How to create a self-signed SSL certificate for the Apache of Aleph (use case: Relais sends NCIP over HTTPS requests to Aleph)
- Article Type: General
- Product: Aleph
Desired Outcome Goal:
Primary goal (scope of this KCS Article):
A self-signed SSL certificate (signed with the Secure Hash Algorithm SHA-1) and the corresponding private key exist on the Aleph server.
Secondary goal:
The Apache webserver of Aleph can be configured to use this self-signed SSL certificate, so that the Relais Discovery to Delivery service can communicate with the Aleph NCIP server (via Apache and the Aleph WWW Server).
Procedure:
(1)
Log on to the Aleph server as UNIX user aleph.
(2)
Change directory to /exlibris/tmp.
(3)
Create a parameter file (e.g. named self-cert.cnf) for the self-signed SSL certificate with the following contents:
[req]
prompt=no
default_bits=2048
encrypt_key=no
default_md=sha1
distinguished_name=dn
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=<hostname>
[ext]
subjectAltName=DNS:<hostname>,DNS:<alt_hostname>
subjectKeyIdentifier=hash
Note:
=====
You need to set the following two parameters:
(3.1)
CN=<hostname>
Set this parameter to the full hostname which identifies the Apache webserver.
Example:
CN=alephprod.library.edu
(3.2)
subjectAltName=DNS:<hostname>,DNS:<alt_hostname>
Set the first part of this parameter to the full hostname which identifies the Apache webserver.
If the Apache webserver is also reachable under an alternative name, set the second part of the parameter to that name.
Example:
subjectAltName=DNS:alephprod.library.edu,DNS:opac.library.edu
(4)
Execute the following command:
$ openssl req -config ./self-cert.cnf -new -x509 -days 3650 -keyout ./self_sha1.key -out ./self_sha1.crt
This command creates the self-signed SSL certificate file self_sha1.crt and the corresponding private key self_sha1.key (you can choose any name for these files). Because the parameter file sets encrypt_key=no, the private key is written unencrypted, so keep its file permissions restricted to the aleph user.
(5)
Now you can enable this self-signed SSL certificate in the Apache of Aleph and proceed with the NCIP configuration in Aleph.
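The following script is an added example, not part of the Ex Libris article: it writes the parameter file from step (3), runs the command from step (4), and then verifies that the resulting certificate really is SHA-1 signed, carries the intended subjectAltName entries and matches its private key before it is handed to Apache. It assumes openssl is on the PATH and uses a temporary directory in place of /exlibris/tmp; the hostnames are the article's sample values.

```shell
#!/bin/sh
# Added example (not from the Ex Libris article). Generates the certificate
# the way steps (3) and (4) describe and then checks the result.
set -eu

HOST="alephprod.library.edu"        # sample hostname from the article
ALT="opac.library.edu"              # sample alternative hostname from the article
WORKDIR="${WORKDIR:-$(mktemp -d)}"  # the article works in /exlibris/tmp

# Step (3): write the parameter file with the article's settings.
write_config() {
  cat > "$WORKDIR/self-cert.cnf" <<EOF
[req]
prompt=no
default_bits=2048
encrypt_key=no
default_md=sha1
distinguished_name=dn
string_mask=MASK:0002
x509_extensions=ext
[dn]
CN=$HOST
[ext]
subjectAltName=DNS:$HOST,DNS:$ALT
subjectKeyIdentifier=hash
EOF
}

# Step (4), plus restricting the unencrypted key file to its owner.
make_cert() {
  openssl req -config "$WORKDIR/self-cert.cnf" -new -x509 -days 3650 \
    -keyout "$WORKDIR/self_sha1.key" -out "$WORKDIR/self_sha1.crt" 2>/dev/null
  chmod 600 "$WORKDIR/self_sha1.key"
}

# Signature algorithm of the certificate; Relais expects sha1WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$WORKDIR/self_sha1.crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Comma-separated DNS entries of the subjectAltName extension.
san_list() {
  openssl x509 -in "$WORKDIR/self_sha1.crt" -noout -text \
    | grep -o 'DNS:[^, ]*' | paste -sd, -
}

# True when the certificate's public key belongs to the generated private key.
key_matches() {
  [ "$(openssl x509 -in "$WORKDIR/self_sha1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORKDIR/self_sha1.key" -pubout)" ]
}
```

Run write_config, make_cert and then the three check functions; a certificate whose sig_alg is not sha1WithRSAEncryption would be refused by the Relais service described below.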
Additional Information
As of 27 March 2015, Relais Discovery to Delivery service BorrowDirect does not support SSL certificates signed with SHA-2, but requires certificates signed with SHA-1.