Add Your Own TLS Certificates to Web Servers

Context

This guide assumes that my domain is contoso.org and that I've generated a *.contoso.org wildcard certificate for my Wazuh infrastructure's web interfaces. I have the following DNS records in my environment:

  • wazuh-dashboards.contoso.org
  • owlh-manager.contoso.org

My certificate files have been saved as:

  • star.contoso.org.key -- private key file (PEM, with no passphrase: neither service below is configured to supply one, so an encrypted key would stop it from starting unattended)
  • star.contoso.org.crt -- PEM (base64) encoded certificate file

Wazuh Dashboards

Copy the star.contoso.org.key and star.contoso.org.crt files to the Wazuh Dashboards server. Use scp or sftp for this, not plain FTP, which would send the private key across the network in the clear. Make sure the key is mode 600 on your workstation before copying it: scp applies the source file's permissions to the copy, so a world-readable key lands world-readable in /tmp. Below is an example using scp:

# Copy the files to the /tmp directory on the server
scp star.contoso.org.key user.name@wazuh-dashboards.contoso.org:/tmp
scp star.contoso.org.crt user.name@wazuh-dashboards.contoso.org:/tmp

Now, open a shell on the server (over SSH, for example) and run the following commands (read the comments in the code block):

# The certificate and key files were copied to /tmp
# Now move them to the /etc/wazuh-dashboard/certs directory
sudo mv /tmp/star.contoso.org.key /etc/wazuh-dashboard/certs
sudo mv /tmp/star.contoso.org.crt /etc/wazuh-dashboard/certs

# Set the correct permissions on the files
sudo chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/star.contoso.org.key
sudo chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/star.contoso.org.crt
sudo chmod 400 /etc/wazuh-dashboard/certs/star.contoso.org.key
sudo chmod 644 /etc/wazuh-dashboard/certs/star.contoso.org.crt

# Edit the opensearch_dashboards.yml file to map to the new certificates
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml

Add the certificates to the Wazuh Dashboards server and modify the configuration file

server.ssl.key: "/etc/wazuh-dashboard/certs/star.contoso.org.key"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/star.contoso.org.crt"

Edit these lines in the configuration file and save it. Leave the opensearch.ssl.* entries alone: they govern the dashboard's back-end connection to the Wazuh indexer, not the listener your browser connects to.

sudo systemctl restart wazuh-dashboard.service

Restart the Wazuh Dashboard service

OwlH Manager

Copy the star.contoso.org.key and star.contoso.org.crt files to the OwlH Manager server, again with scp or sftp rather than plain FTP. Below is an example using scp:

# Copy the files to the /tmp directory on the server
scp star.contoso.org.key user.name@owlh-manager.contoso.org:/tmp
scp star.contoso.org.crt user.name@owlh-manager.contoso.org:/tmp

Now, open a shell on the server (over SSH, for example) and run the following commands (read the comments in the code block):

# The certificate and key files were copied to /tmp
# Now move them to the /etc/ssl directory
sudo mv /tmp/star.contoso.org.key /etc/ssl
sudo mv /tmp/star.contoso.org.crt /etc/ssl

# Set the correct permissions on the files
sudo chown root:root /etc/ssl/star.contoso.org.key
sudo chown root:root /etc/ssl/star.contoso.org.crt
sudo chmod 440 /etc/ssl/star.contoso.org.key
sudo chmod 644 /etc/ssl/star.contoso.org.crt

Move the certificate files to their destination and set permissions

Apache

sudo nano /etc/apache2/sites-available/owlh

Edit the OwlH Apache configuration file

SSLCertificateFile /etc/ssl/star.contoso.org.crt
SSLCertificateKeyFile /etc/ssl/star.contoso.org.key

Replace the existing SSLCertificateFile and SSLCertificateKeyFile directives with these. If the certificate was issued through an intermediate CA, append the intermediate certificate(s) to star.contoso.org.crt after the server certificate (or point the deprecated SSLCertificateChainFile directive at them); otherwise browsers cannot build the chain and may fail to validate the site.

sudo systemctl restart apache2.service

Restart Apache. Check the syntax first with apachectl configtest so that a typo does not take the site down.

OwlH API

sudo nano /usr/local/owlh/src/owlhmaster/conf/app.conf

Edit the OwlH application server configuration

HTTPSCertFile = "conf/certs/star.contoso.org.crt"
HTTPSKeyFile = "conf/certs/star.contoso.org.key"

Replace or add these lines to map to your certificate files. The paths are relative to the OwlH master application directory (/usr/local/owlh/src/owlhmaster), so the key and certificate must also be present under /usr/local/owlh/src/owlhmaster/conf/certs (copy them there, or use the absolute /etc/ssl paths) and be readable by the account the OwlH API runs as.

sudo nano /var/www/owlh/conf/ui.conf

Edit the UI configuration file

"ip":"owlh-manager.contoso.org"

Change the ip value from the server's IP address to its FQDN (owlh-manager.contoso.org in this example). The UI uses this value to reach the API, and a certificate issued for *.contoso.org covers that name but not a bare IP address, so the browser would otherwise reject the API's certificate.
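The following script is an added example and is not part of the original page or of the Wazuh or OwlH projects. It bundles the checks worth running on the star.contoso.org pair before copying it to either server (does the key belong to the certificate, does the SAN cover the exact hostname, is it about to expire), plus a live-fingerprint check for after the Wazuh Dashboards or Apache restart. It assumes openssl 1.1.1 or later on PATH; the key, certificate and "other" key it generates are constructed throwaway material so it runs offline, and on the real hosts you would point the functions at the real files.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: checks to run on the
# star.contoso.org pair before copying it to either server, plus a live check
# for after the service restart. Assumes openssl 1.1.1+ is on PATH. The key and
# certificate generated at the bottom are a constructed, self-signed stand-in
# so the script runs offline; on the real hosts point it at the real files.
set -u

# Exit 0 when the private key's public half equals the certificate's public key
# (RSA or EC), i.e. the two files belong together.
key_matches_cert() {  # <key.pem> <cert.pem>
    local k c
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the DNS names in the certificate's subjectAltName, one per line.
cert_dns_names() {  # <cert.pem>
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Exit 0 when SAN entry $1 covers hostname $2. A wildcard matches exactly one
# leftmost label (RFC 6125): *.contoso.org covers owlh-manager.contoso.org but
# neither contoso.org nor a.b.contoso.org.
name_covers_host() {  # <san-name> <host>
    local pat host
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "${pat#\*.}" != "$pat" ]; then
        case $host in
            *.*) [ -n "${host%%.*}" ] && [ "${host#*.}" = "${pat#\*.}" ] ;;
            *)   return 1 ;;
        esac
    else
        [ "$host" = "$pat" ]
    fi
}

# Exit 0 when at least one SAN DNS name in the certificate covers the host.
cert_covers_host() {  # <cert.pem> <host>
    local n
    while IFS= read -r n; do
        [ -n "$n" ] && name_covers_host "$n" "$2" && return 0
    done <<EOF
$(cert_dns_names "$1")
EOF
    return 1
}

# Exit 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {  # <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate file / of the certificate a live listener
# presents. After restarting the service the two must be identical, otherwise
# the service is still serving the old (or a different) certificate.
file_fingerprint() {  # <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}
presented_fingerprint() {  # <host> <port>   e.g. wazuh-dashboards.contoso.org 443
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Run all pre-flight checks; exit 0 only if every one passes.
preflight() {  # <key.pem> <cert.pem> <host> <min-days>
    local rc=0
    if key_matches_cert "$1" "$2"; then echo "ok   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    if cert_covers_host "$2" "$3"; then echo "ok   SAN covers $3"
    else echo "FAIL SAN does not cover $3 (names: $(cert_dns_names "$2" | tr '\n' ' '))"; rc=1; fi
    if cert_valid_for_days "$2" "$4"; then echo "ok   valid for at least $4 more days"
    else echo "FAIL expires within $4 days"; rc=1; fi
    return $rc
}

# --- constructed sample input: throwaway self-signed *.contoso.org pair, plus an
# unrelated key to show what a mismatch looks like ------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=*.contoso.org' \
    -addext 'subjectAltName=DNS:*.contoso.org,DNS:contoso.org' \
    -keyout "$WORK/star.contoso.org.key" -out "$WORK/star.contoso.org.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

echo "== wazuh-dashboards.contoso.org, correct key"
preflight "$WORK/star.contoso.org.key" "$WORK/star.contoso.org.crt" wazuh-dashboards.contoso.org 7
echo "== owlh-manager.contoso.org, wrong key"
preflight "$WORK/other.key" "$WORK/star.contoso.org.crt" owlh-manager.contoso.org 7
echo "file fingerprint: $(file_fingerprint "$WORK/star.contoso.org.crt")"
```

On the real hosts, run preflight against the files in /etc/wazuh-dashboard/certs or /etc/ssl with the exact DNS name users will type, then after the restart compare `presented_fingerprint wazuh-dashboards.contoso.org 443` (or the OwlH port) with `file_fingerprint` of the installed .crt; a mismatch means the service is still serving its previous certificate. The wildcard matcher deliberately refuses multi-label hosts and the bare domain, which is exactly the situation a browser will reject.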

Addendum

Converting PFX Format to OpenSSL Format

You may have a certificate in .pfx (PKCS#12) format, especially if you exported it from a Windows server. Use these commands to split the bundle into a separate private key file and certificate file. Note that -nodes writes the key out unencrypted, so run them in a directory only you can read, and that -clcerts extracts only the server certificate: if the bundle also carries the issuing chain, extract that separately with -cacerts -nokeys and keep it for the chain configuration.

Extract the Private Key

openssl pkcs12 -nodes -in file.pfx -nocerts -out star.contoso.org.key

Extract the Certificate

openssl pkcs12 -in file.pfx -clcerts -nokeys -out star.contoso.org.crt
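The script below is an added example, not part of the original page or of either project. It wraps the two extraction commands above into one function that also pulls out any CA chain in the bundle, strips the "Bag Attributes" header lines openssl pkcs12 writes above each PEM block, and creates the key file with mode 600 from the outset instead of chmod-ing it afterwards. It assumes openssl 1.1.1 or later on PATH; the test CA, leaf certificate and file.pfx it builds are constructed stand-ins for a Windows-exported bundle, and the output file names follow the page's star.contoso.org convention.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: split a .pfx into the separate
# key, leaf-certificate and CA-chain files the Apache and Wazuh steps expect,
# dropping the "Bag Attributes" text openssl pkcs12 prepends and creating the
# key with restrictive permissions. Assumes openssl 1.1.1+ on PATH. The bundle
# built at the bottom is a constructed stand-in for a Windows-exported .pfx.
set -u

# pfx_split <bundle.pfx> <pfx-password> <out-dir> <basename>
# Writes <basename>.key (unencrypted PKCS#8, mode 600), <basename>.crt (the
# end-entity certificate only) and <basename>.chain.crt (CA certificates carried
# in the bundle, possibly empty). Returns non-zero if key or leaf cannot be read.
pfx_split() {
    local pfx=$1 pw=$2 dir=$3 base=$4
    mkdir -p "$dir" || return 1
    (
        umask 077   # key file is born 0600: no world-readable window to chmod away
        # -nodes: write the key unencrypted. Piping through 'openssl pkey' drops
        # the Bag/Key Attributes header lines and re-emits clean PEM.
        openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
            | openssl pkey -out "$dir/$base.key"
    ) || return 1
    # -clcerts: the end-entity certificate only, never the CA chain.
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$dir/$base.crt" || return 1
    # -cacerts: intermediate/root certificates, for appending to the leaf or for
    # SSLCertificateChainFile; keep only the PEM blocks.
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -cacerts -nokeys 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        > "$dir/$base.chain.crt"
    chmod 600 "$dir/$base.key" && chmod 644 "$dir/$base.crt" "$dir/$base.chain.crt"
}

# Number of PEM certificate blocks in a file (0 for an empty chain file).
pem_cert_count() {  # <file.pem>
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 when the leaf chains to the certificates in the chain file, i.e. the
# bundle carried the intermediates the web server has to send to browsers.
leaf_verifies_with_chain() {  # <leaf.crt> <chain.crt>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# --- constructed sample input: a test CA, a *.contoso.org leaf it signs, and a
# password-protected .pfx like the one a Windows export produces --------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Contoso Test CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=*.contoso.org' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/ca.crt" -passout pass:changeit -out "$WORK/file.pfx"

if pfx_split "$WORK/file.pfx" changeit "$WORK/out" star.contoso.org; then
    echo "key:   $(head -n 1 "$WORK/out/star.contoso.org.key")"
    echo "leaf:  $(pem_cert_count "$WORK/out/star.contoso.org.crt") certificate(s)"
    echo "chain: $(pem_cert_count "$WORK/out/star.contoso.org.chain.crt") certificate(s)"
    leaf_verifies_with_chain "$WORK/out/star.contoso.org.crt" "$WORK/out/star.contoso.org.chain.crt" \
        && echo "leaf verifies against the extracted chain"
else
    echo "extraction failed (wrong password or unreadable bundle)"
fi
```

A .pfx exported by older Windows releases is encrypted with RC2-40 or 3DES; on an OpenSSL 3 host the three `openssl pkcs12 -in` calls then fail with an "unsupported" error until the `-legacy` option is added to each. For Apache, concatenate star.contoso.org.chain.crt after the leaf in star.contoso.org.crt (or reference it from SSLCertificateChainFile) so clients receive the full chain.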