Installing a Signed SSL Certificate Provided by Authorities

In a default IBM Aspera Shares installation, nginx generates and uses a self-signed SSL certificate. Install a signed certificate provided by authorities to secure your server.

1. Create a working directory

   Go to Start menu > All Programs > Accessories > Command Prompt and create a new working directory:

   > mkdir c:\ssl
   > cd c:\ssl

2. Copy openssl.cnf to your working directory.

   Enter the following commands in your Command Prompt window:

   OS Version	Commands
   32-bit Windows	> copy "c:\Program Files\Aspera\HSTS\etc\openssl.cnf" "c:\ssl\" > cd c:\ssl
   64-bit Windows	> copy "c:\Program Files (x86)\Aspera\HSTS\etc\openssl.cnf" "c:\ssl\" > cd c:\ssl

3. Generate your Private Key (.key) and Certificate Signing Request (CSR) (.csr):
   1. Run the following openssl command, where key_name is the name of the unique key that you are creating and csr_name is the name of your CSR:

      $ openssl req -new -config "c:\ssl\openssl.cnf" -nodes -newkey rsa:2048 -keyout key_name.key -out csr_name.csr 

      Note: Windows does not, by default, have a C:\ssl\ directory. If the directory does not exist on your server, create the directory:

      > mkdir c:\ssl
      > copy "C:Program Files (x86)\Aspera\Enterprise Server\etc\openssl.cnf" "c:\ssl"

   2. Configure the certificate's X.509 attributes.
      Important: The Common Name field must be filled in with the fully qualified domain name of the server to be protected by SSL. If you are generating a certificate for an organization outside of the US, see https://www.iso.org/obp/ui/#search/code/ for a list of 2-letter, ISO country codes.
      For example:

      Generating a 1024 bit RSA private key
      ....................++++++
      ................++++++
      writing new private key to 'my_key_name.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [US]: US
      State or Province Name (full name) [Some-State]: CA
      Locality Name (eg, city) []: Emeryville
      Organization Name (eg, company) [Internet Widgits Pty Ltd]: IBM Aspera
      Organizational Unit Name (eg, section) []: ASP
      Common Name (i.e., your server's hostname) []: faspex.asperasoft.com
      Email Address []: faspex@asperasoft.com

   3. When prompted, you can enter extra attributes, including an optional challenge password.
      Manually entering a challenge password when starting the server can be problematic in some situations (for example, when starting the server from system boot scripts). You can skip entering values for any extra attribute by hitting the Enter button.

      ...
      Enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []: 

   After finalizing the attributes, the private key and CSR are be saved to your root directory.

   Important:

   • If you make a mistake when running the OpenSSL command, discard the generated files and run the command again.
   • After successfully generating your key and Certificate Signing Request, secure your private key, as it cannot be re-generated.
4. Send CSR to your signing authority.

   You now need to send your newly generated, unsigned CSR to a Certifying Authority (CA). Once the CSR has been signed, you have a real certificate. Follow the key provider's instructions to generate and submit both your private key and the Certificate Signing Request (CSR) to acquire the certificate.

   Important: Some Certificate Authorities provide a Certificate Signing Request generation tool on their Website. Check with your CA for additional information.
5. Rename the certificate files provided with Shares.
   Locate the original cert.pem and cert.key files in C:\Shares\nginx\conf. Rename them as follows:

   • cert.pem to cert.pem.orig
   • cert.key to cert.key.orig

   You can also use the following commands in your command prompt window to rename the files:

   # cd C:\Shares\nginx\conf
   # move cert.pem cert.pem.orig
   # move cert.key cert.key.orig

6. After receiving your signed certificate from your CA, if the CA requires a bundle or intermediate certificate, you need to concatenate the certificates for them to work with nginx. Bundle your intermediate certificate with your primary certificate.

   > type your_domain_name.crt DigiCertCA.crt >> cert.pem

7. Copy your new SSL cert files to C:\Shares\nginx\conf. If the files are named differently, rename the cert file cert.pem and rename the key file cert.key.
8. Restart the web service.
   Go to Start > Administrative Tools > Services. Right-click on the nginx service and select Restart.