How to Replacing httpd self signed SSL certificates with trusted CA signed certificates in Postgres Enterprise Manager

January 20, 2023

1. Stop the httpd service using the below command on the server where your web services (httpd) is configured:

e.g.

systemctl stop httpd (RHEL 7.x)

/etc/init.d/httpd stop (RHEL 6.x)

2. Change the current directory to ‘/usr/edb/pem/resources’

 

[root@localhost resources]# cd /usr/edb/pem/resources

 

You should have the following self signed certificate and its key file:

 

[root@localhost resources]# ls -ltrh

total 12K

-rw-r--r--. 1 root root 3.7K May 17 11:19 pem-server-random.sql.in

-rw-rw-r--. 1 root root 3.2K May 17 11:19 server-pem.key

-rw-rw-r--. 1 root root 2.2K May 17 11:19 server-pem.crt

 

3. Take the backup of the certificate and the key before we replace them with trusted CA certificates.

 

4. After taking the backup, remove the certificate and the key file from location “/usr/edb/epm/resources”:

 

[root@localhost resources]# rm server-pem.*

rm: remove regular file 'server-pem.crt'? y

rm: remove regular file 'server-pem.key'? y

 

5. Place your trusted CA certificate, Intermediate certificate and the key in the same location as shown below. Please change the permissions to root and chmod 664:

 

[root@localhost resources]# ls -ltrh

total 16K

-rw-r--r--. 1 root root 3.7K May 17 11:19 pem-server-random.sql.in

-rw-rw-r--. 1 root root 4.0K Jul 18 12:59 GandiStandardSSLCA2.pem

-rw-rw-r--. 1 root root 3.2K Jul 18 12:59 test.enterprisedb.com.key

-rw-rw-r--. 1 root root 2.5K Jul 18 12:59 test.enterprisedb.com.crt

 

6. You can see that I have “test.enterprisedb.com.crt” certificate and “test.enterprisedb.com.key” key file and “GandiStandardSSLCA2.pem” SSL cert chain file. I have made sure to setup the hostname and DNS to test.enterprisedb.com so that the flow could work correctly. To check the network connectivity you can use “ping” utility from another server to check if pinging the hostname resolves or not.

 

ping test.enterprisedb.com  —— (This should be done from another server in the network)

 

7. After placing the certificate, key and chain file, you need to modify following lines from the file “/etc/httpd/conf.d/edb-ssl-pem.conf”:

 

#   General setup for the virtual host

DocumentRoot "/usr/edb/pem/web"

ServerName test.enterprisedb.com:8443


SSLEngine on



SSLCertificateFile "/usr/edb/pem/resources/test.enterprisedb.com.crt"

SSLCertificateKeyFile "/usr/edb/pem/resources/test.enterprisedb.com.key"

SSLCertificateChainFile "/usr/edb/pem/resources/GandiStandardSSLCA2.pem"

 

8. You also need to modify the “/etc/httpd/conf/httpd.conf” for below parameters:

 

ServerName test.enterprisedb.com:8443

 

9. Please start the httpd service using the below command:

 

systemctl start httpd (CentOS/RHEL 7)

/etc/init.d/httpd24-httpd start (CentOS/RHEL 6)

 

10. If the httpd service starts successfully, then please verify by opening the web client. I used the following url to verify the certificates and it was not showing as “Not Secure” in the browser address bar. I have added the below screen shot as well:

 

https://test.enterprisedb.com:8443/pem

NOTE: Please make sure that the test.enterprisedb.com or whatever is the hostname of the PEM server, the server from which you are opening the web client should resolve it at the network level otherwise the browser will not be able to open the web client.

Share this

Relevant Blogs

Why you should use Docker Compose

h2 { text-align: left !important; } .summary{ background:#f3f7f9; padding:20px; } SUMMARY: This article explains the benefits of using Docker Compose for creating multiple container applications. It reviews the steps for...
January 24, 2023

More Blogs

Quickstart guide on using pgPool

Steps (as root user)   #!/bin/bash   # Setup YUM repository for installing EPAS as the PEM # repository rpm -Uvh   # Set YUM username/password in edb.repo export YUM_USER=
January 24, 2023

Using auth_method=hba in PgBouncer

Introduction PgBouncer is a great tool for improving database performance with connection pooling.  I've been using it for many years, since it first became available in 2007.  Since then, several...
January 23, 2023