Setup Secure SSL using self-signed certificates

Is anyone able to provide some clear instructions on how to generate and install a self-signed certificate with Aperture?

I have tried to do it myself but Aperture is still throwing the following error:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Best Answers

  • Sean Leoszko, Experian Contributor
    Accepted Answer

    Thanks Henry, I was after the third option. This was just for my personal instance of Aperture so I wanted to be able to have a secure HTTPS connection of Aperture.

    I figured out how to do this, the steps below worked for me:

    1. Open up PowerShell in administration mode
    2. Run the following command to generate a private key: "openssl genrsa -des3 -out myCA.key 2048"
    3. Run the following command to generate a root certificate: "openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem"
    4. Run the following command to generate a private key: "openssl genrsa -out <machine name>.key 2048"
    5. Run the following command to create a certificate signing request (CSR): "openssl req -new -key <machine name>.key -out <machine name>.csr"
    6. In Notepad create the following file and name it <machine name>.ext

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = <machine name> # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
    DNS.2 = aperturev2.local # Optionally, add additional domains (I've added a subdomain here)
    IP.1 = <local IP address> # Optionally, add an IP address (if the connection which you have planned requires it)

    7. Run the following command to create a signed certificate: "openssl x509 -req -in <machine name>.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out <machine name>.crt -days 825 -sha256 -extfile <machine name>.ext"

    8. In the start menu, search certificate and click "Manage computer certificates"
    9. Drill down into Personal, right click the Certificates folder, navigate to All Tasks > Import
    10. Import both the .crt and .pem files into this directory
    11. Highlight both certificates (they should be under the machine name), right-click and select Copy
    12. Paste them into the Trusted Root Certificate directory
    13. Install the crt certificate into Aperture using the standard SSL steps (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate).
    14. Restart Aperture and close down Chrome
    15. Open with a secure connection:
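
Added example, not part of the original answer or of Experian's documentation: a shell check for the files produced by steps 2 to 7, confirming that the server certificate verifies against myCA.pem and that its names cover the host name used in the browser, with a throwaway-CA helper so it can be exercised offline. The function names, the server.* file names, the -subj values and the omission of -des3 in the helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Needs the openssl CLI.

# make_pki DIR HOST: steps 2-7 run non-interactively with a throwaway CA.
# File names server.* and the -subj values are constructed for this example.
make_pki() {
    d=$1 host=$2
    # Step 2 without -des3, so no passphrase prompt (test fixture only).
    openssl genrsa -out "$d/myCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/myCA.key" -sha256 -days 825 \
        -subj "/CN=Constructed Test CA" -out "$d/myCA.pem"
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=$host" -out "$d/server.csr"
    cat > "$d/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
EOF
    openssl x509 -req -in "$d/server.csr" -CA "$d/myCA.pem" -CAkey "$d/myCA.key" \
        -CAcreateserial -out "$d/server.crt" -days 825 -sha256 \
        -extfile "$d/server.ext" 2>/dev/null
}

# check_cert CA_PEM CERT HOST
# Returns 0 when CERT chains to CA_PEM and its names cover HOST,
# 1 on a chain failure, 2 on a name mismatch.
check_cert() {
    ca=$1 crt=$2 host=$3
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep 'OK$' >/dev/null; then
        echo "chain: $crt does not verify against $ca"
        return 1
    fi
    if ! openssl x509 -in "$crt" -noout -checkhost "$host" |
            grep 'does match certificate' >/dev/null; then
        echo "name: $host is not covered by the certificate"
        return 2
    fi
    echo "ok: $crt chains to $ca and matches $host"
}

# Usage: sh check_cert.sh myCA.pem server.crt server.example
if [ "$#" -eq 3 ]; then check_cert "$@"; fi
```

A chain failure means the certificate was not signed by the CA file being checked; a name failure means the host name is missing from the [alt_names] section of the .ext file.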


Answers

  • Sean Leoszko, Experian Contributor

    To add more information for the question. I understand the steps on how to install a certificate are included here (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate). I am after steps on how to generate a self-signed certificate that will work with these instructions and secure the connection. At the moment, I am getting errors and it's not secure.

  • Henry Simms, Administrator
    That's great @Sean Leoszko, thanks for adding the steps. Just as a reminder for others, this is good for a demo or test set-up, but typically certificates will be signed by a trusted CA (or intermediate CA with a trusted CA cert at the root of the chain), or a private CA cert already used by an organization.

    If the certificate is only going to be used for Data Studio in Chrome, I'd also recommend only importing the myCA.pem as an Authority in your Chrome settings (Settings > Manage certificates > Authorities > Import), rather than the system's Trusted Root Certificate directory.