Objective
Today SSL certificates are managed in several different places, which makes updating existing certificates and issuing new ones difficult and error-prone. We currently have three separate certificate processes. Java-based backend services use a password-protected local keystore to hold their certificates. The keystore is maintained as part of the development code line and is distributed as part of the software package, so the certificate and its private key travel with the source and with every release artifact. Java services include:
Config Server
HIS
RMS
Core web-based applications in AWS are fronted by a load balancer. We import the certificates into AWS Certificate Manager (ACM) and attach them to the load balancer's listeners through the AWS management console. The core web applications include:
App Manager
PopFlow
Data API
MediaBar
Connect API
Analytics
Queue Adapter is an outlier: it follows the same process as the core web applications when deployed in AWS, but has its own process when deployed on premise. When deployed on premise, Queue Adapter requires the installer to download an unprotected copy of the certificate and its private key and import it into the Windows certificate manager. The installer must then bind the certificate to a specific port from the Windows command line. Because the key is imported without protection, anyone with administrative access to the server can export the certificate and private key and use them however they want.
Success metrics
Goal | Metric |
---|---|
Assumptions
Requirements
Requirement | User Story | Importance | Jira Issue | Notes
---|---|---|---|---
1 | | HIGH | |
2 | | | |
User interaction and design
Open Questions
Question | Answer | Date Answered |
---|---|---|
Out of Scope
SSL Run-Book
Convert DER to PEM Format
This process must be performed on a machine with OpenSSL installed. The source file's extension might be .cer, .crt, or .der; the extension does not tell you the encoding, so open the file in a text editor first: a PEM file starts with "-----BEGIN CERTIFICATE-----", while a DER file is binary and shows special characters.
For each certificate file in DER format, run:
openssl x509 -in original.cer -inform der -outform pem -out new_name.cer
The output file keeps the .cer extension but is now PEM encoded.
Convert Individual Certificates into .p7b
This process must be performed on a machine with OpenSSL installed.
Ensure every certificate file is in PEM format by opening it in a text editor. If the file shows special characters or does not start with "-----BEGIN CERTIFICATE-----", it is in DER format and must be converted first; see Convert DER to PEM Format before proceeding. Then bundle the server certificate and its intermediate(s), giving one -certfile per certificate, server certificate first:
openssl crl2pkcs7 -nocrl -certfile certificate.cer -certfile intermediate.cer -out certificate.p7b
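The two run-book procedures above (detect DER vs PEM, convert, bundle into .p7b) as one script, added here as an example and not part of the original run-book. It automates the text-editor check with the same criterion (PEM files start with the BEGIN CERTIFICATE header; DER files start with the binary SEQUENCE tag 0x30), converts only what needs converting, bundles the result, and then reads the bundle back to confirm how many certificates it actually contains. The function names and the sample CA/leaf pair generated by make_sample_certs are this example's own assumptions; the sample certificates exist only so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: normalise certificate files to PEM and bundle them into a
# .p7b with OpenSSL, the way the run-book describes, plus a read-back check.
set -eu

# "pem", "der" or "unknown" for a certificate file. PEM: the file contains
# the BEGIN CERTIFICATE header line. DER: the first byte is 0x30, the ASN.1
# SEQUENCE tag that every X.509 certificate starts with.
cert_format() {
    if grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
        return 1
    fi
}

# Write certificate $1 as PEM to $2. DER input is converted exactly as in
# the run-book; PEM input is still passed through openssl x509 so that a
# damaged file fails here instead of inside the bundle step.
to_pem() {
    case "$(cert_format "$1")" in
        pem) openssl x509 -in "$1" -inform pem -outform pem -out "$2" ;;
        der) openssl x509 -in "$1" -inform der -outform pem -out "$2" ;;
        *)   echo "$1: not a DER or PEM certificate" >&2; return 1 ;;
    esac
}

# bundle_p7b OUT.p7b CERT [CERT...]: bundle the given certificates (any
# mix of DER and PEM) into OUT.p7b. Give the server certificate first,
# then its intermediate(s); one -certfile is passed per certificate.
bundle_p7b() {
    out="$1"; shift
    tmpdir="$(mktemp -d)"   # mktemp paths contain no spaces, so $args can be word-split
    args=""
    i=0
    for f in "$@"; do
        i=$((i + 1))
        to_pem "$f" "$tmpdir/$i.pem"
        args="$args -certfile $tmpdir/$i.pem"
    done
    # shellcheck disable=SC2086
    openssl crl2pkcs7 -nocrl $args -out "$out"
    rm -rf "$tmpdir"
}

# Read-back check: how many certificates does OpenSSL find in the bundle?
# Compare this with the number of files you bundled before installing it.
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Constructed fixture (assumption, not real certificates): a throwaway CA
# and a leaf it signs, with the leaf also written in DER so both branches
# of cert_format/to_pem are exercised. Files land in directory $1.
make_sample_certs() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Run-Book Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    openssl x509 -in "$d/leaf.pem" -outform der -out "$d/leaf.cer"
}

# Usage, e.g. in a scratch directory:
#   make_sample_certs .
#   bundle_p7b certificate.p7b leaf.cer ca.pem
#   p7b_cert_count certificate.p7b
```

For a real deployment replace the fixture with the issued server certificate and the CA-supplied intermediate(s); the count reported by p7b_cert_count should equal the number of files you passed to bundle_p7b, and a lower number means one of the inputs was not a certificate OpenSSL could parse.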