Placing Your Own TLS Key for the Web Server to Use

This approach only works if you have created an actual DNS hostname for the AC-Hunter system and access it with a URL like https://achunter.mydomain.com, as opposed to accessing it with an IP address such as https://1.2.3.4.

On the AC-Hunter system, make a backup of the original key and certificate with:

sudo cp -p /etc/AC-Hunter/private.key /etc/AC-Hunter/private.key.orig
sudo cp -p /etc/AC-Hunter/public.crt /etc/AC-Hunter/public.crt.orig

Create the private key and certificate signing request for the hostname you use. To use the built-in openssl command on the AC-Hunter system, ssh to it and run:

openssl req -new -newkey rsa:2048 -nodes -keyout SERVER_NAME.key -out SERVER_NAME.csr

Send this “.csr” (Certificate Signing Request) file and any other requested information to your chosen Certificate Authority and pay to have it signed. They’ll return a signed certificate file.

Please save a copy of the key, csr, and crt files on a different system.

Copy the key you generated above to /etc/AC-Hunter/private.key on the AC-Hunter system.

Download the certificate you received from the CA to /etc/AC-Hunter/public.crt on the AC-Hunter server.

If your Certificate Authority provides root and/or intermediate certificates as well, these need to go into the public.crt file too! The order does matter: your server certificate goes at the top of that file, followed by the intermediate certificate, then the CA root certificate.

As the user under which AC-Hunter was installed, run:

sudo chown root /etc/AC-Hunter/public.crt /etc/AC-Hunter/private.key
sudo chmod 644 /etc/AC-Hunter/public.crt /etc/AC-Hunter/private.key
sudo hunt up -d --force-recreate web

Now go back to your web browser and reload the AC-Hunter interface with Shift-Ctrl-R.

From this point on you should no longer see the warning about an unsigned certificate when starting AC-Hunter. To confirm that the new certificate is being used, go to https://achunters.host.name and click on the lock to the left of the URL when it comes up (the steps to see certificate details vary between browsers). You should be able to see the details of your new certificate there; if you still see a certificate with the Organization set to either “OffensiveCounterMeasures” or “Active Countermeasures”, retry these steps or check with support.

We recommend setting a yearly reminder to replace the certificate before it expires.
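The script below is an added example and is not part of the AC-Hunter documentation or product. Run on the AC-Hunter system (or wherever you assembled the files) before copying them into /etc/AC-Hunter, it checks that the private key matches the server certificate, that the certificates in public.crt are in the order required above (server certificate first, then intermediate, then root), and whether the certificate is still valid 30 days from now, which is the kind of check a renewal reminder should trigger. It assumes only that the openssl command line tool is installed; the function names check_keypair, check_chain_order and cert_valid_for are my own, not AC-Hunter's.

```shell
#!/bin/sh
# Added example, not part of the AC-Hunter documentation: pre-flight checks for
# the key and certificate files before they are copied into /etc/AC-Hunter.
# Assumes only that the openssl command line tool is installed.
# Function names (check_keypair, check_chain_order, cert_valid_for) are my own.

# check_keypair KEYFILE CRTFILE
# Returns 0 when the RSA private key in KEYFILE matches the public key of the
# FIRST certificate in CRTFILE (the server certificate must be first), else 1.
check_keypair() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# check_chain_order CRTFILE
# Splits the PEM bundle into its certificates and returns 0 when each one is
# issued by the certificate that follows it (server, intermediate(s), root),
# which is the order the web server needs; returns 1 otherwise.
check_chain_order() {
    tmp=$(mktemp -d) || return 1
    # Write certificate number N of the bundle to $tmp/N.pem and report the count.
    n=$(awk -v dir="$tmp" \
        '/-----BEGIN CERTIFICATE-----/ { n++ }
         n > 0 { print > (dir "/" n ".pem") }
         END { print n + 0 }' "$1")
    rc=0
    [ "$n" -ge 1 ] || rc=1
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/$i.pem" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/$next.pem" | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || rc=1
        i=$next
    done
    rm -rf "$tmp"
    return "$rc"
}

# cert_valid_for CRTFILE SECONDS
# Returns 0 when the first certificate in CRTFILE is still valid SECONDS from
# now, 1 when it will have expired by then (useful for a renewal reminder).
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Usage: sh check_tls_files.sh SERVER_NAME.key public.crt
if [ "$#" -eq 2 ]; then
    check_keypair "$1" "$2" && echo "OK: private key matches server certificate" \
        || echo "FAIL: private key does not match the first certificate in $2"
    check_chain_order "$2" && echo "OK: chain is in server/intermediate/root order" \
        || echo "FAIL: certificates in $2 are not ordered server, intermediate, root"
    # 30 days = 2592000 seconds
    cert_valid_for "$2" 2592000 && echo "OK: certificate valid for at least 30 more days" \
        || echo "WARN: certificate expires within 30 days, renew it"
fi
```

The chain check only compares issuer and subject names between neighbouring certificates, which is enough to catch the common mistake of pasting the CA bundle above the server certificate; it does not verify signatures, so a wrong intermediate with the right name would still pass and the browser check above remains the final confirmation.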

Category: Server Configurations & Functionality