How to Use Self-Signed Certificates with HVR 6
Question
How to use Self-Signed Certificates with HVR 6
Environment
HVR 6
Answer
Self-signed certificates allow you to establish TLS connections within a private network without relying on public Certificate Authorities (CAs). What this guide sets up is a small private CA: you create a CA certificate, sign the HVR Hub Server's certificate with it, and distribute only the CA certificate to the machines that connect to the Hub. Those machines then validate the Hub Server's certificate through that CA exactly as they would through a public one, so traffic to the Hub is encrypted and authenticated without involving an external CA.
This guide outlines the steps to set up self-signed certificates for HVR 6: creating the CA, generating the Hub Server certificate signed by that CA, and installing the CA (root) certificate on the machines that access the Hub.
Generate the CA and Hub Server Certificates
To generate the CA and Hub Server self-signed certificates, you can follow either of the two methods below - a step-by-step manual process or an automated bash script for faster setup.
Manual Steps
Perform the following steps to generate the CA and Hub Server self-signed certificates:
Create a directory (e.g., /etc/ssl) for certificates and change into it:
sudo mkdir -p /etc/ssl
cd /etc/ssl
All files generated in the following steps will be saved in this directory.
Create the Certificate Authority (CA):
Generate the CA’s private key (e.g., hvr6.key), encrypted with a passphrase:
openssl genrsa -des3 -out hvr6.key 2048
When prompted, enter a password. Securely save this password, as you will need it to sign future certificates. (-des3 protects the key with 3DES; current OpenSSL releases also accept -aes256, which is the stronger choice and prompts the same way.) This key is the root of trust for everything that follows: anyone holding it can issue certificates that every machine trusting hvr6.pem will accept, so keep it off the Hub Server and out of shared directories.
Generate the CA’s public certificate (e.g., hvr6.pem), valid for 1825 days:
openssl req -x509 -new -nodes -key hvr6.key -sha256 -days 1825 -out hvr6.pem
When prompted, enter the following details for the certificate:
- Country Name (2-letter code, e.g., US)
- State or Province Name (full name, e.g., California)
- Locality Name (city, e.g., Oakland)
- Organization Name (e.g., MyCompany)
- Common Name (e.g., hubserver)
- Email Address (e.g., admin@yourcompany.com)
The above commands create the following CA files in your /etc/ssl directory:
- hvr6.key
- hvr6.pem
Generate the certificates for the HVR Hub Server:
Generate the Hub Server’s private key (e.g., hvrhubserver.priv_key):
openssl genrsa -out hvrhubserver.priv_key 2048
Generate a Certificate Signing Request (CSR) for the HVR Hub Server using the private key:
openssl req -new -key hvrhubserver.priv_key -out hvrhubserver.csr
When prompted, enter the following details for the certificate:
- Country Name (2-letter code, e.g., US)
- State or Province Name (full name, e.g., California)
- Locality Name (city, e.g., Oakland)
- Organization Name (e.g., MyCompany)
- Common Name (e.g., hvrhubserver.local). This is the hostname that is required in the next step.
- Email Address (e.g., admin@yourcompany.com)
Do not enter any values for 'extra' attributes. Do not enter a password.
Create a certificate extensions configuration file (e.g., hvrhubserver.ext) in the /etc/ssl directory to define the Subject Alternative Names (SANs) for the Hub Server’s SSL certificate. Replace the DNS.1 value with the hostname of your HVR Hub Server. In this example, the hostname (the Common Name entered in the previous command) for the HVR Hub Server is hvrhubserver.local.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = hvrhubserver.local
The alt_names section may list several entries (DNS.2, DNS.3, ... for further hostnames; IP.1, IP.2, ... for IP addresses), so one certificate can be valid for multiple names or addresses, not just a single hostname. TLS clients match the name they connect with against the SAN entries, not against the Common Name, so every name or address used to reach the Hub Server must appear here.
Generate the HVR Hub Server‘s public certificate, valid for 825 days:
Use the CA to sign the CSR and generate the Hub Server’s public certificate. The validity is deliberately shorter than the CA’s 1825 days: TLS clients on Apple platforms, for example, reject server certificates issued with a validity period longer than 825 days, so do not simply raise this value to match the CA.
openssl x509 -req -in hvrhubserver.csr -CA hvr6.pem -CAkey hvr6.key -CAcreateserial -out hvrhubserver.pub_cert -days 825 -sha256 -extfile hvrhubserver.ext
The following is displayed upon successful completion (the exact wording and the subject formatting vary between OpenSSL versions):
Signature ok
subject=/C=US/ST=California/L=Oakland/O=MyCompany/CN=hvrhubserver.local/emailAddress=info@fivetran.com
Getting CA Private Key
By signing the CSR, the CA verifies and validates the Hub Server’s identity and issues a public certificate that confirms the server’s legitimacy. The CA uses its private key (hvr6.key) to sign the CSR. This process creates a unique digital signature that can be verified against the CA’s public certificate (hvr6.pem), establishing a chain of trust.
The above commands create the following files in your /etc/ssl directory (plus hvrhubserver.csr and the CA serial file hvr6.srl, which -CAcreateserial writes and which can be reused for later issuances):
- hvrhubserver.priv_key
- hvrhubserver.pub_cert
Using a Script
To save time, you can use the bash script provided below to automate the creation of the CA and self-signed certificates for the HVR Hub Server.
- This script requires OpenSSL.
- This script is designed for Unix-like environments. If you’re using Windows, you have two options:
- Run the script on a Linux or macOS machine to generate the certificates, then transfer the resulting certificate files to your Windows machine.
- Modify the script to make it compatible with Windows syntax, such as updating the cat command and variable references.
Save the following script (e.g., create_certificates.sh):
#!/usr/bin/env bash
set -euo pipefail

#### Add below the DNS names for your hubserver
DNS4=hvr6
DNS5=hvr6.rikthefrog.eu
DNS6=hvr6.rikthefrog.local

# CA private key (unencrypted because of -nodes) and self-signed CA certificate
openssl req -x509 -nodes -new -sha512 \
  -days 365 -newkey rsa:4096 -keyout ca.key \
  -out ca.pem -subj "/C=US/CN=Fivetran"
openssl x509 -outform pem -in ca.pem -out ca.crt

# Extensions for the Hub Server (leaf) certificate, including its SANs.
# Hostnames go in DNS.n entries, IP addresses in IP.n entries.
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
#### Local hosts
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
#### List your domain names here
DNS.4 = ${DNS4}
DNS.5 = ${DNS5}
DNS.6 = ${DNS6}
EOF

# Hub Server private key and certificate signing request
openssl req -new -nodes -newkey rsa:4096 \
  -keyout hvrhubserver.priv_key -out hvrhubserver.csr \
  -subj "/C=US/ST=CA/L=Oakland/O=Fivetran/CN=hvrhubserver"

# Sign the CSR with the CA, applying the extensions above
openssl x509 -req -sha512 -days 365 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in hvrhubserver.csr \
  -out hvrhubserver.pub_cert
Update the script to specify the Hub Server’s DNS names (DNS4, DNS5, DNS6). Every hostname that clients will use to reach the Hub Server must appear in the alt_names list, because TLS clients match the hostname against the SAN entries rather than the CN in the -subj value. Note that the script writes the CA private key (ca.key) unencrypted (-nodes); restrict access to it, or move it offline once the certificates have been issued.
Make the script executable and run it:
chmod +x create_certificates.sh
./create_certificates.sh
This will generate:
- The CA’s private key and root certificate (ca.key and ca.pem, with a copy of the certificate as ca.crt). These correspond to hvr6.key and hvr6.pem in the manual steps; use ca.pem wherever the rest of this guide refers to hvr6.pem.
- The HVR Hub Server private key and public certificate (hvrhubserver.priv_key and hvrhubserver.pub_cert).
Copy Certificates to the Hub Server
Copy the Hub Server’s key and certificate (hvrhubserver.priv_key and hvrhubserver.pub_cert) to the $HVR_CONFIG/etc/cert directory of the HVR Hub Server. This allows you to configure the HVR Hub Server with HTTPS. This step is normally performed while installing the HVR Hub. Keep hvrhubserver.priv_key readable only by the account that runs the Hub Server; the CA private key (hvr6.key) is not needed on the Hub Server and should not be copied there.
Install the Root Certificate on Your Machine
To trust the server certificate, each machine accessing the HVR Hub Server must recognize hvr6.pem as a trusted root certificate. Only this CA certificate is distributed; the CA private key and the Hub Server’s private key stay where they were created.
Linux
On Debian and Ubuntu, copy the certificate file (hvr6.pem) into /usr/local/share/ca-certificates/ with a .crt extension (for example as hvr6.crt), because update-ca-certificates only picks up files named *.crt in that directory. Do not copy it into /etc/ssl/certs/ directly; that directory is generated output, not an input.
Run the following command to rebuild the certificate store so that the certificate becomes part of the system-wide list of trusted certificates:
sudo update-ca-certificates
On Red Hat-based systems (RHEL, CentOS, Fedora), copy the file into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust instead.
macOS
Copy the certificate file (hvr6.pem) to a directory on the Mac, for example ~/Documents/keys, which is the path used in the command below.
Run the following command to add the hvr6.pem certificate to the System keychain as a trusted root certificate (it prompts for an administrator password):
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ~/Documents/keys/hvr6.pem
Alternatively, you can open the Keychain Access app, go to File > Import Items…, select hvr6.pem, then open the imported certificate and set "When using this certificate" in its Trust section to Always Trust.
Windows
Copy the certificate file (hvr6.pem) to your Windows machine.
Run the following command from an elevated (Administrator) prompt to add the hvr6.pem certificate to the Trusted Root Certification Authorities store of the local machine, so that every account on it trusts the Hub Server:
certutil.exe -addstore root .\hvr6.pem
To trust it for the current user only, which needs no elevation, add the -user option before -addstore. Alternatively, open Manage User Certificates (certmgr.msc, current user) or Manage Computer Certificates (certlm.msc, whole machine), right-click Trusted Root Certification Authorities > Certificates, select All Tasks > Import, and choose hvr6.pem.
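The following script is an added example for this article, not code from the HVR documentation or from Fivetran. It serves two points above: it checks the files produced by either generation method (the CA really is a CA, the Hub Server certificate chains to it, is a leaf, carries the expected hostname in its SAN list, and matches its private key) before they are copied to the Hub Server, and, once hvr6.pem has been installed in a machine's trust store, it checks that a live TLS handshake to the Hub Server verifies against the system store without any -CAfile. File names follow the manual steps; the Hub Server hostname and port are assumptions to be replaced with your own. The demo mode builds throwaway certificates in a temporary directory so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example for this article (not HVR/Fivetran code): checks the files
# produced by either generation method before they are copied to the Hub
# Server, and checks live TLS trust after hvr6.pem is installed.
# File names follow the manual steps; the Hub Server host and port used with
# the "live" mode are assumptions and must be adjusted for your environment.
set -eu

# verify_hub_cert CA_PEM SERVER_CERT SERVER_KEY HOSTNAME
# Offline checks: the CA is a real CA, the server certificate chains to it,
# is a leaf, names HOSTNAME in its SAN list, and matches the private key.
verify_hub_cert() {
  ca="$1"; cert="$2"; key="$3"; host="$4"
  # 1. basicConstraints CA:TRUE on the CA certificate ('req -x509' adds it
  #    from the default openssl.cnf; a hand-written config may not)
  openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
    || { echo "FAIL: $ca is not marked as a CA" >&2; return 1; }
  # 2. signature and validity window, checked the way a client would
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not verify against $ca" >&2; return 1; }
  # 3. the server certificate must not itself be able to issue certificates
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' \
    || { echo "FAIL: $cert lacks basicConstraints CA:FALSE" >&2; return 1; }
  # 4. clients match the connected hostname against SAN entries, not the CN
  openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$host" \
    || { echo "FAIL: subjectAltName has no DNS:$host" >&2; return 1; }
  # 5. the private key must belong to the certificate: compare public keys
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert" >&2; return 1; }
}

# check_hub_tls HOSTNAME PORT
# Post-install check from a client machine: with hvr6.pem in the system
# trust store, the handshake must verify without any -CAfile. The port is
# whatever the Hub Server's HTTPS listener was configured with (assumption).
check_hub_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# demo_verify CERT_HOST CHECK_HOST
# Builds a throwaway CA and Hub Server certificate for CERT_HOST in a temp
# directory (constructed test material, not your real files) and runs the
# offline checks against CHECK_HOST. Returns 0 only if all checks pass.
demo_verify() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    # minimal config so the run does not depend on the system openssl.cnf
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
      'prompt = no' '[dn]' 'CN = placeholder' '[ca_ext]' \
      'basicConstraints = critical,CA:TRUE' 'keyUsage = keyCertSign,cRLSign' \
      'subjectKeyIdentifier = hash' > openssl.cnf
    openssl req -x509 -nodes -new -sha256 -days 30 -newkey rsa:2048 \
      -config openssl.cnf -keyout hvr6.key -out hvr6.pem \
      -subj "/C=US/O=MyCompany/CN=hvr6-demo-ca" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -config openssl.cnf \
      -keyout hvrhubserver.priv_key -out hvrhubserver.csr \
      -subj "/C=US/O=MyCompany/CN=$1" 2>/dev/null
    printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
      'keyUsage=digitalSignature,keyEncipherment' "subjectAltName=DNS:$1" \
      > hvrhubserver.ext
    openssl x509 -req -in hvrhubserver.csr -CA hvr6.pem -CAkey hvr6.key \
      -CAcreateserial -out hvrhubserver.pub_cert -days 30 -sha256 \
      -extfile hvrhubserver.ext 2>/dev/null
  )
  rc=0
  verify_hub_cert "$dir/hvr6.pem" "$dir/hvrhubserver.pub_cert" \
    "$dir/hvrhubserver.priv_key" "$2" || rc=$?
  rm -rf "$dir"
  return $rc
}

# Usage: sh verify_hub_cert.sh demo                      (self-test, throwaway files)
#        sh verify_hub_cert.sh files CA CERT KEY HOSTNAME (check real files)
#        sh verify_hub_cert.sh live HOSTNAME PORT         (post-install trust check)
case "${1:-}" in
  demo)  demo_verify hvrhubserver.local hvrhubserver.local && echo "offline checks passed" ;;
  files) verify_hub_cert "$2" "$3" "$4" "$5" && echo "offline checks passed" ;;
  live)  check_hub_tls "$2" "$3" && echo "trusted by the system store" ;;
esac
```

Run the files mode against the real output of either method (for example `files hvr6.pem hvrhubserver.pub_cert hvrhubserver.priv_key hvrhubserver.local`, or ca.pem in place of hvr6.pem for the script's output) before copying anything to the Hub Server; a failure in check 4 is the most common mistake, since a hostname left out of alt_names is not fixed by putting it in the CN. The live mode is run from a client machine after the root certificate has been installed; on macOS and Windows the same handshake can be checked with the platform's own tools, since their system OpenSSL may not read the keychain or certificate store.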