Install custom signed certificate on Avamar
1) SSH to the Avamar Server
2) Backup the existing certificate file
cp /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.crt/server.crt.bak
cp /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.bak
optional:
cp /etc/apache2/ssl.crt/CA.crt /etc/apache2/ssl.crt/CA.crt.bak
cp /etc/apache2/ssl.crt/intermediate.cer /etc/apache2/ssl.crt/intermediate.cer.bak
cp /etc/apache2/servercert.p12 /etc/apache2/servercert.p12.bak
3) Regenerate the security certificate and keys:
openssl req -x509 -new -newkey rsa:3072 -nodes -keyout /etc/apache2/ssl.key/server.key -sha512 -out /etc/apache2/ssl.crt/server.crt -days 1825 -subj "/C=Country/ST=State/L=Locality/O=Organization/OU=OrganizationUnit/CN=AvmarServer.xyz.org/emailAddress=MailID@xyz.org"
4) Create the CSR:
openssl x509 -x509toreq -in /etc/apache2/ssl.crt/server.crt -signkey /etc/apache2/ssl.key/server.key -out /etc/apache2/apache.csr
5) Copy "apache.csr" to the admin home directory and change its ownership from root to admin so it can be downloaded:
sudo cp /etc/apache2/apache.csr /home/admin/apache.csr && sudo chown admin:admin /home/admin/apache.csr
6) Using WinSCP download the file apache.csr from /home/admin/
7) Submit the apache.csr file to your organization's Certificate Authority team and get the certificate signed (AvmarServer.cer) along with root (rootCA.cer) & intermediate (intermediate.cer)(optional) certificates.
8) Copy the rootCA.cer, intermediate.cer & AvmarServer.cer to /home/admin/ of the Avamar server using WinSCP
9) Navigate to /home/admin/
cd /home/admin/
10) Copy the rootCA.cer to /etc/apache2/ssl.crt/CA.crt
cp rootCA.cer /etc/apache2/ssl.crt/CA.crt
11) Copy the intermediate.cer to /etc/apache2/ssl.crt/
cp intermediate.cer /etc/apache2/ssl.crt
12) Copy the AvmarServer.cer to /etc/apache2/ssl.crt/server.crt
cp AvmarServer.cer /etc/apache2/ssl.crt/server.crt
13) Navigate to /etc/apache2
cd /etc/apache2
14) Verify the certificates
openssl x509 -noout -text -in ssl.crt/CA.crt
openssl x509 -noout -text -in ssl.crt/intermediate.cer
openssl x509 -noout -text -in ssl.crt/server.crt
15) Create the .p12 file from server.crt, server.key, CA.crt & intermediate.cer. openssl pkcs12 keeps only the last -certfile given on the command line, so concatenate the root and intermediate into one chain file first and pass that once:
cat /etc/apache2/ssl.crt/CA.crt /etc/apache2/ssl.crt/intermediate.cer > /etc/apache2/ssl.crt/chain.crt
openssl pkcs12 -export -in /etc/apache2/ssl.crt/server.crt -inkey /etc/apache2/ssl.key/server.key -certfile /etc/apache2/ssl.crt/chain.crt -out /etc/apache2/servercert.p12 -name "Server-Cert" -passin pass:foo -passout pass:foo
16) List all the certificates in the certificate database
certutil -L -d mod_nss.d
17) Delete a private key and the associated certificate from a database
certutil -F -n Server-Cert -d mod_nss.d
When prompted, type the password changeme123!
18) List again to make sure it is empty
certutil -L -d mod_nss.d
Note: (optional) if the listing is not empty, upgrade the db:
certutil --upgrade-merge -d sql:mod_nss.d --source-dir mod_nss.d --upgrade-id 1
Note: (optional) if -F doesn't work, try -D
certutil -D -n "Certificate Issuing Authority" -d mod_nss.d
19) Import the *.p12 file to NSS database
pk12util -i /etc/apache2/servercert.p12 -d /etc/apache2/mod_nss.d -W foo
When prompted, type the password changeme123!
20) List all the certificates in a certificate database and verify
certutil -L -d mod_nss.d
# We expect to see Server-Cert, the Root CA, and the intermediate CA.
21) Change the permission of /etc/apache2/mod_nss.d
chown -R wwwrun:www /etc/apache2/mod_nss.d
22) Stop and start the httpd2 service
website stop
website start
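As an added example that is not part of the original post, a POSIX shell checker for the files installed in steps 10 to 12: it confirms the key matches the certificate, that the certificate chains to the root through the intermediate, that it covers the hostname clients use, and that it is not about to expire. File paths and the hostname are assumptions passed as arguments; make_test_chain builds constructed throwaway test data so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# certificate files the post places under /etc/apache2 (paths and the
# hostname are passed in as arguments; adjust them to your server).
set -u

# check_avamar_cert SERVER_CRT SERVER_KEY CA_CRT INTERMEDIATE_CER HOSTNAME
# Prints "ok" and returns 0 only when the key matches the certificate, the
# certificate chains to CA_CRT through the intermediate, the certificate
# covers HOSTNAME (SAN or CN), and it does not expire within 30 days.
check_avamar_cert() {
  crt=$1; key=$2; ca=$3; inter=$4; host=$5
  # 1. Compare the SubjectPublicKeyInfo of the key and of the certificate.
  k1=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read key"; return 1; }
  k2=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "cannot read cert"; return 1; }
  [ "$k1" = "$k2" ] || { echo "key/cert mismatch"; return 1; }
  # 2. Root is the trust anchor; the intermediate is supplied but not trusted.
  openssl verify -CAfile "$ca" -untrusted "$inter" "$crt" >/dev/null 2>&1 \
    || { echo "chain does not verify"; return 1; }
  # 3. Clients compare the name they connect to against the SAN/CN.
  openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match" \
    || { echo "hostname $host not covered"; return 1; }
  # 4. 2592000 s = 30 days; fail early enough to renew.
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
    || { echo "expires within 30 days"; return 1; }
  echo "ok"
}

# make_test_chain DIR: constructed throwaway root -> intermediate -> server
# chain so the checks above can be exercised offline (test data only).
make_test_chain() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:avamar.example.test\n' > "$d/srv.ext"
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.crt" -days 60 -subj "/CN=Test Root" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" \
    -out "$d/int.csr" -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 60 -out "$d/intermediate.cer" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -out "$d/server.csr" -subj "/CN=avamar.example.test" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.cer" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/srv.ext" -days 60 -out "$d/server.crt" 2>/dev/null
}
```

On the Avamar server, run it against the real files, e.g. `check_avamar_cert /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.key/server.key /etc/apache2/ssl.crt/CA.crt /etc/apache2/ssl.crt/intermediate.cer AvmarServer.xyz.org`, before building the .p12 in step 15.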