Expert configuration
- Gerard Tuguigui
- Andrew Madge
Replacing the Snare Central encryption certificate
Snare Central generates its own, self-signed certificate for SSL/TLS. It uses this certificate for both encrypted web pages (https), and also to receive encrypted log data.
Although it is not recommended, custom certificates can be used to replace the self-signed certificate in Snare Central. The following instructions assume a reasonably high degree of experience with Unix-like operating systems.
Warning
When the default certificate is replaced by a custom certificate, care should be taken to NOT overwrite the certificate. A new certificate is generally created, whenever the host name is modified within the Snare Central configuration wizard.
If you do NOT wish to overwrite the certificate, please ensure that you choose the option: "DO NOT regenerate the SSL browser certificate even if the server name has changed" in the "General" configuration section of the Snare Central wizard.
The process required to generate a self-signed certificate varies depending on your chosen certificate provider. In general, the instructions available on your providers web site for the combination of 'Linux' and 'the Apache web server', will apply to Snare Central.
If no such documentation is available, the following general instructions may assist you with the process of requesting and installing a custom certificate:
Requesting a certificate
- Log into Snare Central as the user 'snare'
- Run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout snareserver.key -out snareserver.csr- NOTE: Your certificate provider may support key lengths greater than 2048 bytes.
- This command begins the process of generating two files: the Private-Key file for the decryption of your SSL Certificate, and a certificate signing request (CSR) file (used to apply for your SSL Certificate) with the openssl tool.
- When you are prompted for the Common Name, enter the fully qualified domain name for the site you are securing. If you are generating an Apache CSR for a Wildcard SSL Certificate, your common name should start with an asterisk (such as *.example.com).
- You will then be prompted for your organizational information (including geographic location).
- The file 'server.csr' will be created. Copy and paste the contents of this file, into the certificate order form of the organisation you will be purchasing your certificate from. You are likely to need to include the BEGIN and END sections of the content.
- The snareserver.key file, will be required later, for certificate installation.
- As a root-equivalent user (eg: sudo -s from the user snare), place the file into the directory /etc/apache2/ssl/
Installing the certificate
- You will receive a certificate from your certificate provider, and also, a 'Certificate Chain File'.
- Upload both of these files to Snare Central as
- /etc/apache2/ssl/snareserver.crt <for the certificate>
- /etc/apache2/ssl/cakeychain.crt <for the key chain certificate>
- Upload both of these files to Snare Central as
- Log into Snare Central as the user 'snare'
- sudo to root
- Make a backup, then edit the file /etc/apache2/sites-available/000-default-ssl.conf
- Find the following line:
SSLCertificateFile /etc/apache2/ssl/apache.pem
- Modify the line to:
SSLCertificateFile /etc/apache2/ssl/snareserver.pem
- After that line, add the following lines:
SSLCertificateKeyFile /etc/apache2/ssl/snareserver.keySSLCertificateChainFile /etc/apache2/ssl/cakeychain.crt
- Find the following line:
- As root, run the following command:
service apache2 restart
Warning
Although an upgrade to your Snare Central server will not overwrite your certificate, if the Apache configuration file needs to be updated for security or functionality reasons, there is a reasonable chance that your customisations to the Apache configuration file will be overwritten, returning your server back to a 'self signed' state.
After an update, please check your installation, and if required, reapply the 'Installation' information above.