Setup Secure SSL using self-signed certificates
Is anyone able to provide some clear instructions on how to generate and install a self signed certificate with Aperture?
I have tried to do it myself but Aperture is still throwing the following error:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Best Answers
Henry Simms Administrator
Hi @Sean Leoszko, can you say a bit more about the type of certificate you want to generate, and how you want to use it?
To explain the differences it's useful to understand the purpose of SSL certificates:
- To encrypt sensitive information sent across the network between the client (e.g. browser) and the server.
- To provide authentication. Specifically, to identify your server and protect your clients from things like man-in-the-middle attacks.
There are three types of certificate you might use:
Data Studio comes with its own self-signed certificate, which is what's used when you select "use SSL" from the server settings. You'll usually change the port to 443 as well. A self-signed certificate is not signed by any certificate authority (CA), and certificates like this will provide encryption but not authentication (or rather it places the burden of verifying trust on the user explicitly). You'll see a "your connection is not private" warning in your browser telling you that the connection is not safe. If you generate your own self-signed certificate it will behave in the same way.
You could also request and apply a certificate signed by a trusted certificate authority (CA) to both enable encryption of client-server communications and identify your server to clients. If you want your Data Studio instance to be available to the general public via the internet, you'd want to use a certificate from a public CA to initiate secure and “trusted” communication.
You may actually want something in between: a certificate issued by a private (internal) CA. A private CA is typically enterprise-specific and used for internal servers on a private network. These certificates are not publicly trusted. In this scenario, in order to achieve trust (authentication) an organization would generate a root certificate and then configure all clients (e.g. Chrome) to trust certificates signed by that root by installing it as a trusted root certificate authority.
The 3rd option, using a private CA, is the most common way Experian's clients secure Data Studio, and also the Find duplicates server. In this case, the client's IT team would typically provide the certificate, either as separate public certificate and private key files, or in a combined format like PKCS12.
Sean Leoszko Experian Contributor
Thanks Henry, I was after the third option. This was just for my personal instance of Aperture, so I wanted to be able to have a secure HTTPS connection to Aperture.
I figured out how to do this, the steps below worked for me:
1. Open up PowerShell in administrator mode.
2. Run the following command to generate a private key: "openssl genrsa -des3 -out myCA.key 2048"
3. Run the following command to generate a root certificate: "openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem"
4. Run the following command to generate a private key: "openssl genrsa -out <machine name>.key 2048"
5. Run the following command to create a certificate signing request (CSR): "openssl req -new -key <machine name>.key -out <machine name>.csr"
6. In Notepad create the following file and name it <machine name>.ext
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = <machine name> # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
    DNS.2 = aperturev2.local # Optionally, add additional domains (I've added a subdomain here)
    IP.1 = <local IP address> # Optionally, add an IP address (if the connection which you have planned requires it)
7. Run the following command to create a signed certificate: "openssl x509 -req -in <machine name>.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out <machine name>.crt -days 825 -sha256 -extfile <machine name>.ext"
8. In the Start menu, search for "certificate" and click "Manage computer certificates".
9. Drill down into Personal, right-click the Certificates folder, navigate to All Tasks > Import.
10. Import both the .crt and .pem files into this directory.
11. Highlight both certificates (they should be under the machine name), right-click and select Copy.
12. Paste them into the Trusted Root Certificate directory.
13. Install the .crt certificate into Aperture using the standard SSL steps (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate).
14. Restart Aperture and close down Chrome.
15. Open with a secure connection.
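The private-CA procedure above, as an added example that is not part of the thread or of Experian's own documentation: a POSIX shell script that runs the same openssl steps unattended (a `-subj` argument replaces the interactive prompts, and the CA key is left unencrypted with restricted file permissions instead of `-des3`), then performs the two checks worth doing before importing anything. `openssl verify` against the default trust store reproduces the situation behind the "PKIX path building failed" error, since no store contains the freshly created root; supplying `myCA.pem` as the anchor is what the import into the Trusted Root store (or the Java trust store a server uses) achieves. The host name `aperture-host.example.local`, the CA subject, and the working directory are constructed placeholders; it assumes `openssl` (1.1.1 or later) is on PATH.

```shell
# Added example: unattended version of the private-CA steps from the thread,
# plus the verification a practitioner runs before installing the certificate.
# Placeholder host name and subjects are constructed for this example.
set -eu

HOST="${1:-aperture-host.example.local}"   # placeholder for <machine name>
WORK="$(mktemp -d)"                         # scratch directory for all files

make_private_ca() {
  # Steps 2-3: root key and self-signed root certificate.
  # No -des3 so this runs without a passphrase prompt; restrict the key file instead.
  openssl genrsa -out "$WORK/myCA.key" 2048 2>/dev/null
  chmod 600 "$WORK/myCA.key"
  openssl req -x509 -new -key "$WORK/myCA.key" -sha256 -days 825 \
    -subj "/CN=Example Private Root CA" -out "$WORK/myCA.pem" 2>/dev/null
}

make_leaf_cert() {
  # Steps 4-7: server key, CSR, extension file, CA-signed server certificate.
  openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
  chmod 600 "$WORK/$HOST.key"
  openssl req -new -key "$WORK/$HOST.key" -subj "/CN=$HOST" \
    -out "$WORK/$HOST.csr" 2>/dev/null
  # Same extension file as the thread; extendedKeyUsage added so the leaf is
  # explicitly a server certificate. Browsers match the SAN, not the CN.
  cat > "$WORK/$HOST.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
EOF
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/myCA.pem" -CAkey "$WORK/myCA.key" \
    -CAcreateserial -out "$WORK/$HOST.crt" -days 825 -sha256 \
    -extfile "$WORK/$HOST.ext" 2>/dev/null
}

verify_with_default_store() {
  # Chain building against the system's default trust anchors only. The new
  # root is not there, so this is the "unable to find valid certification
  # path" situation seen in the question. Prints trusted/untrusted.
  if openssl verify "$WORK/$HOST.crt" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

verify_with_private_root() {
  # Chain building with myCA.pem as the trust anchor: what importing the root
  # into a client's trusted-root store achieves.
  if openssl verify -CAfile "$WORK/myCA.pem" "$WORK/$HOST.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

leaf_has_san() {
  # Confirms the SAN from the .ext file actually made it into the signed cert;
  # a CSR's extensions are dropped unless -extfile is given at signing time.
  openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}

leaf_is_not_ca() {
  # Confirms basicConstraints=CA:FALSE was applied, so the server certificate
  # cannot itself be used to sign further certificates.
  openssl x509 -in "$WORK/$HOST.crt" -noout -text | grep -q "CA:FALSE"
}

make_private_ca
make_leaf_cert
echo "default trust store:  $(verify_with_default_store)"
echo "myCA.pem as anchor:   $(verify_with_private_root)"
echo "files written to $WORK"
```

Run it as `sh make-private-ca.sh <machine name>`; the `.crt` and `.key` pair is what goes into Data Studio, and `myCA.pem` is the only file a client needs to trust. The first `echo` line printing `untrusted` is expected and is exactly the condition the import in steps 9 to 12 fixes.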
Answers
To add more information to the question. I understand the steps on how to install a certificate are included here (https://docs.experianaperture.io/data-quality/aperture-data-studio-v2/set-up/install-data-studio-on-windows/#change-the-port-number-and-apply-an-ssl-certificate). I am after steps on how to generate a self-signed certificate that will work with these instructions and secure the connection. At the moment, I am getting errors and it's not secure.
If the certificate is only going to be used for Data Studio in Chrome, I'd also recommend only importing the myCA.pem as an Authority in your Chrome settings (Settings > Manage certificates > Authorities > Import), rather than the system's Trusted Root Certificate directory.