How to Use a Signed SSL Certificate with Philter
Describes how to use a signed SSL certificate with Philter.
When Philter is deployed via the AWS Marketplace, Windows Azure Marketplace or other third-party cloud marketplace, SSL will already be enabled via a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate issued to your organization by a trusted authority. The instructions for how to do this are described below.
First, create a private key and a certificate signing request (CSR) for Philter on your domain. In this walkthrough we are using the domain philter.yourdomain.com as an example.
1
openssl req -new -newkey rsa:2048 -nodes -keyout philter_yourdomain_com.key -out philter_youdomain_com.csr
Copied!
Submit the CSR to your SSL certificate vendor of choice and complete the SSL certificate ordering process. If prompted for a web server during the process, select Apache or Nginx. Once the process is complete and the certificate is issued you will receive a few files. The files you will need are summarized in the table below. The file names may vary and you may also receive other files as well.
File Name
Description
Creator
philter_yourdomain_com.csr
Certificate signing request
Created by you
philter_yourdomain_com.key
Certificate private key
Created by you
philter_yourdomain_com.ca-bundle
Intermediate certificates provided by the issuing authority
Received from SSL authority
philter_yourdomain_com.crt
The SSL certificate for philter.yourdomain.com
Received from SSL authority
When prompted for a keystore password we will use changeit. It's recommended you use a more secure password.
The first thing to do is to convert the certificate and the private key to PKCS12 format in philter.p12:
1
openssl pkcs12 -export -in philter_yourdomain_com.crt -inkey philter_yourdomain_com.key -name philter -out philter.p12
Copied!
Now import the P12 file into a keystore philter.jks:
1
keytool -importkeystore -deststorepass changeit -destkeystore philter.jks -srckeystore philter.p12 -srcstoretype PKCS12
Copied!
Add the intermediate certificate provided by the issuing authority to the keystore:
1
keytool -import -alias intermediate -trustcacerts -file philter_yourdomain.com.ca-bundle -keystore philter.jks
Copied!
Update Philter's settings in application.properties:
1
# SSL certificate settings
2
server.ssl.key-store-type=JKS
3
server.ssl.key-store=/path/to/philter.jks
4
server.ssl.key-store-password=changeit
5
server.ssl.key-alias=philter
Copied!
Restart Philter:
1
sudo systemctl restart philter
Copied!
Execute an API status request to verify Philter is running as expected. With the -v option we can see the details of the SSL certificate:
1
curl -v https://philter.yourdomain.com:8080/api/status
Copied!
Look in the response for details of the certificate. Our domain was philter.mtnfog.dev:
1
* Server certificate:
2
* subject: CN=philter.mtnfog.dev
3
* start date: Apr 21 00:00:00 2020 GMT
4
* expire date: Apr 21 23:59:59 2021 GMT
5
* subjectAltName: host "philter.mtnfog.dev" matched cert's "philter.mtnfog.dev"
6
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
7
* SSL certificate verify ok.
Copied!
Last modified 1yr ago
Copy link