Installation

PageSeeder installation and upgrade instructions

Configuring SSL

Using SSL (Secure Sockets Layer) encrypts transmissions between web browsers and PageSeeder to provide extra security. To do this you need to create a private key, create a certificate by having your public key signed by yourself or a certificate authority, and then install both on your proxy server or in Tomcat.

Note

The instructions below are for Linux CentOS.

Create private key

If not done already, install OpenSSL by entering:

yum install openssl

Create a private key by entering the command below. Make sure you can remember the passphrase you are asked for, as you will need it later.

openssl genrsa -des3 -out mydomain.key 2048

Create SSL certificate

Create a certificate signing request as follows:

sudo openssl req -new -key mydomain.key -out mydomain.csr

This command will prompt for fields that need to be filled in.

The most important field is "Common Name" which should be the domain name of your server. If you want the certificate to cover multiple sub-domains you can use *.mycompany.com.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:NSW
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Inc
Organizational Unit Name (eg, section) []:My Department
Common Name (e.g. server FQDN or YOUR name) []:myserver.mycompany.com
Email Address []:webmaster@mycompany.com

Certificate authority signs your certificate

To ensure web browsers accept your certificate without warning messages you need to send your .csr file to a Certificate Authority to have it signed. They will typically return to you an individual .crt file for your domain and a bundle .crt file containing their own certificates. These need to be concatenated in the correct order, for example:

cat mydomain_individual.crt ca_bundle.crt > mydomain.crt

Self-sign your SSL certificate

Alternatively, for testing you could sign the certificate yourself, but it will only be accepted by web browsers after warning the user. You can specify how long the certificate should remain valid by changing the 365 to the number of days you prefer. To create a self-signed certificate you could enter:

openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt

Install certificate

Nginx

If you are using Nginx as a reverse proxy for PageSeeder you will need to install your certificate there.

Remove the Key Passphrase

To install an SSL certificate on Nginx it is easier to first remove the passphrase. Though the passphrase does provide extra protection, removing it saves you from having to re-enter the passphrase every time Nginx is restarted. To do this use the following commands:

mv mydomain.key mydomain.key.orig
openssl rsa -in mydomain.key.orig -out mydomain.key

Configure Nginx

Copy the key and certificate to Nginx as follows:

mkdir -p /etc/nginx/ssl/pageseeder
cp mydomain.key /etc/nginx/ssl/pageseeder/
cp mydomain.crt /etc/nginx/ssl/pageseeder/

Modify the nginx.conf file as described in Configuring a proxy and restart the nginx service.
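
The checks below are an added example, not part of the original PageSeeder instructions: before restarting Nginx they confirm that mydomain.key belongs to the server certificate, that mydomain.crt was concatenated with the server certificate first, and that the passphrase-free key is readable only by its owner. The function names and the throwaway CA used as constructed sample input are assumptions.

```bash
# Added example; function names and the throwaway CA are assumptions.

# 0 if KEY is the private key of the first (server) certificate in CRT.
key_matches_cert() {  # usage: key_matches_cert KEY CRT
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if each certificate in BUNDLE names the next one as its issuer
# (server certificate first, CA certificates after). Compares names only.
chain_order_ok() {  # usage: chain_order_ok BUNDLE
  local tmp n i issuer subject
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1") || return 1
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {c++} c {print > (d "/" c ".pem")}' "$1"
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || { rm -rf "$tmp"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# 0 if group and other have no access to KEY (it has no passphrase any more).
key_perms_ok() {  # usage: key_perms_ok KEY
  [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; a non-zero status means do not install yet.
preinstall_check() {  # usage: preinstall_check KEY CRT
  key_matches_cert "$1" "$2" && chain_order_ok "$2" && key_perms_ok "$1"
}

# Constructed sample input: a throwaway CA and server certificate in DIR.
make_constructed_chain() {  # usage: make_constructed_chain DIR
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
      -keyout ca.key -out ca_bundle.crt &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myserver.mycompany.com" \
      -keyout mydomain.key -out mydomain.csr &&
    openssl x509 -req -days 1 -in mydomain.csr -CA ca_bundle.crt -CAkey ca.key \
      -CAcreateserial -out mydomain_individual.crt &&
    cat mydomain_individual.crt ca_bundle.crt > mydomain.crt ) >/dev/null 2>&1
}
```

After sourcing the functions, run preinstall_check /etc/nginx/ssl/pageseeder/mydomain.key /etc/nginx/ssl/pageseeder/mydomain.crt; if it fails on permissions, chmod 600 on the key restricts it to its owner.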

Tomcat

If you are not using a proxy like Nginx and your website port is larger than 1024 (e.g. 8443), you can configure Tomcat to use SSL as follows:

  1. Create a .keystore or .jks file using the Java keytool utility. PageSeeder includes a self-signed certificate for localhost under pageseeder/webapp/WEB-INF/config/pslocalhost.keystore (password pslocalxyz) which can be used for testing.
  2. Obtain an SSL certificate for your server's domain name from a certificate provider or self-sign it and add it to your keystore file. Then copy it to your server and make sure you know your keystore password.
  3. Stop your PageSeeder service if it is running and start the pageseeder-x.exe for Windows or enter pageseeder service config for Linux.
  4. Follow the installer prompts and select "Enable SSL".
  5. When prompted enter the path to your SSL certificate keystore file and its password.
  6. For "List of ports to redirect from" (Windows only) you may wish to add other ports that your PageSeeder was previously using so that users are automatically redirected to use SSL (e.g. 80,8080).
  7. Finish the installation.

Converting existing .keystore or .jks to .key

If you have existing .keystore or .jks files that you need to use with Nginx they can be converted using the Java keytool and openssl as follows:

keytool -importkeystore -srckeystore mydomain.jks -destkeystore mydomain.p12 -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in mydomain.p12 -nocerts -out mydomain.pem
openssl rsa -in mydomain.pem -out mydomain.key
