Add Your Own TLS Certificates to Web Servers
Context
This assumes that my domain is contoso.org. I've generated a *.contoso.org certificate for my Wazuh infrastructure's web interfaces. I have the following DNS records in my environment:
wazuh-dashboards.contoso.org
owlh-manager.contoso.org
My certificate files have been saved as:
star.contoso.org.key -- private key file
star.contoso.org.crt -- base64-encoded certificate file
Wazuh Dashboards
Copy the star.contoso.org.key and star.contoso.org.crt files to the Wazuh Dashboards server. You can use a utility such as scp or ftp to achieve this task. Below is an example using scp:
# Copy the files to the /tmp directory on the server
scp star.contoso.org.key user.name@wazuh-dashboards.contoso.org:/tmp
scp star.contoso.org.crt user.name@wazuh-dashboards.contoso.org:/tmp
Now, open a logon shell on the target and complete the following commands (read the comments in the code block):
# The certificate and key files were copied to /tmp
# Now move them to the /etc/wazuh-dashboard/certs directory
sudo mv /tmp/star.contoso.org.key /etc/wazuh-dashboard/certs
sudo mv /tmp/star.contoso.org.crt /etc/wazuh-dashboard/certs
# Set the correct permissions on the files
sudo chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/star.contoso.org.key
sudo chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs/star.contoso.org.crt
sudo chmod 400 /etc/wazuh-dashboard/certs/star.contoso.org.key
sudo chmod 644 /etc/wazuh-dashboard/certs/star.contoso.org.crt
# Edit the opensearch_dashboards.yml file to map to the new certificates
sudo nano /etc/wazuh-dashboard/opensearch_dashboards.yml
Add the certificates to the Wazuh Dashboards server and modify the configuration file
server.ssl.key: "/etc/wazuh-dashboard/certs/star.contoso.org.key"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/star.contoso.org.crt"
Edit these lines in the configuration file and save it
sudo systemctl restart wazuh-dashboard.service
Restart the Wazuh Dashboard service
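The two server.ssl lines above can be set from a script rather than in nano, which matters once the same wildcard certificate is rolled out to more than one host. The following is an added example, not code from the original article or from the Wazuh project: it replaces an existing line for a top-level key in a YAML-style file such as opensearch_dashboards.yml (including a commented-out one), appends the line if the key is absent, and reads a value back so the change can be verified. The file path in the usage comment is taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): set or read a top-level
# "key: value" entry in a YAML-style config such as
# /etc/wazuh-dashboard/opensearch_dashboards.yml. Running set_yaml_value twice
# for the same key leaves exactly one line for it.

set_yaml_value() {
    file="$1"; key="$2"; value="$3"
    # Escape the dots in keys like server.ssl.key so sed matches them literally
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*#\{0,1\}[[:space:]]*$esc:" "$file"; then
        # Existing line (commented out or not): rewrite it in place
        sed -i "s|^[[:space:]]*#\{0,1\}[[:space:]]*$esc:.*|$key: \"$value\"|" "$file"
    else
        # Key not present yet: append it
        printf '%s: "%s"\n' "$key" "$value" >> "$file"
    fi
}

# Print the value currently set for a top-level key, with surrounding quotes stripped.
get_yaml_value() {
    file="$1"; key="$2"
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    sed -n "s/^$esc:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$file"
}

# Usage on the Wazuh Dashboards host (paths as in the article):
# set_yaml_value /etc/wazuh-dashboard/opensearch_dashboards.yml server.ssl.key /etc/wazuh-dashboard/certs/star.contoso.org.key
# set_yaml_value /etc/wazuh-dashboard/opensearch_dashboards.yml server.ssl.certificate /etc/wazuh-dashboard/certs/star.contoso.org.crt
# get_yaml_value /etc/wazuh-dashboard/opensearch_dashboards.yml server.ssl.key
```

Back the file up before running this against a live installation; `sed -i` rewrites it in place, and the stock file ships with its own server.ssl.key and server.ssl.certificate lines pointing at the default certificates, which this overwrites.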
OwlH Manager
Copy the star.contoso.org.key and star.contoso.org.crt files to the OwlH Manager server. You can use a utility such as scp or ftp to achieve this task. Below is an example using scp:
# Copy the files to the /tmp directory on the server
scp star.contoso.org.key user.name@owlh-manager.contoso.org:/tmp
scp star.contoso.org.crt user.name@owlh-manager.contoso.org:/tmp
Now, open a logon shell on the target and complete the following commands (read the comments in the code block):
# The certificate and key files were copied to /tmp
# Now move them to the /etc/ssl directory
sudo mv /tmp/star.contoso.org.key /etc/ssl
sudo mv /tmp/star.contoso.org.crt /etc/ssl
# Set the correct permissions on the files
sudo chown root:root /etc/ssl/star.contoso.org.key
sudo chown root:root /etc/ssl/star.contoso.org.crt
sudo chmod 440 /etc/ssl/star.contoso.org.key
sudo chmod 644 /etc/ssl/star.contoso.org.crt
Move the certificate files to their destination and set permissions
Apache
sudo nano /etc/apache2/sites-available/owlh
Edit the OwlH Apache configuration file
SSLCertificateFile /etc/ssl/star.contoso.org.crt
SSLCertificateKeyFile /etc/ssl/star.contoso.org.key
Replace the existing SSL configurations with these
sudo systemctl restart apache2.service
Restart Apache
OwlH API
sudo nano /usr/local/owlh/src/owlhmaster/conf/app.conf
Edit the OwlH application server configuration
HTTPSCertFile = "conf/certs/star.contoso.org.crt"
HTTPSKeyFile = "conf/certs/star.contoso.org.key"
Replace or add these lines to map to your certificate files
sudo nano /var/www/owlh/conf/ui.conf
Edit the UI configuration file
"ip":"hostname.domain.tld"
Change the IP configuration to use the FQDN
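Both procedures above end with a service restart, and a mismatched key, a certificate whose SAN does not cover the hostname, or a key left world-readable only shows up after the restart, when the service fails to start or the browser still complains. The following is an added example, not code from the original article or from the Wazuh or OwlH projects: a set of pre-restart checks for either host (file format, permissions, key/certificate match, SAN coverage) and a post-restart check that the service actually presents the installed certificate. Hostnames and paths follow the article; the allowed key modes passed in the usage comments are the 400 and 440 the article sets.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for an
# installed TLS key/certificate pair, plus a post-restart check of what the
# service serves. Requires the openssl command-line tool.

# Return 0 if the file's octal mode is one of the allowed modes given.
mode_ok() {
    file="$1"; shift
    actual=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    for allowed in "$@"; do
        [ "$actual" = "$allowed" ] && return 0
    done
    echo "bad mode $actual on $file (expected one of: $*)" >&2
    return 1
}

# Return 0 if the file contains a line matching the given PEM header pattern.
pem_has() {
    grep -q -- "$2" "$1"
}

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key, i.e. this key really belongs to this cert.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if a DNS SAN equals the host exactly or is the single-label wildcard
# for its parent domain (*.contoso.org covers wazuh-dashboards.contoso.org but
# not a.b.contoso.org, which is how browsers match wildcards).
cert_covers_host() {
    cert="$1"; host="$2"; wildcard="*.${host#*.}"
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p' | tr -d ' ' \
        | grep -qxF -e "$host" -e "$wildcard"
}

# All pre-restart checks for one host; any extra arguments are the allowed key modes.
preflight() {
    key="$1"; cert="$2"; host="$3"; shift 3
    pem_has "$key" 'PRIVATE KEY-----' || { echo "$key is not a PEM private key" >&2; return 1; }
    pem_has "$cert" '-----BEGIN CERTIFICATE-----' || { echo "$cert is not a PEM certificate" >&2; return 1; }
    mode_ok "$key" "$@" || return 1
    mode_ok "$cert" 644 || return 1
    key_matches_cert "$key" "$cert" || { echo "private key does not match $cert" >&2; return 1; }
    cert_covers_host "$cert" "$host" || { echo "$cert has no SAN covering $host" >&2; return 1; }
}

# After the restart: fetch the certificate the service presents for this name
# (with SNI) and compare its SHA-256 fingerprint with the installed file.
served_cert_matches() {
    host="$1"; port="$2"; cert="$3"
    expected=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
    served=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$served" ] && [ "$served" = "$expected" ]
}

# Usage (paths and hostnames from the article):
# preflight /etc/wazuh-dashboard/certs/star.contoso.org.key \
#           /etc/wazuh-dashboard/certs/star.contoso.org.crt wazuh-dashboards.contoso.org 400
# preflight /etc/ssl/star.contoso.org.key /etc/ssl/star.contoso.org.crt owlh-manager.contoso.org 440
# served_cert_matches wazuh-dashboards.contoso.org 443 /etc/wazuh-dashboard/certs/star.contoso.org.crt
```

Run preflight as root (or as a user allowed to read the key) right after the chmod step and before the systemctl restart; the same checks apply to a key and certificate extracted from a PFX with the commands in the addendum, where the mode check matters because `-nodes` writes the private key to disk unencrypted. The served_cert_matches check is the one to run after the restart, since the web server may keep serving a cached or default certificate if the configuration file was not reloaded.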
Addendum
Converting PFX Format to OpenSSL Format
You may have a certificate in the .pfx format, especially if you exported a certificate from a Windows server. Use these commands to output the contents of this file such that the private key and certificate are two distinct files.
Extract the Private Key
openssl pkcs12 -nodes -in file.pfx -nocerts -out star.contoso.org.key
Extract the Certificate
openssl pkcs12 -in file.pfx -clcerts -nokeys -out star.contoso.org.crt