
Configuring HTTPS

GGCE API and Web application traffic need to be secured with SSL certificates, and both endpoints should only be accessible through https. Enabling https involves the following steps:

  1. Register GGCE domain names in the DNS
  2. Generate a new SSL private key and a Certificate Signing Request (CSR)
    • On Windows you can use IIS to generate and sign certificates and skip the remaining steps!
  3. Submit the CSR to a Certificate Authority for signature
  4. Apply signed certificate and private key to GGCE

DNS names

GGCE requires two names to be registered in your organization's DNS: one for the GGCE web interface and one for the API server.

First, pick a name where users will access the web interface. Here are some suggestions, assuming that the internal network domain is internal.lan:

  • ggce.genebank.internal.lan
  • ggce.internal.lan
  • pick-your-own.internal.lan

The name for the API server can be one of:

  • ggce-api.genebank.internal.lan
  • ggce-api.internal.lan
  • pick-your-own-api.internal.lan

Ask your network administrator to add the two DNS entries to the DHCP/DNS as CNAME records pointing to your Docker host.

Generate a Certificate Signing Request

Use the configuration template ggce-ssl.conf shown below to specify the advanced configuration of the GGCE certificate. Update the configuration according to your needs.

ggce-ssl.conf
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = DE
O = Crop Trust
OU = Genebank
CN = GGCE
DC = lan
0.DC = internal

[req_ext]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ggce.internal.lan
DNS.2 = ggce-api.internal.lan

Create a new private key in ggce.key and a CSR ggce.req to be submitted to the Certificate Authority for signature:

openssl req -out ggce.req -keyout ggce.key -newkey rsa:2048 -nodes -sha256 -config ggce-ssl.conf
Tip: OpenSSL is installed on Linux and Mac systems and is available for Windows. It provides the openssl command.

Sign the CSR

The Domain Controller (DC) on your network usually provides Certificate Services and a CA certificate that is trusted by all computers in the domain.

Domain Administrator privileges required

If certreq reports the following error:

Certificate not issued (Denied) Denied by Policy Module The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

then cmd.exe needs to be "Run as..." a user with Domain Administrator privileges.

Send the ggce.req file to your Domain Administrator. They will sign the CSR by running the following command in cmd.exe:

certreq -submit -attrib "CertificateTemplate:WebServer" ggce.req ggce.pem

This command will prompt the Domain Administrator to select the signing CA and will save the signed certificate as ggce.pem. The Administrator should send this file back to you; it needs to be copied into the traefik/ subfolder.
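The CSR and signing steps above, as an added shell example that is not part of the GGCE documentation: it writes a config matching the page's ggce-ssl.conf, generates the key and CSR with the same openssl command, and then provides the checks worth running before the certificate goes into traefik/ (both DNS names present as SANs, certificate matches the private key). File names are assumptions, and self_sign stands in for the certreq step so the checks can be exercised without a CA.

```shell
# Added example (not GGCE project code). File names and the self-signing
# stand-in for the certreq step are assumptions for illustration only.
set -eu

write_ggce_conf() {  # $1 = path; content mirrors ggce-ssl.conf from the page
  cat > "$1" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = DE
O = Crop Trust
OU = Genebank
CN = GGCE
DC = lan
0.DC = internal
[req_ext]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ggce.internal.lan
DNS.2 = ggce-api.internal.lan
EOF
}

make_csr() {  # $1 conf, $2 key out, $3 CSR out: the page's openssl req command
  openssl req -out "$3" -keyout "$2" -newkey rsa:2048 -nodes -sha256 -config "$1" 2>/dev/null
}

has_san() {  # $1 "req" or "x509", $2 PEM file, $3 DNS name that must appear as a SAN
  openssl "$1" -noout -text -in "$2" | grep -qE "DNS:$3(,|\$)"
}

cert_matches_key() {  # $1 cert PEM, $2 private key: public keys must be identical
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Stand-in for the CA step (certreq on the page): self-sign the CSR, keeping
# the req_ext section so the SANs from the CSR end up in the certificate.
self_sign() {  # $1 conf, $2 CSR, $3 key, $4 cert out
  openssl x509 -req -in "$2" -signkey "$3" -days 30 -sha256 \
    -extfile "$1" -extensions req_ext -out "$4" 2>/dev/null
}
```

Run has_san against the ggce.pem returned by the Domain Administrator as well: a CA that ignores the requested extensions produces a certificate that browsers reject for the API name.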

Alternatives

If you do not have a CA available for your domain, you can use a self-signed CA. Contact support+ssl@ggce.genesys-pgr.org for assistance.