Install a Purchased SSL/TLS Certificate
This section explains how to install purchased SSL/TLS certificates into Clarity LIMS v5 and later. Clarity LIMS can work with Named or WildCard certificates.
Typically, the process to install the certificates into Clarity LIMS is as follows:
1. Request a certificate from your IT organization, or purchase a certificate from a third-party SSL/TLS vendor.
2. Install the certificate using the script installCertificates.sh provided with Clarity LIMS. This script prompts for the required inputs and helps you to configure Clarity LIMS to use your SSL/TLS certificate.
Some IT organizations have preexisting certificates issued by an internal organization, typically referred to as an 'internal CA.' These internal CA certificates are not fully compatible with Java, and prevent the automation worker—and all integrations—from properly communicating with the Clarity LIMS server. Internal CA certificates are therefore not supported in Clarity LIMS.
You will need your organization or the third-party SSL/TLS vendor to provide you with the following:
• An Apache 2.4-compatible SSL/TLS certificate
• The certificate private key
• The corresponding certificate chain, properly prepared for Apache 2.4. This component may not be required, depending on the organization that signs your certificate.
Your IT organization might provide you with a WildCard certificate. Clarity LIMS can use WildCard certificates, as long as the Apache 2.4-compatible certificate, private key, and certificate chain files are provided.
If purchasing from a third-party vendor, make sure that the vendor provides you with an Apache 2.4-compatible bundle that includes the components listed above. To purchase from a vendor, refer to their documentation.
By default, a private key has a passphrase associated with it. On startup, Apache prompts for that passphrase before it can read the key, so the server cannot be started or restarted unattended. Use either of the following methods to handle this:
Method 1 — Place a passphrase file on the system and reference it in your clarity.conf file.
1. Create a passphrase script in a directory that has read, write, and execute permissions for only the root or apache user, and make the script executable. Apache runs this script and reads the passphrase from its standard output.
#! /bin/bash
echo "privatekeypassword"
2. Edit the clarity.conf file. The clarity.conf file is in the /etc/httpd/conf.d directory.
Add the following line to your clarity.conf file, before the <VirtualHost> section:
SSLPassPhraseDialog exec:/path/to/passphrase-script
Method 2 — Remove the passphrase from the key.
Removing the passphrase from an OpenSSL key is a security risk: anyone who can read the resulting file can impersonate the server. Only remove the passphrase if you know that this risk is acceptable, and restrict the unencrypted key file to the root user.
Remove the passphrase from an OpenSSL key using the following command (the rsa subcommand applies to RSA keys; for other key types, the pkey subcommand accepts the same -in and -out options):
% openssl rsa -in private.key -out private_nopassphrase.key
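The two methods above leave two things for the administrator to get right: knowing whether the key is actually passphrase-protected, and making sure the Method 1 passphrase script and its directory are readable by the root or apache user only. The following POSIX shell script is an added example, not part of Clarity LIMS or its installCertificates.sh; the function names are its own. It detects the PEM encryption header, writes a passphrase script with owner-only permissions, emits the matching SSLPassPhraseDialog line, and audits the result. The key contents, paths and passphrase used by demo() are constructed sample values.

```shell
#!/bin/sh
# Added example for the passphrase methods above; not part of Clarity LIMS or its
# installCertificates.sh. Function names are this example's own, and the paths and
# the passphrase used in demo() are constructed sample values.

# Return 0 when a PEM private key is passphrase-protected, 1 when it is not.
# Traditional OpenSSL keys carry a "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys
# use the "ENCRYPTED PRIVATE KEY" block label.
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'ENCRYPTED PRIVATE KEY' "$1"
}

# Return 0 when the file or directory grants nothing to group and others, i.e. its
# octal mode ends in 00 (0600, 0700, 0500 ...). Handles GNU and BSD stat.
owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Method 1 helper: write the script Apache execs to obtain the passphrase (it must
# print the passphrase on stdout). $1 = script path, $2 = passphrase. The parent
# directory gets mode 0700 and the script 0500, so only its owner can read or run
# it. Assumes the passphrase contains no double quote, backslash or dollar sign.
write_passphrase_script() {
    dir=$(dirname "$1")
    { mkdir -p "$dir" && chmod 700 "$dir"; } || return 1
    ( umask 077 && printf '#!/bin/sh\necho "%s"\n' "$2" > "$1" ) || return 1
    chmod 500 "$1"
}

# The line to add to clarity.conf before the <VirtualHost> section.
passphrase_dialog_directive() {
    printf 'SSLPassPhraseDialog exec:%s\n' "$1"
}

# Report what still stands between the key and an unattended Apache start.
# Prints one line per finding; returns 0 when nothing needs fixing, 1 otherwise.
audit_key_setup() {
    key=$1; script=$2; ok=0
    if ! owner_only "$key"; then
        echo "WARN: $key is readable by group/others; restrict it to its owner"; ok=1
    fi
    if key_is_encrypted "$key"; then
        if [ ! -x "$script" ]; then
            echo "WARN: $key is encrypted but $script is missing or not executable"; ok=1
        elif ! owner_only "$script" || ! owner_only "$(dirname "$script")"; then
            echo "WARN: $script or its directory is readable by group/others"; ok=1
        fi
    else
        echo "INFO: $key has no passphrase; only file permissions protect it"
    fi
    return $ok
}

# Stand-alone demonstration on a constructed key file (header only, no real key).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' '(constructed sample, not key material)' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/private.key"
    chmod 600 "$tmp/private.key"
    write_passphrase_script "$tmp/apache-private/passphrase.sh" 'privatekeypassword'
    passphrase_dialog_directive "$tmp/apache-private/passphrase.sh"
    audit_key_setup "$tmp/private.key" "$tmp/apache-private/passphrase.sh"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo
```

Run the script as root on the Clarity LIMS server with the real key path and the intended script location to see the warnings; the audit treats a key without a passphrase as acceptable only insofar as the file itself is owner-only, which is the trade-off Method 2 makes.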
Assumptions and Prerequisites
• You have installed Clarity LIMS and have run the 40_install_proxy.sh script.
• You have OpenSSL (installed by default on the Clarity LIMS Linux server when you install Clarity LIMS). OpenSSL is used by the installCertificates.sh script.
• You have the files listed in the following table (obtained from the process described previously) available on the Clarity LIMS server. In the example shown below, these files are in the /tmp/certs directory.
File Description | Example File Name (used in the examples that follow)
---|---
Apache private key | private.key
Signed SSL/TLS Certificate | customer_domain.crt
Intermediate chain file (optional) | intermediate.crt
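Before running the installer it is worth confirming that the three files actually belong together: that they are PEM (what Apache 2.4 reads), that the private key matches the certificate, that the certificate was issued by the supplied chain, and that it is not about to expire. The following POSIX shell script is an added pre-flight check, not part of Clarity LIMS or installCertificates.sh; its function names are its own and the file names follow the table above. Instead of vendor files, demo() generates a constructed two-tier test bundle (a throwaway CA standing in for the intermediate, plus a server certificate it signs) so the script runs on its own.

```shell
#!/bin/sh
# Added pre-flight check for the files listed in the table above. This is not part
# of Clarity LIMS or installCertificates.sh. The function names are this example's
# own; the file names follow the table. demo() generates a constructed two-tier
# test bundle (a throwaway CA plus a server certificate) instead of vendor files.

# Apache 2.4 (mod_ssl) reads PEM. Return 0 if $1 contains a PEM block whose label
# ends in $2 (e.g. CERTIFICATE, or PRIVATE KEY for RSA, PKCS#8 and encrypted keys).
# DER or PKCS#12 bundles fail this check and must be converted first.
is_pem() {
    grep -q "^-----BEGIN .*$2-----" "$1"
}

# Return 0 when the private key belongs to the certificate. Both public keys are
# extracted in SubjectPublicKeyInfo PEM form, so this works for RSA and EC keys.
# KEY_PASSPHRASE (optional) unlocks an encrypted key; with no passphrase set, an
# encrypted key fails the check instead of blocking on an interactive prompt.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout -passin "pass:${KEY_PASSPHRASE:-}" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate was issued by the supplied chain file. A vendor
# chain file usually holds intermediates rather than a root, so -partial_chain
# lets verification stop at them; with no chain file, verify against the system
# trust store instead.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Return 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run one check: $1 is a description, the rest is the command. Failures set rc=1.
check() {
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; rc=1; fi
}

# Check key ($1), certificate ($2) and optional chain ($3); 0 only if all pass.
preflight() {
    rc=0
    check "private key is PEM"                        is_pem "$1" "PRIVATE KEY"
    check "certificate is PEM"                        is_pem "$2" CERTIFICATE
    check "private key matches certificate"           key_matches_cert "$1" "$2"
    check "certificate chains to supplied chain file" chain_verifies "$2" "$3"
    check "certificate valid for at least 30 days"    cert_valid_for_days "$2" 30
    return $rc
}

# Constructed test material: a throwaway CA (standing in for the vendor's
# intermediate) and a server certificate it signs. A private config file keeps the
# result independent of whatever system openssl.cnf is present.
make_test_bundle() {
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        > "$1/openssl.cnf"
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 3650 -subj '/CN=Constructed Test CA' -keyout "$1/ca.key" \
        -out "$1/intermediate.crt" >/dev/null 2>&1 || return 1
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=lims.example.test' -keyout "$1/private.key" -out "$1/server.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/customer_domain.crt" >/dev/null 2>&1
}

# Stand-alone demonstration on the constructed bundle.
demo() {
    dir=$(mktemp -d)
    make_test_bundle "$dir" || { echo "could not generate test material"; rm -rf "$dir"; return 1; }
    preflight "$dir/private.key" "$dir/customer_domain.crt" "$dir/intermediate.crt"
    status=$?
    rm -rf "$dir"
    return $status
}

command -v openssl >/dev/null 2>&1 && demo
```

On the real server, call preflight with the three paths from the table (the third argument may be empty when the vendor supplied no chain file) before running installCertificates.sh; a FAIL on the key/certificate match or the chain check is the usual sign that the vendor bundle was assembled from mismatched files.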
Install the Signed SSL/TLS Certificates
On the Clarity LIMS server, as the root user, run the installCertificates.sh script:
[root@doclarity04 ~]# cd /opt/gls/clarity/config/
[root@doclarity04 config]# bash installCertificates.sh
Java KeyTool detected
This script will prompt you to supply the required SSL Certificates for your ClarityLIMS server.
These files include:
- A private key file and signed Certificate file for use by apache.
- Optionally, depending on the organization that signs your Certificate, you may receive a 'Chain' file.
Enter the full path to the SSL Private Key for your server:/tmp/certs/private.key
Enter the full path to the Apache Certificate for your server - This is the Certificate signed by the SSL Vendor or Certificate Authority:/tmp/certs/customer_domain.crt
Enter the full path to the SSL Vendor Chain file:/tmp/certs/intermediate.crt
INFO: Testing Apache
Syntax OK
Apache Proxy is ready