Articles in this section

Add an SSL-Client Certificate

  • Updated
Follow

If you plan on adding an SSL-Client Certificate to your instance you have to have Inventory configured to use HTTPS as explained in this guide. After that you need to create a certificate file for the express purpose of client authentication. This guide will use commands for openssl. Please follow all prompts openssl shows you.

Create a certificate autority

To create a certificate for client authentication you need to create a certificate authority beforehand.

First navigate to the folder where you want to save the certificate in a command line/ powershell.

Then use the following commands to create the certificate authority:

> openssl genrsa -des3 -out ot-base_CA.key 2048
> openssl req -x509 -new -nodes -key ot-base_CA.key -sha256 -days 1825 -out
    ot-base_CA.crt

Create the client certificate

The next step is to create the client certificate using the following commands, in the same folder as the certificate authority you created beforehand:

> openssl genrsa -out client.key 4096
> openssl req -new -key client.key -out client.req 
> openssl x509 -req -in client.req -CA ot-base_CA.crt -CAkey ot-base_CA.key
        -set_serial 101 -extensions client -days 1825 -outform PEM -out client.crt
> openssl pkcs12 -export -inkey client.key -in client.crt -out otbase-inventory.p12

Save the password you gave the otbase-inventory.p12 in a secure place since you need it when you import the .p12 into a browser.

Once the certificates are created, you will need to copy the ot-base_CA.crt file to the config folder on the Otbase Inventory server. This directory is located here /var/ot-base/config for Linux, and for Windows: %ProgramData%\Langner\OT-BASE Asset Center\config (If you cannot find the Program Data folder, please adjust your Folder options to show hidden files and folders)

 

Make Inventory use the Client Certificate

Once the certificate is copied, you will now need to change a file in the OTbase Inventory docker container with the steps below.

  1. Open the command line on the docker host
  2. Open the command line of the Inventory container by using the command: "docker exec -it ot-base bash" and pressing enter
  3. Type in "nano /etc/apache2/sites-available/001-ssl.conf" and press enter
  4. In the opened file add the following lines after "SSLEngine on":
    1. SSLVerifyClient require
    2. SSLVerifyDepth 1
    3. SSLCACertificateFile /var/otb_config/ot-base_CA.crt
  5. Press CRTL+O
  6. Press enter
  7. Press CTRL+X
  8. Press CTRL+D
  9. Type in "docker exec ot-base reload" and press enter

A message will appear stating that Site 001-ssl is now enabled. Your server is now secured by a client certificate. You can now close the command line.

This last step is where you make OTbase Inventory use the client certificate and  needs to be done after each update of OTbase Inventory.

Please note that you now need to use this client certificate in Discovery, if you use automated exports, as explained in this guide under the Using HTTP or HTTPS option.

To gain access to the OTbase Inventory webpage, you now need to install the otbase-inventory.p12 file in your browser as explained in this guide.

Related articles

Comments

0 comments

Please sign in to leave a comment.