This article gives an example of how to get a free SSL certificate and how to install it on CMX. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Cisco recommends that you have knowledge of these topics:
- A domain name which can be resolved externally
- Basic Linux skills
- Basic knowledge of PKI (Public Key Infrastructure)
The information in this document is based on these software and hardware versions:
- CMX 10.5
The web certificate is located in the following folder:
[root@cmxtry ssl]# pwd
/opt/haproxy/ssl
Back up the old certificate and key:
[cmxadmin@cmxtry ssl]$ cd /opt/haproxy/ssl/
[cmxadmin@cmxtry ssl]$ su root
Password: (enter root password)
[root@cmxtry ssl]# mkdir ./oldcert
[root@cmxtry ssl]# mv host.* ./oldcert/
[root@cmxtry ssl]# ls ./oldcert/
host.key  host.pem
In case you are not very familiar with Linux, the above commands can be interpreted in the following way:
[cmxadmin@cmxtry ssl]$ cd /opt/haproxy/ssl/
[cmxadmin@cmxtry ssl]$ su root
Password: (enter root password)
[root@cmxtry ssl]# mkdir /opt/haproxy/ssl/oldcert
[root@cmxtry ssl]# mv host.pem /opt/haproxy/ssl/oldcert/
[root@cmxtry ssl]# mv host.key /opt/haproxy/ssl/oldcert/
[root@cmxtry ssl]# ls /opt/haproxy/ssl/oldcert/
host.key  host.pem
Generate a private key:
openssl genrsa -out cmxtry.com.key 2048
[root@cmxtry ssl]# openssl genrsa -out cmxtry.com.key 2048
Generating RSA private key, 2048 bit long modulus
............
...............
e is 65537 (0x10001)
[root@cmxtry ssl]# ls
cmxtry.com.key  oldcert
Generate a CSR (Certificate Signing Request) using the private key you generated in the previous step.
[root@cmxtry ssl]# openssl req -new -sha256 -key cmxtry.com.key -out cmxtry.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:DIEGEM
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CMXTRY
Organizational Unit Name (eg, section) []:CMXTRY
Common Name (e.g. server FQDN or YOUR name) []:cmxtry.com
Email Address []:avitosin@cisco.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Cisco123
An optional company name []:CMXTRY
[root@cmxtry ssl]# ls
cmxtry.com.csr  cmxtry.com.key  oldcert
Display the CSR:
[root@cmxtry ssl]# cat cmxtry.com.csr
-----BEGIN CERTIFICATE REQUEST-----
[base64 body omitted]
-----END CERTIFICATE REQUEST-----
Copy the CSR (include the beginning of certificate request line and end of certificate request line).
In my lab, I was using the free certificate from Comodo (https://www.instantssl.com/).

Paste the CSR in the window and select RedHat as the software used to generate the CSR.
You have to validate the domain, either through an e-mail address or by another method such as a DNS CNAME entry.
Once you have completed the validation process, you will be able to download the certificate.
After you download the certificate, upload it to the CMX box:
[ avitosin > ~/Desktop/cmxtry_com ] ls
cmxtry_com.ca-bundle  cmxtry_com.crt
[ avitosin > ~/Desktop/cmxtry_com ] scp ./* cmxadmin@cmxtry.com:/home/cmxadmin
Warning: the ECDSA host key for 'cmxtry.com' differs from the key for the IP address '64.103.12.134'
Offending key for IP in /Users/avitosin/.ssh/known_hosts:8
Matching host key in /Users/avitosin/.ssh/known_hosts:10
Are you sure you want to continue connecting (yes/no)? yes
cmxadmin@cmxtry.com's password:
/etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
cmxtry_com.ca-bundle    100% 4103   4.0KB/s   00:00
cmxtry_com.crt          100% 2236   2.2KB/s   00:00
[ avitosin > ~/Desktop/cmxtry_com ]
Verify that the certificate was successfully copied to CMX:
[root@cmxtry ssl]# cd /home/cmxadmin/
[root@cmxtry cmxadmin]# ls
cmxtry_com.ca-bundle  cmxtry_com.crt
[root@cmxtry cmxadmin]#
Public certificate:
[root@cmxtry cmxadmin]# cat cmxtry_com.crt
-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----
Chain of trust:
[root@cmxtry cmxadmin]# cat cmxtry_com.ca-bundle
-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----
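An alternative way to look inside a certificate is openssl x509 with the -text option. Note that it prints only the first certificate in a file, so for the bundle only the intermediate CA certificate is shown: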
CHAIN OF TRUST:
[root@cmxtry cmxadmin]# openssl x509 -in cmxtry_com.ca-bundle -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:2e:6e:ea:d9:75:36:6c:14:8a:6e:db:a3:7c:8c:07
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
        Validity
            Not Before: Feb 12 00:00:00 2014 GMT
            Not After : Feb 11 23:59:59 2029 GMT
        Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [modulus bytes omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:BB:AF:7E:02:3D:FA:A6:F1:3C:84:8E:AD:EE:38:98:EC:D9:32:32:D4
            X509v3 Subject Key Identifier:
                90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca.com/COMODORSACertificationAuthority.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSAAddTrustCA.crt
                OCSP - URI:http://ocsp.comodoca.com
    Signature Algorithm: sha384WithRSAEncryption
         [signature bytes omitted]
[root@cmxtry cmxadmin]#
PUBLIC CERTIFICATE:
[root@cmxtry cmxadmin]# openssl x509 -in cmxtry_com.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b2:9b:75:e9:4e:7b:43:bb:b1:26:0c:04:50:61:14:fc
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
        Validity
            Not Before: Aug 8 00:00:00 2018 GMT
            Not After : Nov 6 23:59:59 2018 GMT
        Subject: OU=Domain Control Validated, OU=Free SSL, CN=cmxtry.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [modulus bytes omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
            X509v3 Subject Key Identifier:
                FB:F0:37:89:52:B3:8A:0A:77:90:1A:1B:E8:FA:C6:10:C4:B5:F2:FB
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com
            X509v3 Subject Alternative Name:
                DNS:cmxtry.com, DNS:www.cmxtry.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
                                A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
                    Timestamp : Aug 8 12:34:59.717 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [signature bytes omitted]
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
                                AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
                    Timestamp : Aug 8 12:34:59.571 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [signature bytes omitted]
    Signature Algorithm: sha256WithRSAEncryption
         [signature bytes omitted]
[root@cmxtry cmxadmin]#
CMX requires the certificate in the following format:
+++PRIVATE KEY+++
+++PUBLIC CERTIFICATE+++
+++CHAIN OF TRUST CERTIFICATE+++
The Private Key - your_domain_name.key
The Primary Certificate - your_domain_name.crt
The Intermediate Certificate - issuer-certificate.crt
The Root Certificate - TrustedRoot.crt
Basically we have the following situation:
- cmxtry.com.key contains the Private Key
- cmxtry_com.crt contains the Primary Certificate
- cmxtry_com.ca-bundle contains the Intermediate Certificate and the Root Certificate
All of those have to be concatenated, in that order, into a single .pem file:
[root@cmxtry cmxadmin]# cat cmxtry.com.key cmxtry_com.crt cmxtry_com.ca-bundle > cmxtry_com.pem
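A pre-flight check for the concatenated file, as an added example that is not part of the original Cisco document: it confirms the block order CMX requires (private key first, then certificates) and that the private key actually matches the server certificate. The function names are hypothetical, and it assumes the same `openssl` command-line tool used earlier on this page.

```shell
#!/bin/sh
# Added example (not Cisco's code): pre-flight checks for the combined PEM
# before it is renamed to host.pem. Function names are hypothetical.

# Print the label of every PEM block in the file, in order, one per line.
# Carriage returns are stripped because CA downloads may use CRLF endings.
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Succeed only if the file is: one private key, then one or more certificates.
check_layout() {
    labels=$(pem_labels "$1")
    first=$(printf '%s\n' "$labels" | sed -n '1p')
    rest=$(printf '%s\n' "$labels" | sed '1d')
    case "$first" in
        "PRIVATE KEY"|"RSA PRIVATE KEY") ;;
        *) echo "layout: first block is '${first:-none}', expected the private key" >&2
           return 1 ;;
    esac
    if [ -z "$rest" ]; then
        echo "layout: no certificate follows the private key" >&2
        return 1
    fi
    if printf '%s\n' "$rest" | grep -qvx 'CERTIFICATE'; then
        echo "layout: only CERTIFICATE blocks may follow the key" >&2
        return 1
    fi
    echo "layout ok: 1 key, $(printf '%s\n' "$rest" | grep -c .) certificate(s)"
}

# Succeed only if the private key in $1 and the first certificate in $2 hold
# the same public key. Both arguments may name the combined PEM.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Run both checks on one combined PEM; returns 0 only if both pass.
preflight() {
    check_layout "$1" || return 1
    if key_matches_cert "$1" "$1"; then
        echo "pairing ok: private key matches the server certificate"
    else
        echo "pairing: key and first certificate differ, or openssl failed" >&2
        return 1
    fi
}

# Usage: sh preflight.sh cmxtry_com.pem
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```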
The next step is to change the ownership and permissions of the certificate file. This file contains the private key, and mode 744 leaves it readable by every local user on the box:
[root@cmxtry cmxadmin]# chown cmx:cmx /opt/haproxy/ssl/cmxtry_com.pem
[root@cmxtry cmxadmin]# chmod 744 /opt/haproxy/ssl/cmxtry_com.pem
When this is done, you can rename the certificate to host.pem (assuming the old certificate was backed up beforehand):
[root@cmxtry cmxadmin]# mv ./cmxtry_com.pem ./host.pem
Now enable SSL mode:
[root@cmxtry ssl]# cmxctl node sslmode enable
Enabling SSL
SSL enabled
Restarting Haproxy
Verified SSL by restarting Haproxy.
[root@cmxtry ssl]#
If you do not see the COMODO (or other vendor) certificate in the CMX GUI after enabling SSL with the above command, try rebooting the CMX device.