If you plan to add an SSL client certificate to your instance, Inventory must first be configured to use HTTPS as explained in this guide. After that you need to create a certificate for the express purpose of client authentication. This guide uses openssl commands. Please follow all prompts openssl shows you.
Create a certificate authority
To create a certificate for client authentication you need to create a "certificate authority" beforehand.
First, in a command line / PowerShell window, navigate to the folder where you want to save the certificate.
Then use the following commands to create the certificate authority:
- openssl genrsa -des3 -out ot-base_CA.key 2048
- openssl req -x509 -new -nodes -key ot-base_CA.key -sha256 -days 1825 -out ot-base_CA.crt
Create the client certificate
The next step is to create the client certificate using the following commands, in the same folder as the certificate authority you created beforehand:
- openssl genrsa -out client.key 4096
- openssl req -new -key client.key -out client.req
- openssl x509 -req -in client.req -CA ot-base_CA.crt -CAkey ot-base_CA.key -set_serial 101 -extensions client -days 1825 -outform PEM -out client.crt
- openssl pkcs12 -export -inkey client.key -in client.crt -out otbase-inventory.p12
Store the password you set for "otbase-inventory.p12" in a secure place, since you need it when you import the .p12 into a browser.
Once the certificates are created you need to copy the "ot-base_CA.crt" to the "config" folder on the Inventory server. This directory is located here "/var/ot-base/config" if the host operating system is Linux, or here "%ProgramData%\Langner\OT-BASE Asset Center\config" if the host operating system is Windows (note that the ProgramData folder is hidden).
Make Inventory use the Client Certificate
Once the certificate is copied you need to change a file in the Inventory docker container with the steps below.
- Open the command line on the docker host
- Open the command line of the Inventory container by using the command: "docker exec -it ot-base bash" and pressing enter
- Type in "nano /etc/apache2/sites-available/001-ssl.conf" and press enter
- In the opened file add the following lines after "SSLEngine on":
- SSLVerifyClient require
- SSLVerifyDepth 1
- SSLCACertificateFile /var/otb_config/ot-base_CA.crt
- Press CTRL+O
- Press enter
- Press CTRL+X
- Press CTRL+D
- Type in "docker exec ot-base reload" and press enter
A message will appear stating that Site "001-ssl" is now enabled. Your server is now secured by a client certificate. You can now close the command line.
This last step where you make Inventory use the client certificate needs to be done after each update of OTbase Inventory.
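Because an update resets this file, a check like the following can confirm after each update that client-certificate enforcement is still in place. It is an added example, not part of OTbase or its documentation; the function name check_client_auth is hypothetical, and it assumes the file contains a single SSL virtual host.

```shell
#!/bin/sh
# Added example (not OTbase code). check_client_auth is a hypothetical helper.
# Returns 0 only if FILE still carries the three directives from this guide.
# Assumes one SSL virtual host per file; the last value seen for a directive wins.
check_client_auth() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        { sub(/\r$/, "") }            # tolerate CRLF line endings
        /^[ \t]*#/ { next }           # a commented-out directive does not count
        {
            name = tolower($1)        # Apache directive names are case-insensitive
            value = $2
            gsub(/"/, "", value)      # strip optional quotes around the value
            if (name == "sslengine")            engine = tolower(value)
            if (name == "sslverifyclient")      verify = tolower(value)
            if (name == "sslverifydepth")       depth  = value
            if (name == "sslcacertificatefile") ca     = value
        }
        END {
            bad = 0
            if (engine != "on")      { print "SSLEngine is not on"; bad = 1 }
            if (verify != "require") { print "SSLVerifyClient is [" verify "], expected require"; bad = 1 }
            if (depth != "1")        { print "SSLVerifyDepth is [" depth "], expected 1"; bad = 1 }
            if (ca != "/var/otb_config/ot-base_CA.crt") { print "SSLCACertificateFile is [" ca "]"; bad = 1 }
            exit bad
        }
    ' "$conf"
}
```

To check the live file from the docker host, copy it out first, for example with "docker exec ot-base cat /etc/apache2/sites-available/001-ssl.conf > 001-ssl.conf", then run "check_client_auth 001-ssl.conf".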
Please note that if you use automated exports, you now need to use this client certificate in Discovery as well, as explained in this guide under "Using HTTP or HTTPS".
To gain access to the Inventory webpage you now need to install the "otbase-inventory.p12" in your browser as explained in this guide.