How to Use a Signed SSL Certificate with Airlock
When Airlock is deployed via the AWS Marketplace, Windows Azure Marketplace or other third-party cloud marketplace, SSL will already be enabled via a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate issued to your organization by a trusted authority. The instructions for how to do this are described below.
First, create a private key and a certificate signing request (CSR) for Airlock on your domain. In this walkthrough we are using the domain airlock.yourdomain.com
as an example.
openssl req -new -newkey rsa:2048 -nodes -keyout philter_yourdomain_com.key -out philter_youdomain_com.csr
Submit the CSR to your SSL certificate vendor of choice and complete the SSL certificate ordering process. If prompted for a web server during the process, select Apache or Nginx. Once the process is complete and the certificate is issued you will receive a few files. The files you will need are summarized in the table below. The file names may vary and you may also receive other files as well.
File Name | Description | Creator |
---|---|---|
philter_yourdomain_com.csr |
Certificate signing request | Created by you |
philter_yourdomain_com.key |
Certificate private key | Created by you |
philter_yourdomain_com.ca-bundle |
Intermediate certificates provided by the issuing authority | Received from SSL authority |
philter_yourdomain_com.crt |
The SSL certificate for airlock.yourdomain.com | Received from SSL authority |
When prompted for a keystore password we will use changeit
. It's recommended you use a more secure password.
The first thing to do is to convert the certificate and the private key to PKCS12 format in airlock.p12
:
openssl pkcs12 -export -in philter_yourdomain_com.crt -inkey philter_yourdomain_com.key -name airlock -out airlock.p12
Now import the P12 file into a keystore airlock.jks
:
keytool -importkeystore -deststorepass changeit -destkeystore airlock.jks -srckeystore airlock.p12 -srcstoretype PKCS12
Add the intermediate certificate provided by the issuing authority to the keystore:
keytool -import -alias intermediate -trustcacerts -file philter_yourdomain.com.ca-bundle -keystore airlock.jks
Update Airlock's settings in application.properties
:
# SSL certificate settings
server.ssl.key-store-type=JKS
server.ssl.key-store=/path/to/airlock.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=airlock
Restart Airlock:
sudo systemctl restart airlock
Execute an API status request to verify Airlock is running as expected. With the -v
option we can see the details of the SSL certificate:
curl -v https://airlock.yourdomain.com:8080/api/status
Look in the response for details of the certificate. Our domain was airlock.mtnfog.dev
:
* Server certificate:
* subject: CN=airlock.mtnfog.dev
* start date: Apr 21 00:00:00 2020 GMT
* expire date: Apr 21 23:59:59 2021 GMT
* subjectAltName: host "airlock.mtnfog.dev" matched cert's "airlock.mtnfog.dev"
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.