How to implement SSL on Resin 4.0.8
Pre-installation notes
The guide below is based on the previous guide, Hardening guide for Resin Professional 4.0.8 on RHEL 5.4.
- Log in to the server using the root account.
- Change permissions on the keys folder:
chmod 640 /usr/local/resin/keys
- Run the command below to generate a key pair:
/usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024
Specify a complex pass phrase for the private key (and document it).
- Run the command below to generate the CSR:
/usr/bin/openssl req -new -key /usr/local/resin/keys/server.key -out /tmp/resin.csr
Note: The command above should be written as one line.
- Send the file /tmp/resin.csr to a Certificate Authority server.
- As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines) into Notepad, and save the file as “server.crt”
- Copy the file “server.crt” using SCP into /usr/local/resin/keys/
- Follow the link in the email from the CA server to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).
- Copy the file “ca-bundle.crt” using SCP into /usr/local/resin/keys/
- Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section below from:
<!-- SSL port configuration: -->
<http address="*" port="8443">
  <jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http>
To:
<http address="Server_DNS_Name" port="443">
  <openssl>
    <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
    <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
    <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
    <password>my-password</password>
  </openssl>
</http>
Note: Replace “my-password” with the password for the “server.key” file.
- Restart the Resin services:
/etc/init.d/resin restart
- Back up the file:
/usr/local/resin/keys/server.key
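A check that can be run against resin.xml before the restart step above, as an added example that is not part of the original guide or of Resin. It flags a leftover self-signed listener, the unreplaced “my-password” placeholder, missing certificate files, and a private key that users outside its owner and group can access. The function names, the <resin> wrapper around the samples and the permission rule are assumptions made for this illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed samples: the two listener blocks from this guide inside a <resin> wrapper.
BEFORE = """<resin><http address="*" port="8443">
  <jsse-ssl self-signed-certificate-name="resin@localhost"/>
</http></resin>"""
AFTER = """<resin><http address="Server_DNS_Name" port="443"><openssl>
  <certificate-key-file>/usr/local/resin/keys/server.key</certificate-key-file>
  <certificate-file>/usr/local/resin/keys/server.crt</certificate-file>
  <certificate-chain-file>/usr/local/resin/keys/ca-bundle.crt</certificate-chain-file>
  <password>my-password</password>
</openssl></http></resin>"""
FILE_TAGS = ("certificate-key-file", "certificate-file", "certificate-chain-file")

def local(tag):
    """Drop an XML namespace prefix so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_listeners(xml_text, check_files=True):
    """Return findings for every <http> listener in a resin.xml document."""
    findings = []
    for http in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "http"):
        port = http.get("port")
        kids = {local(c.tag): c for c in http}
        if "jsse-ssl" in kids:
            findings.append(f"port {port}: self-signed jsse-ssl listener still configured")
        if "openssl" not in kids:
            continue
        values = {local(c.tag): (c.text or "").strip() for c in kids["openssl"]}
        if values.get("password") == "my-password":
            findings.append(f"port {port}: placeholder password not replaced")
        for tag in FILE_TAGS:
            path = values.get(tag)
            if not path:
                findings.append(f"port {port}: <{tag}> is missing or empty")
            elif check_files and not os.path.isfile(path):
                findings.append(f"port {port}: {path} does not exist")
            elif (check_files and tag == "certificate-key-file"
                  and stat.S_IMODE(os.stat(path).st_mode) & 0o007):
                findings.append(f"port {port}: {path} is accessible to other users")
    return findings

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        # check_files=False: the samples point at paths that exist only on the Resin host.
        print(name, audit_listeners(sample, check_files=False))
```

On the server, pass the contents of /usr/local/resin/conf/resin.xml to audit_listeners and restart only when the returned list is empty.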