SSL Certs & Security
- Go to servicenow.llnl.gov and submit a request for an SSL certificate.
- This starts the process of getting you a DigiCert account. DigiCert will then email you the steps that need to be completed to obtain a cert for your domain.
- When you are on the DigiCert site filling out their forms, add a SAN for both sdk.testing and psij.testing, because those are sub-sub-domains rather than subdomains. The wildcard cert only covers *.domain, not *.*.domain.
- Complete the CSR steps; this is where the server.key private key file is generated.
- One of their steps requires you to prove ownership of the domain. You do that with a TXT record in your DNS, which you can add here: https://domains.google.com/.
- Once you have downloaded the certs from DigiCert, copy them to the server.
- sudo vi /etc/nginx/conf.d/default.conf
- Add the following:
data:image/s3,"s3://crabby-images/1db20/1db209557b6b233720128438541dc54a2fc1231b" alt="Screen Shot 2023-03-29 at 2 28 44 PM"
- The files listed above should be inside the cert.zip you got from DigiCert, except for the *.key file, which you created during the CSR step.
- sudo systemctl restart nginx
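The SAN step above hinges on the fact that a wildcard name matches exactly one label. The following added example (not part of this wiki page) implements that matching rule and lists which requested hostnames a wildcard order would leave uncovered; example.org and the hostnames in it are constructed stand-ins for the real domain.

```python
"""Which hostnames does a wildcard certificate actually cover?

Added example, not from the original wiki page. Implements the single-label
wildcard rule used by browsers and OpenSSL (RFC 6125 section 6.4.3):
"*.example.org" matches "sdk.example.org" but not "sdk.testing.example.org",
so deeper names must be listed as explicit SANs on the CSR / order form.
"example.org" and the hostnames below are constructed sample values.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Only a leading '*' as the entire left-most label is honoured, and it
    matches exactly one DNS label (no dots), never zero or several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                    # ".example.org"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]         # the part the '*' must stand for
    return bool(left) and "." not in left   # exactly one non-empty label


def names_needing_san(cert_names, hostnames):
    """Return the hostnames not covered by any name already on the cert."""
    return [h for h in hostnames
            if not any(wildcard_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed: a typical wildcard order covers the apex and *.domain.
    cert = ["example.org", "*.example.org"]
    wanted = ["www.example.org", "testing.example.org",
              "sdk.testing.example.org", "psij.testing.example.org"]
    print("add as SANs:", names_needing_san(cert, wanted))
    # prints: add as SANs: ['sdk.testing.example.org', 'psij.testing.example.org']
```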
If your cert has an error or other issue, DigiCert's help pages are here: https://www.digicert.com/help/
If you are hosting the website on an EC2 instance, you can use an Application Load Balancer (ALB) to redirect HTTP to HTTPS. Documentation is here: https://repost.aws/knowledge-center/elb-redirect-http-to-https-using-alb
The LLNL security team would like us to install agents to monitor the server for security issues. Nessus agent installation is detailed here: https://myconfluence.llnl.gov/pages/viewpage.action?spaceKey=CSP&title=Linux+Nessus+Agent#LinuxNessusAgent-NessusAgentInstallation
You will also need to install CrowdStrike, which requires a CrowdStrike token provided by Paul Ibarra. Instructions for installing the CrowdStrike Falcon sensor are here: https://www.crowdstrike.com/blog/tech-center/install-falcon-sensor-for-linux/