PEM parser.
  5. Restart IBM Aspera Central, the IBM Aspera HTTPD Service, and the Aspera Node Service:
    > sc stop asperacentral
    > sc start asperacentral
    > sc stop asperahttpd
    > sc start asperahttpd
    > sc stop asperanoded
    > sc start asperanoded

    You can also restart these services from the Windows Services panel. Open Search from the taskbar and type Services. In the Services window, right-click each of the three services in turn and select Restart.

  6. Verify the certificates by using OpenSSL.
    1. Test that you can connect to the Aspera Node Service and that it serves the complete chain, by running the following command:
      > openssl s_client -connect myserver:9092
      This example assumes that you are using the default node port (HTTPS 9092). Replace myserver with the IP address or hostname of your server. The output contains a depth=N line for each certificate that OpenSSL examines, a verify error line for each problem found at that depth, a Certificate chain section that lists what the server sent, and a final Verify return code line. Read the result as follows:
      • "Verify return code: 0 (ok)" at the end of the output is the definitive indication of success. The per-certificate "verify return:1" lines only mean that OpenSSL continued checking after the error printed above them; they do not mean that the certificate was trusted. ("verify return:0" appears instead when OpenSSL was started with -verify_return_error and stopped at that error.)
      • The depth at which a verify error appears tells you where the problem is. An error only at the highest depth (the last certificate that the server sent) means that the chain is complete and the OpenSSL that you ran the check from simply does not have your CA's root in its trust store; re-run with -CAfile root.pem to confirm. Errors at depth=0 mean that the server presented only its own certificate and the intermediary certificates are not being served.

      Output examples:

      Complete chain served: In the following sample output the only error is at depth=2, the root certificate, so the server sent the whole chain and only the local trust store lacks the root. Re-run the command with -CAfile pointing at the root certificate and the error disappears.

      depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - 
      For authorized use only", CN = VeriSign Class 3Public Primary Certification Authority - G5
      verify error:num=20:unable to get local issuer certificate
      verify return:0

      Failure: In the following sample output every error is at depth=0, the server certificate itself. The server did not send the intermediary certificates, so OpenSSL cannot find an issuer for the server certificate. Check that aspera_server_cert.chain is in the same directory as aspera_server_cert.pem and has the matching base name, and that you restarted the services.

      depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
      verify error:num=27:certificate not trusted
      verify return:1
      depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
      verify error:num=21:unable to verify the first certificate
      verify return:1
      Note: The Certificate chain section of the output must list as many entries as there are certificates in your chain file. In the following examples the chain file holds the server certificate and two CA certificates, so the output must show three entries to prove that the installation was successful.

      Success: The following example shows the complete chain: the server certificate (0), the intermediary that issued it (1) and the CA certificate above that (2):

      Certificate chain
       0 s:/C=US/ST=California/L=Emeryville/O=IBM/OU=Aspera Inc IT Department/CN=*.asperafiles.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
       1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

      Failure: The following example shows an unsuccessful installation: only the server certificate (entry 0) is displayed, so the intermediary certificates are not being served.

      Certificate chain
       0 s:/C=US/ST=California/L=Emeryville/O=IBM/OU=Aspera Inc IT Department/CN=*.asperafiles.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

    2. If verification fails, inspect your certificate content (subject, issuer, validity period and Subject Alternative Names) by running the following command:
      > openssl x509 -in certificate.crt -text -noout
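The step 6 check above can be scripted so that the depth of each verify error, the number of certificates served and the final Verify return code are interpreted mechanically rather than read by eye. The following PowerShell is an added example and not IBM or Aspera code; it assumes openssl.exe is on PATH, and the function names and host name are assumptions. The parser is exercised offline on a constructed transcript modelled on the "intermediaries missing" failure sample, so it can be tried without a server; the live check runs the same s_client command as the procedure.

```powershell
# Added example (not IBM/Aspera code): run the step-6 check and interpret the result
# mechanically. Assumes openssl.exe is on PATH. Function names are assumptions.

function ConvertFrom-SClientOutput {
    # Pull the chain entries, per-depth verify errors and the final verify code out of
    # what "openssl s_client" printed. Handles both the 1.0.x "/C=US/..." and the
    # 1.1+ "C = US, ..." name formats because it only looks at line prefixes.
    param([Parameter(Mandatory)][string[]]$Lines)
    $chain = @(); $errors = @(); $code = $null; $depth = $null
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($line -match '^\s*(\d+) s:(.+)$') {
            # " N s:<subject>" is followed by "   i:<issuer>"
            $issuer = if ($i + 1 -lt $Lines.Count) { ($Lines[$i + 1] -replace '^\s*i:', '').Trim() } else { '' }
            $chain += [pscustomobject]@{ Depth = [int]$Matches[1]; Subject = $Matches[2].Trim(); Issuer = $issuer }
        } elseif ($line -match '^depth=(\d+) ') {
            $depth = [int]$Matches[1]          # the next "verify error" line refers to this depth
        } elseif ($line -match '^verify error:num=(\d+):(.+)$') {
            $errors += [pscustomobject]@{ Depth = $depth; Num = [int]$Matches[1]; Text = $Matches[2].Trim() }
        } elseif ($line -match '^\s*Verify return code: (\d+)') {
            $code = [int]$Matches[1]
        }
    }
    [pscustomobject]@{ Chain = $chain; Errors = $errors; VerifyCode = $code }
}

function Get-ChainVerdict {
    # Apply the reading rules from step 6: verify code 0 is success; errors only at the top
    # depth mean the local trust store lacks the root; errors at depth 0 mean no intermediaries.
    param([Parameter(Mandatory)]$Parsed, [int]$ExpectedChainLength = 0)
    $served = @($Parsed.Chain).Count
    $top    = [Math]::Max($served - 1, 0)
    if ($ExpectedChainLength -gt 0 -and $served -ne $ExpectedChainLength) {
        return "FAIL: server presented $served certificate(s) but the chain file holds $ExpectedChainLength; check the .chain file name and location and restart the services"
    }
    if ($Parsed.VerifyCode -eq 0) { return 'OK: complete chain served and validated (Verify return code: 0)' }
    $errs = @($Parsed.Errors)
    if ($served -le 1 -and @($errs | Where-Object { $_.Depth -eq 0 }).Count -gt 0) {
        return 'FAIL: only the server certificate is served; intermediaries missing (verify errors at depth=0)'
    }
    if ($errs.Count -gt 0 -and @($errs | Where-Object { $_.Depth -ne $top -or $_.Num -ne 20 }).Count -eq 0) {
        return "WARN: complete chain served but the local OpenSSL does not trust the root (num=20 at depth=$top); re-run with -CAFile <root.pem>"
    }
    'FAIL: ' + (($errs | ForEach-Object { "depth=$($_.Depth) num=$($_.Num) $($_.Text)" }) -join '; ')
}

function Test-AsperaServedChain {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 9092,             # asperanoded default; use the asperahttpd port to check that service
        [string]$CAFile,               # root certificate or bundle to validate against
        [int]$ExpectedChainLength = 0  # number of certificates in aspera_server_cert.chain (0 = skip)
    )
    $opensslArgs = @('s_client', '-connect', "${Server}:${Port}", '-servername', $Server)
    if ($CAFile) { $opensslArgs += @('-CAfile', $CAFile) }
    # s_client reads stdin until EOF; 'Q' on its own line makes it quit after the handshake.
    # 2>&1 merges the depth=/verify lines, which OpenSSL writes to stderr.
    $lines  = & { $ErrorActionPreference = 'Continue'; 'Q' | & openssl @opensslArgs 2>&1 } | ForEach-Object { "$_" }
    $parsed = ConvertFrom-SClientOutput -Lines $lines
    $parsed | Add-Member -NotePropertyName Verdict -NotePropertyValue (Get-ChainVerdict $parsed $ExpectedChainLength) -PassThru
}

# Offline exercise of the parser on a constructed transcript modelled on the
# "intermediaries missing" failure sample in step 6 (no network required):
$sample = @'
depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:C = US, ST = California, L = Emeryville, O = IBM, OU = Aspera Inc IT Department, CN = *.asperafiles.com
   i:C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
Verify return code: 21 (unable to verify the first certificate)
'@ -split "`r?`n"
Get-ChainVerdict (ConvertFrom-SClientOutput -Lines $sample) -ExpectedChainLength 3

# Live check after the services are restarted (host name and root file are assumptions):
# Test-AsperaServedChain -Server myserver -CAFile .\root.crt -ExpectedChainLength 3
```

Run the live check once per service, changing -Port to the asperahttpd port to cover the HTTPD certificate as well. Passing -CAFile with your CA's root is what turns the "local trust store lacks the root" warning into a definitive OK or FAIL; without it, a clean chain still reports num=20 at the top depth on a machine whose OpenSSL has no root store.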