Overview
As an Administrator of your LM system, you want to secure connections to your site using Secure Sockets Layer (SSL), or you want to replace your existing SSL certificate with a new one because the existing certificate is expiring. You also want to know which SSL_CIPHERS values are supported.
Solution
If you are configuring SSL for the first time, follow the steps in Create a Certificate Signing Request (CSR) to produce a request that you will submit to your Certificate Authority (CA), such as Verisign or GoDaddy. After you have submitted your CSR, or processed a renewal to replace an existing certificate, follow the steps in Install an SSL Certificate. If your browser shows the error "Did Not Connect: Potential Security Issue" while you log in, the SSL certificate has expired and needs to be renewed; follow the same installation steps with the renewed certificate.
Create a Certificate Signing Request (CSR)
Skip this section and proceed to Install an SSL Certificate if you already have a certificate installed and need to replace it with the one you have received from your Certificate Authority.
- Run the command prompt as an Administrator and cd to the certs directory ...\listmanager\tclweb\bin\certs
- Most new SSL certificates now use 2048-bit keys. By default the SSL config file openssl.conf, found in the certs directory ...\listmanager\tclweb\bin\certs, is set to 1024. You will need to update this if your key is not 1024-bit. To do this, open openssl.conf and change the line
default_bits = 1024
to
default_bits = 2048
- Generate a CSR file (Certificate Request) and the private key file by entering the command below:
openssl req -new -nodes -keyout skey.pem -out public.csr -config openssl.conf
After entering this command, you will be prompted for information about your company. Make sure that your Common Name is correct or your CSR will get rejected.
Although not all fields are required, we recommend completing the following when generating your CSR:
- Common name (CN): This field is required and must be your site's fully-qualified domain name (FQDN) e.g., www.example.com
- Company (or Organization – O): Your company's legally registered name e.g., Example, Inc.
- Company division (or Organization Unit – OU): The name of your department within the organization. You can leave this option blank; simply press Enter.
- Country (C): The two-letter country code where your company is legally located
- State (S): The state/province where your company is legally located
- Locality (L) or City: The city where your company is legally located
Note: If you wish, you can edit the openssl.conf file to provide default information for your organization so you don't have to type it each time you create a certificate request. Verisign (http://www.verisign.com) has some example input for creating the certificate request.
- You will now have two files in the certs directory: the certificate signing request (public.csr), which contains your public key and is what you submit to the CA, and the private key (skey.pem). Both should be protected from the outside world; the private key in particular must never be sent to anyone, the CA included.
- Submit the CSR file (public.csr) you created to your Certifying Authority (CA).
The certificate request (CSR) is a Base64-encoded text block that begins with -----BEGIN CERTIFICATE REQUEST----- and ends with -----END CERTIFICATE REQUEST-----.
To test SSL, you can request a temporary (15-day) license from Verisign by looking for the free SSL Trial ID offer. To use this test license, you will also have to install its client certificate ("Test CA Root") into the browser you plan to use.
- Fill out the Certificate Authority's required technical contact information and submit it.
You will receive your certificate via email.
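The following script, added here and not part of the original article, performs the CSR steps above without interactive prompts and then checks the result (key size, Common Name, and that public.csr really belongs to skey.pem) before anything is sent to the CA. It assumes a POSIX shell with openssl on PATH; the subject values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: create the key and CSR the
# article describes without interactive prompts, then check the result before
# sending public.csr to the CA. Assumes a POSIX shell with openssl on PATH;
# the subject values are constructed placeholders.
set -e

# Generate skey.pem and public.csr in directory $2 for the FQDN in $1.
# -newkey rsa:2048 fixes the key size directly, so default_bits in
# openssl.conf does not have to be edited for this run.
make_csr() {
  fqdn="$1"; dir="$2"
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout "$dir/skey.pem" -out "$dir/public.csr" \
    -subj "/C=US/ST=Example State/L=Example City/O=Example Inc/CN=$fqdn" \
    >/dev/null 2>&1
  chmod 600 "$dir/skey.pem"   # the private key stays readable by its owner only
}

# Print the RSA key size in bits of a private key file (e.g. 2048).
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# Print the Common Name in the CSR subject; handles both "CN = x" and "/CN=x" output styles.
csr_cn() {
  openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the CSR's self-signature verifies and its public key
# belongs to the given private key, i.e. the pair that will be installed.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh make_csr.sh www.example.com ./certs
if [ "$#" -eq 2 ]; then
  make_csr "$1" "$2"
  echo "key bits: $(key_bits "$2/skey.pem")"
  echo "CSR CN:   $(csr_cn "$2/public.csr")"
  csr_verify "$2/public.csr" "$2/skey.pem" && echo "CSR verifies and matches skey.pem"
fi
```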
Install an SSL Certificate
Use this section to install a new certificate or replace an existing certificate with one that has been renewed.
- Find the certificate you received from the certificate authority, copy it into a text file, and save it as server.pem. The extension must be '.pem'.
- Place or replace the server.pem file in ListManager's certs directory ...\listmanager\tclweb\bin\certs. Make sure the skey.pem file (the private key generated with the openssl req command above) is there also.
If you are updating an existing certificate by replacing it, you are done and can proceed to the Testing section below.
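Before restarting ListManager with a new or renewed server.pem, the checks below (an added example, not part of the original article) confirm that the certificate was issued for skey.pem, that it is not about to expire, that its Common Name is the site's FQDN, and, once the web server is up, which protocol and cipher are actually negotiated. It assumes a POSIX shell with openssl on PATH and the file names used in this article.

```shell
#!/bin/sh
# Added example, not part of the original article: checks to run on server.pem
# and skey.pem before restarting ListManager. Assumes a POSIX shell with
# openssl on PATH and the two PEM files named as in the article.
set -e

# Succeed only if the certificate's public key is the one in the private key,
# i.e. server.pem really was issued for the CSR made from skey.pem.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeed only if the certificate in $1 stays valid for at least $2 more days
# (an expired certificate is what produces the browser error mentioned above).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the Common Name in the certificate subject, which must equal the site's FQDN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Connect to the running web server and print the negotiated protocol and cipher,
# confirming that TLS (not SSLv2/SSLv3) and an expected cipher suite are in use.
probe_tls() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    grep -E '^ *(Protocol|Cipher) *:'
}

# Usage: sh check_cert.sh ./certs www.example.com
if [ "$#" -eq 2 ]; then
  cert="$1/server.pem"; key="$1/skey.pem"
  cert_matches_key "$cert" "$key" && echo "server.pem matches skey.pem" \
    || echo "MISMATCH: server.pem was not issued for skey.pem"
  cert_valid_for_days "$cert" 30 && echo "certificate valid for 30+ days" \
    || echo "WARNING: certificate expires within 30 days"
  [ "$(cert_cn "$cert")" = "$2" ] && echo "CN matches $2" \
    || echo "WARNING: CN is $(cert_cn "$cert"), not $2"
  probe_tls "$2"
fi
```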
- If you are enabling SSL for the first time, turn on the SSL option for the ListManager web server.
- Open the tclhttpd.rc file located in the bin directory ...\listmanager\tclweb\bin with a plain text editor (such as Notepad or WordPad) and edit the following lines to read:
Config USE_SSL2 0
Config USE_SSL3 0
Config USE_TLS1 1
By default these options are off (0). Note that USE_SSL2 and USE_SSL3 must stay at 0, as these protocols are no longer secure; only USE_TLS1 is set to 1.
- Add a list of SSL ciphers to support, if necessary, to the Config SSL_CIPHERS setting:
Config SSL_CIPHERS { }
Use one of the supported SSL cipher configuration strings from the Supported SSL_CIPHERS in LM article to configure your SSL ciphers.
Note: OpenSSL provides the SSL support for TclHttpd. The TclHttpd setting Config SSL_CIPHERS { } takes a string of the same form expected by OpenSSL's "ciphers" command:
openssl ciphers [-v] [-V] [-ssl2] [-ssl3] [-tls1] [cipherlist]
Note that multiple ciphers are separated with ":" (colon) between cipher names.
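Because SSL_CIPHERS uses the same syntax as the openssl ciphers command, the string can be expanded locally to see exactly which suites it would enable. The script below, added here and not part of the original article, does that expansion and flags suites a public web server should not offer (null, export, anonymous, RC4, DES/3DES and MD5-based); it assumes a POSIX shell with openssl on PATH.

```shell
#!/bin/sh
# Added example, not part of the original article: expand an SSL_CIPHERS string
# with the same "openssl ciphers" command TclHttpd's setting follows, and flag
# cipher suites that should not be offered. Assumes openssl is on PATH.
set -e

# Expand a colon-separated cipher string into the suites it selects, one per line.
# Prints nothing when the string matches no cipher (openssl reports an error).
expand_ciphers() {
  openssl ciphers "$1" 2>/dev/null | tr ':' '\n'
}

# Count the suites a string selects (0 when the string is invalid).
cipher_count() {
  expand_ciphers "$1" | grep -c . || true
}

# Name fragments that mark suites unsafe for a public web server: null or
# export-grade encryption, anonymous key exchange, RC4, single/triple DES, MD5 MACs.
WEAK_PATTERN='NULL|EXP|ADH|AECDH|RC4|DES|MD5'

# List the weak suites a cipher string would enable; prints nothing when clean.
weak_ciphers() {
  expand_ciphers "$1" | grep -E "$WEAK_PATTERN" || true
}

# Succeed only when the string is valid and enables no weak suite.
cipher_string_ok() {
  [ "$(cipher_count "$1")" -gt 0 ] && [ -z "$(weak_ciphers "$1")" ]
}

# Usage: sh check_ciphers.sh 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
if [ "$#" -eq 1 ]; then
  echo "suites enabled by '$1': $(cipher_count "$1")"
  cipher_string_ok "$1" && echo "no weak suites" || { echo "weak suites:"; weak_ciphers "$1"; }
fi
```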
Testing
- Stop both the ListManager and ListManager Web services.
- Open a command prompt and cd to the listmanager directory ...\listmanager
- Run the command:
lm start
- Open a new command prompt and cd to the bin directory ...\listmanager\tclweb\bin
- Run the command:
httpd-lm
Verify output like this:
Server running on port 80
SSL started on https:// port 443
- Stop ListManager in both command prompts by pressing CTRL + C in each to shut it down.
- Start both ListManager services as normal.
When connecting over HTTPS, the newly installed or updated certificate is presented and used to secure the connection.