Install custom signed certificate on Avamar
1) SSH to the Avamar Server
2) Backup the existing certificate file
cp /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.crt/server.crt.bak
cp /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.bak
optional:
cp /etc/apache2/ssl.crt/CA.crt /etc/apache2/ssl.crt/CA.crt.bak
cp /etc/apache2/ssl.crt/intermediate.cer /etc/apache2/ssl.crt/intermediate.cer.bak
cp /etc/apache2/servercert.p12 /etc/apache2/servercert.p12.bak
3) Regenerate the security certificate and keys:
openssl req -x509 -new -newkey rsa:3072 -nodes -keyout /etc/apache2/ssl.key/server.key -sha512 -out /etc/apache2/ssl.crt/server.crt -days 1825 -subj "/C=Country/ST=State/L=Locality/O=Organization/OU=OrganizationUnit/CN=AvmarServer.xyz.org/emailAddress=MailID@xyz.org"
4) Create the CSR:
openssl x509 -x509toreq -in /etc/apache2/ssl.crt/server.crt -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/apache.csr
5) Use the following command to copy file “apache.csr” and change the permission from root to admin
sudo cp /etc/apache2/apache.csr /home/admin/apache.csr && sudo chown admin:admin /home/admin/apache.csr
6) Using WinSCP download the file apache.csr from /home/admin/
7) Submit the apache.csr file to your organization's Certificate Authority team and get the certificate signed (AvmarServer.cer) along with root (rootCA.cer) & intermediate (intermediate.cer)(optional) certificates.
8) Copy the rootCA.cer, intermediate.cer & AvmarServer.cer to /home/admin/ of the Avamar server using WinSCP
9) Navigate to /home/admin/
cd /home/admin/
10) Copy the rootCA.cer to /etc/apache2/ssl.crt/CA.crt
cp rootCA.cer /etc/apache2/ssl.crt/CA.crt
11) Copy the intermediate.cer to /etc/apache2/ssl.crt/
cp intermediate.cer /etc/apache2/ssl.crt
12) Copy the AvmarServer.cer to /etc/apache2/ssl.crt/server.crt
cp AvmarServer.cer /etc/apache2/ssl.crt/server.crt
13) Navigate to /etc/apache2
cd /etc/apache2
14) Verify the certificates
openssl x509 -noout -text -in ssl.crt/CA.crt
openssl x509 -noout -text -in ssl.crt/intermediate.cer
openssl x509 -noout -text -in ssl.crt/server.crt
15) Create .p12 file using server.crt, server.key, CA.crt & intermediate.cer
openssl pkcs12 -export -in /etc/apache2/ssl.crt/server.crt -inkey /etc/apache2/ssl.key/server.key -certfile /etc/apache2/ssl.crt/CA.crt -certfile /etc/apache2/ssl.crt/intermediate.cer -out /etc/apache2/servercert.p12 -name "Server-Cert" -passin pass:foo -passout pass:foo
16) List all the certificates in the certificate database
certutil -L -d mod_nss.d
17) Delete a private key and the associated certificate from a database
certutil -F -n Server-Cert -d mod_nss.d
When prompted, type the password changeme123!
18) List again to make sure it is empty
certutil -L -d mod_nss.d
Note: (optional) if not empty, upgrade the db:
certutil --upgrade-merge -d sql:mod_nss.d --source-dir mod_nss.d --upgrade-id 1
Note: (optional) if -F doesn’t work, try -D
certutil -D -n "Certificate Issuing Authority" -d mod_nss.d
19) Import the *.p12 file to NSS database
pk12util -i /etc/apache2/servercert.p12 -d /etc/apache2/mod_nss.d -W foo
When prompted, type the password changeme123!
20) List all the certificates in a certificate database and verify
certutil -L -d mod_nss.d
# We expect to see Server-Cert, the Root CA, and the intermediate CA.
21) Change the permission of /etc/apache2/mod_nss.d
chown -R wwwrun:www /etc/apache2/mod_nss.d
22) Stop and start the httpd2 service
website stop
website start
