
    How to create a self-signed SSL certificate for the Apache of Aleph (use case: Relais sends NCIP over HTTPS requests to Aleph)

    • Article Type: General
    • Product: Aleph

    Desired Outcome Goal:
    Primary goal (scope of this KCS Article):
    A self-signed SSL certificate (signed with the Secure Hash Algorithm SHA-1) and the corresponding private key exist on the Aleph server.

    Secondary goal:
    The Apache webserver of Aleph can be configured to use this self-signed SSL certificate, so that the Relais Discovery to Delivery service can communicate with the Aleph NCIP server (via Apache and the Aleph WWW Server).

    Procedure:
    (1)
    Log on to the Aleph server as UNIX user aleph.


    (2)
    Change directory to /exlibris/tmp.


    (3)
    Create a parameter file (e.g. named self-cert.cnf) for the self-signed SSL certificate with the following contents:

    [req]
    prompt=no
    default_bits=2048
    encrypt_key=no
    default_md=sha1
    distinguished_name=dn
    string_mask=MASK:0002
    x509_extensions=ext
    [dn]
    CN=<hostname>
    [ext]
    subjectAltName=DNS:<hostname>,DNS:<alt_hostname>
    subjectKeyIdentifier=hash


    Note:
    =====
    You need to set the following two parameters:

    (3.1)
    CN=<hostname>

    Set this parameter to the full hostname which identifies the Apache webserver.

    Example:
    CN=alephprod.library.edu


    (3.2)
    subjectAltName=DNS:<hostname>,DNS:<alt_hostname>

    Set the first part of this parameter to the full hostname which identifies the Apache webserver.
    If an alternative name exists that also identifies the Apache webserver, set the second part of the parameter to that name.

    Example:
    subjectAltName=DNS:alephprod.library.edu,DNS:opac.library.edu


    (4)
    Execute the following command:

    $ openssl req -config ./self-cert.cnf -new -x509 -days 3650 -keyout ./self_sha1.key -out ./self_sha1.crt

    This command creates the self-signed SSL certificate file self_sha1.crt and the corresponding private key self_sha1.key (you can choose any name for these files).


    (5)
    Now you can enable this self-signed SSL certificate in the Apache of Aleph and proceed with the NCIP configuration in Aleph.
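
Before Apache is pointed at the files from step (4), they can be checked with the script below. It is an added example, not Ex Libris code. The function name check_cert_pair and the script name check_cert.sh are hypothetical, the hostname is the example value from (3.1), and the signature check assumes an RSA key as configured in step (3).

```shell
#!/bin/sh
# Added example (not Ex Libris code): checks for the files created in step (4).
# usage: check_cert_pair CERT KEY HOSTNAME [DIGEST]   (DIGEST defaults to sha1)
check_cert_pair() {
    cert=$1; key=$2; host=$3; digest=${4:-sha1}; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert"; return 1; }

    # 1. Confirm that default_md from the parameter file took effect.
    #    RSA certificates report e.g. "sha1WithRSAEncryption".
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sigalg in
        "$digest"With*) ;;
        *) echo "FAIL: signed with '$sigalg', expected $digest"; rc=1 ;;
    esac

    # 2. The hostname that clients connect to must be a subjectAltName DNS entry.
    if ! printf '%s\n' "$text" | tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$host"; then
        echo "FAIL: DNS:$host missing from subjectAltName"; rc=1
    fi

    # 3. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 4. encrypt_key=no leaves the key unencrypted on disk, so file permissions
    #    are its only protection: group and others must have no access.
    perms=$(ls -ldL "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible by group/others (chmod 600 it)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert / $key"
    return "$rc"
}

# Run as a script: sh check_cert.sh ./self_sha1.crt ./self_sha1.key alephprod.library.edu
if [ "$#" -ge 3 ]; then check_cert_pair "$@"; fi
```

A non-zero exit status means at least one check failed; each failure is printed on its own line.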

    Additional Information

    As of 27 March 2015, Relais Discovery to Delivery service BorrowDirect does not support SSL certificates signed with SHA-2, but requires certificates signed with SHA-1.