I am setting up a mirror site. Currently we are just using self-signed certificates for testing. For production, we would like to use official certificates so users don’t get warnings when browsing the site, not to mention that it gives real security.
As I understand, two certificates are required. One is on the nginx server which serves the main portal site, the other one is on the download server. I am trying to understand what formats the certificates are in and how to use them.
For nginx, I checked the nginx config, below is what I got:
nginx01:/etc/nginx/sites-enabled$ cat dcc_portal
# Copyright 2014(c) The Ontario Institute for Cancer Research. All rights reserved.
# HTTPS
server {
    listen 443;
    server_name dcc.icgc.org;
    ssl on;
    ssl_certificate /etc/ssl/dcc/portal.crt;
    ssl_certificate_key /etc/ssl/dcc/portal.key;
    location / {
        proxy_pass http://web-cluster;
    }
}
lxv-icgc-nginx01:/etc/ssl/dcc$ file *
portal.crt: PEM certificate
portal.key: PEM RSA private key
It appears nginx uses a PEM certificate and key. So we should get a similar certificate and replace /etc/ssl/dcc/portal.crt and /etc/ssl/dcc/portal.key.
For the download server, it is a little unclear what is required. In the /srv/dcc-download-server/conf directory, there is a file keystore.p12. So I assume the PKCS12 format is accepted. In our testing, we generated a Java keystore file with the command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass <password> -validity 3600 -keysize 2048
and we are using it.
My questions (not really DCC portal specific) are:
- What kind of formats should be used with the download server? Does it matter?
- I don’t know much about how a certificate is used with a Java application. How do we request a certificate to be used with the download server?
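Since Java's keytool reads PKCS#12 keystores natively, the same PEM certificate and key that nginx uses can be bundled into a keystore.p12 for the download server. The script below is an added example (not from the post or the DCC project) that does this bundling after checking the key really belongs to the certificate; it assumes openssl is installed, and the paths and the alias name "portal" are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): bundle the PEM certificate and key
# that nginx already uses into a PKCS#12 keystore for the Java download server.
# Assumptions: openssl is on PATH; file paths and the alias "portal" are placeholders.
set -eu

# pem_to_p12 CERT KEY OUT PASSWORD [CHAIN]
# Refuses to build the keystore if the private key does not belong to the cert.
pem_to_p12() {
  cert=$1; key=$2; out=$3; pass=$4; chain=${5:-}
  # Compare the public key embedded in the certificate with the one derived
  # from the private key; a mismatch means the wrong key file was supplied.
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert")
  key_pub=$(openssl pkey -pubout -in "$key")
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "error: $key does not match $cert" >&2
    return 1
  fi
  if [ -n "$chain" ]; then
    # Include the CA's intermediate chain so Java clients can build the path.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
      -name portal -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$cert" -inkey "$key" \
      -name portal -out "$out" -passout "pass:$pass"
  fi
}

# p12_subject OUT PASSWORD
# Prints the subject of the server certificate stored in the PKCS#12 file,
# the quickest check that the keystore holds the certificate you expect.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}
```

The same PKCS#12 file can also be inspected with `keytool -list -keystore keystore.p12 -storetype PKCS12` to confirm the Java side sees the entry.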