Renew SSL Certificates Externally
Emmanuel Nwakire edited this page Jul 12, 2024
- Reach out to DigiCert for renewal of the SSL certificates.
- NOTE: Only 1 unit per certificate is required; 3 certificates are required, 1 for each server.
- Include Blake and Blaine (Product Owners) to approve the purchase, and send the DigiCert representative to the VA procurement office.
- Request a copy of the purchase order number.
- After the purchase has been confirmed, you will need to create CSRs for each of the certificates.
- Load up any Linux instance or terminal instance and run the following command:

```
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
```

- Follow the prompts as follows:

```
Country Name (2 letter code): US
State or Province Name (full name): District of Columbia
Locality Name (eg, city): Washington
Organization Name (eg, company): Department of Veterans Affairs
Organizational Unit Name (eg, section): VHA
Common Name (eg, your name or your server's hostname): Marketplace.va.gov
Email Address: [email protected]
```
- Challenge Password: hit enter to skip.
- Optional company name: hit enter to skip.
- NOTE: Remember where you put the private key for the CSR.
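The same CSR step, scripted for all three hosts so the prompts above do not have to be answered by hand three times. This is an added example, not a command from the wiki page: it assumes `openssl` is on the PATH, the output directory `./csr-out` is an example value, and the Email Address prompt is left blank. Because `-nodes` writes the private key unencrypted, the key is created under `umask 077` so only the owner can read it.

```shell
#!/bin/sh
# Added example (not from the wiki page): non-interactive CSR generation for the
# three marketplace hosts, using the subject fields the interactive prompt asks for.
# Assumes openssl is on PATH; the output directory is an example value.
set -e

# Subject fields from the page; CN is filled in per host below.
SUBJECT_BASE="/C=US/ST=District of Columbia/L=Washington/O=Department of Veterans Affairs/OU=VHA"

# make_csr FQDN OUTDIR: writes OUTDIR/FQDN.key and OUTDIR/FQDN.csr, prints the CSR path.
make_csr() {
  mkdir -p "$2"
  # -nodes leaves the key unencrypted, so umask 077 keeps it readable only by the owner.
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$2/$1.key" -out "$2/$1.csr" \
      -subj "$SUBJECT_BASE/CN=$1" >/dev/null 2>&1 )
  printf '%s\n' "$2/$1.csr"
}

# csr_cn CSR: print the Common Name in the request (the value that goes into the ticket).
csr_cn() {
  openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_ok CSR: exit 0 if the request's self-signature verifies, i.e. the file is intact.
csr_ok() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# One CSR per host, matching the three FQDNs listed in the ticket.
OUTDIR="${1:-./csr-out}"   # example output directory
for host in marketplace.va.gov staging.marketplace.va.gov dev.marketplace.va.gov; do
  csr=$(make_csr "$host" "$OUTDIR")
  csr_ok "$csr"
  echo "OK $host  CN=$(csr_cn "$csr")  key=$OUTDIR/$host.key"
done
```

Run it once, then attach the three `.csr` files to the ticket; the `.key` files stay where they were generated, since they are needed again for the PKCS#12 conversion after the certificates arrive.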
- Complete the following information in the ticket:

```
Action needed for certificate request: Renew Existing Certificate
What type of certificate do you need: Accessed by VA staff, other Agency Staff, & General Population
Check box: Yes. I have completed Certificate Signing Request (CSR): Yes
URL, Common Name, Friendly Name, or Fully Qualified Domain Name (FQDN): marketplace.va.gov, staging.marketplace.va.gov, dev.marketplace.va.gov
Total Amount of Units Required: 3
Amount of Years: 1
Purchase Order Number or DEAL ID: (Provided after purchase of DigiCert completed)
```
- Attach the CSRs for all three certificates to the ticket and submit.
- Once you have received the DigiCert certificates, save them locally.
- You will need to extract the SSL certificates from the zip files sent to your inbox.
- Convert the certificates to either p12 or pfx format using openssl in a bash terminal:

```
openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.cer -out final_result.p12
```

- If this stalls out or continues to spin (typically Git Bash on Windows, where the password prompt needs a terminal wrapper), prefix the command with `winpty`:

```
winpty openssl pkcs12 -export -inkey your_private_key.key -in your_certificate.cer -out final_result.p12
```
- If you have questions regarding the inputs or run into errors, contact the DevOps team.
- Save the conversions and remember the password that was created for the certificates.
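Before sending a bundle on, it is worth checking that it actually contains the right key and a certificate that expires a year out; the same expiry check applies to the ACM import and the browser check later on this page. The following is an added example, not part of the wiki page: it assumes `openssl` is on the PATH, and the key, certificate, bundle paths and password are example values. Because DigiCert-issued certificates cannot be produced offline, the demo at the end generates a self-signed certificate as a constructed stand-in purely to exercise the checks.

```shell
#!/bin/sh
# Added example (not from the wiki page): build the PKCS#12 bundle and verify it
# before sending it on. Assumes openssl is on PATH; paths and password are example values.
set -e

# make_p12 KEY CERT OUT PASSWORD: scripted form of the page's "openssl pkcs12 -export".
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
  chmod 600 "$3"   # the bundle contains the private key
}

# key_matches_cert KEY CERT: exit 0 when the public key in CERT is the one derived
# from KEY. Pairing a certificate with the wrong CSR's key is the usual cause of a
# bundle that imports but is rejected at the load balancer.
key_matches_cert() {
  key_fp=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  cert_fp=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
  [ "$key_fp" = "$cert_fp" ]
}

# p12_cert_enddate P12 PASSWORD: print the notAfter date of the certificate in the bundle.
p12_cert_enddate() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# p12_valid_for_days P12 PASSWORD DAYS: exit 0 if the bundled certificate is still
# valid DAYS days from now. A freshly issued one-year certificate passes 350.
p12_valid_for_days() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Demo: a constructed self-signed certificate stands in for the DigiCert-issued one
# so the checks can run offline. Real certificates come from the CA, not from here.
demo_p12_checks() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$d/demo.key" -out "$d/demo.cer" \
    -subj "/C=US/O=Department of Veterans Affairs/CN=demo.marketplace.va.gov" 2>/dev/null
  make_p12 "$d/demo.key" "$d/demo.cer" "$d/demo.p12" "example-password"
  key_matches_cert "$d/demo.key" "$d/demo.cer"
  p12_valid_for_days "$d/demo.p12" "example-password" 350
  echo "bundle OK, certificate expires: $(p12_cert_enddate "$d/demo.p12" example-password)"
  rm -rf "$d"
}
demo_p12_checks
```

For the real files, call `key_matches_cert` with the `.key` from the CSR step and the `.cer` from DigiCert, then `make_p12` and `p12_valid_for_days` on the result; a mismatch or an expiry under a year means the wrong file was paired and the bundle should not be sent.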
- Once converted, you will need to submit a new ticket in YourIT and send the p12 files along with the password to the [email protected] distro.
- Select Incident.
- Select Normal Issue.
- Provide the following information in the incident request:

```
Urgency: 2 (Customer Work Stoppage)
Category: Software
Sub-Category: Web or Server
Brief Description: Need to update our external SSL Certificates
Detailed Description: Our external web application is ready to update our SSL Certificates that were provided to us by DigiCert. We have emailed the requested files and password to [email protected]. Please let us know if additional information is required.
```
- There may be an instance where we need to submit a change ticket.
- Instructions for submitting a ticket can be found here: KB0110510.
- If this is urgent, please reach out to [email protected] and ask that the ticket be changed to an emergency.
- Follow the instructions you receive through e-mail from members of Network Operations.
- Once the Network Operations Team has completed the update of the SSL certificates, run the following tests:
- In order to update the Load Balancer, you will need to have access to the VADM AWS account.
- Navigate to AWS Dashboard -> search for ACM -> Import certificate:
  - Paste the PEM certificate in the Certificate body.
  - Paste the private key in the Private key body.
  - Tag the certificates, for example DEVCERTS2024.
  - Import the certificate, then check the expiry date and make sure it expires a year later.
- Navigate to AWS Dashboard -> EC2 -> Instances (Running) -> scroll down to Load Balancer -> choose the instance -> select the Listeners tab -> click "Change" on the right side of the SSL certificate.
- Select "Choose a certificate from ACM".
- In the drop-down, select the appropriate certificate for each specific server and save.
- Put the domain into the search at SSL Labs and confirm an A+ scorecard.
- Navigate to dev, staging, and prod in the browser.
- Confirm the site is up and running externally.
- Confirm the new SSL certificates have been uploaded:
  - Click on the padlock in the URL bar.
  - Select "Connection is secure".
  - Confirm "Certificate is valid".
- The new SSL certificate should appear with a 1-year expiration date.
- Close out any stories associated with this action.
- Update the calendar to reflect a new reminder date 2 months before the current SSL certificates' expiration.
- The next certificate renewal date is June 11, 2025.
- A reminder has been set for May 11, 2025, to look into renewing before expiration.