IBM Cloud Docs
Managing origin certificates

Origin certificates are free TLS certificates issued by IBM Cloud® Internet Services (CIS) that encrypt the traffic between CIS and your origin server. Order one and install it on your origin server.

CIS origin certificates are trusted only by CIS. Browsers and other clients that connect to your origin directly, bypassing CIS, do not trust them and report a certificate error.

Ordering an origin certificate

To order an origin certificate, provide a Certificate Signing Request (CSR) or select a private key type for CIS to generate a key and CSR.

Specify up to 100 hostnames (including wildcards) on your origin that the certificate protects. Wildcards only provide one level of coverage. Use multiple wildcards on the same certificate for broader coverage (for example, *.yourdomain.com and *.yoursubdomain.yourdomain.com). CIS Origin Certificates do not permit IP addresses.

Specify the expiration. The default certificate expiration is 15 years; the shortest expiration is seven days.

If CIS generated the private key and CSR for you, the private key is shown only once, immediately after the certificate is issued. Copy it to your origin server at that time; it cannot be retrieved later. If you supplied your own CSR, the private key never leaves your server.
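As an added example (not code from the IBM Cloud page), the following Python plans the hostname list for an origin certificate request according to the rules above: a wildcard stands for exactly one label, IP addresses are refused, and at most 100 entries are allowed. The zone example.com and the hostnames fed to it are constructed.

```python
import ipaddress

# Added example, not IBM Cloud code: plan the SAN list for a CIS origin
# certificate according to the rules on this page. Zone and hostnames below
# are constructed for illustration.

MAX_HOSTNAMES = 100  # CIS limit on hostnames per origin certificate


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def wildcard_covers(san: str, hostname: str) -> bool:
    """True if a SAN entry covers hostname.

    A wildcard stands for exactly one DNS label, so '*.example.com'
    covers 'www.example.com' but neither 'a.b.example.com' nor the
    apex 'example.com'.
    """
    san, hostname = _norm(san), _norm(hostname)
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def plan_sans(zone: str, hostnames):
    """Return (sans, rejected) for a CIS origin certificate request.

    Each hostname under zone is collapsed to a wildcard at its own depth
    (api.eu.example.com -> *.eu.example.com); the apex is listed as is.
    rejected maps names CIS will not accept to the reason.
    """
    zone = _norm(zone)
    sans, rejected = set(), {}
    for raw in hostnames:
        name = _norm(raw)
        if is_ip_literal(name):
            rejected[raw] = "ip address"  # CIS origin certs never cover IPs
        elif name == zone:
            sans.add(zone)
        elif name.endswith("." + zone):
            sans.add("*" + name[name.index("."):])  # replace the leftmost label
        else:
            rejected[raw] = "outside zone"
    # Every accepted hostname must be covered by an entry we emit.
    for raw in hostnames:
        if raw not in rejected and not any(wildcard_covers(s, raw) for s in sans):
            raise RuntimeError(f"planner bug: {raw} uncovered")
    if len(sans) > MAX_HOSTNAMES:
        raise ValueError(f"{len(sans)} SAN entries exceeds the CIS limit of {MAX_HOSTNAMES}")
    return sorted(sans), rejected


if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "api.eu.example.com",
              "db.eu.example.com", "10.0.0.5", "other.net"]
    print(plan_sans("example.com", wanted))
```

The planner deliberately emits one wildcard per depth rather than a single *.example.com, because the single-label rule means hosts under eu.example.com need their own *.eu.example.com entry.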

Installing an origin certificate on your server

Apache HTTPD

  1. Order an origin certificate.

  2. Copy the private key and origin certificate in PEM format into separate files to the directory on your server where you keep key and certificate files.

  3. Locate your Apache configuration file. Typically the filename is httpd.conf or apache2.conf and the location is /etc/httpd/ or /etc/apache2/, but your layout might differ, especially if you use a control panel or other interface to manage the server. Refer to Apache's DistrosDefaultLayout for a complete list of default installation layouts. The following command is one way to find the SSL configuration file on Linux.

    grep -i -r "SSLCertificateFile" /etc/httpd/
    
  4. Locate the <VirtualHost> block to configure. Because HTTP and HTTPS each need their own virtual host, you can copy the existing non-secure virtual host and adapt the copy for port 443 so that the site stays available over both.

  5. Configure the <VirtualHost> block for SSL. The following example represents a simple configuration for SSL. Use the filenames for your certificate and private key. SSLCertificateFile is your origin CA certificate filename and SSLCertificateKeyFile is your origin CA private key filename.

    <VirtualHost 192.168.0.1:443>
      DocumentRoot             /var/www/html2
      ServerName               www.mydomain.com
      SSLEngine                on
      SSLCertificateFile       /path/to/your_domain_name.crt
      SSLCertificateKeyFile    /path/to/your_private.key
    </VirtualHost>
    
  6. Test your configuration. Before restarting Apache, verify there are no errors in your configuration files. Run the following command to test your configuration.

    apachectl configtest
    
  7. Restart Apache. Run the following commands to restart Apache with SSL support.

    apachectl stop
    apachectl start
    

If SSL support does not load with apachectl start, run apachectl startssl. This applies only to legacy Apache 2.0 and earlier installations; Apache 2.2 and later have no startssl command and load SSL whenever mod_ssl is configured. If Apache only starts with SSL support using apachectl startssl, adjust the startup configuration so that apachectl start includes SSL support. Otherwise, after a server reboot you might have to restart Apache manually with apachectl startssl. This typically involves removing the <IfDefine SSL> and </IfDefine SSL> tags that enclose your SSL configuration.

NGINX

  1. Order an origin certificate.

  2. Copy the private key and origin certificate in PEM format into separate files to the directory on your server where you keep key and certificate files.

  3. Update your NGINX virtual host file for the website. The following example shows a server block with SSL support: the ssl parameter on the port 443 listen directive enables TLS on that socket, while the port 80 listener keeps the site available over plain HTTP.

    server {
      listen    80;
      listen    443 ssl;    # enable TLS on the socket; the separate "ssl on;" directive is deprecated
    
      ssl_certificate         /path/to/your_certificate.pem;
      ssl_certificate_key     /path/to/your_private.key;
      location / {
        root    /home/www/public_html/yourdomain.com/public/;
        index   index.html;
      }
    }
    
  4. Restart NGINX. Check the configuration for syntax errors first with nginx -t, then run one of the following commands to restart NGINX.

    sudo /etc/init.d/nginx restart
    sudo systemctl restart nginx
    

Apache Tomcat

  1. Order an origin certificate.

  2. Copy the origin certificate in PKCS #7 format (cert.p7b) to the directory on your server where you keep certificate files. The private key stays in the Java keystore from which you generated the CSR; you do not copy it separately.

    You must import the certificate into the same keystore, under the same alias (server in this example), that you used to generate the CSR. The import in the next step fails if the certificate goes into a different keystore, because the keystore entry must already hold the matching private key.

  3. Install the certificate. Run the following command to install the SSL Certificate file to your keystore.

    keytool -import -trustcacerts -alias server -file cert.p7b -keystore your_site_name.jks
    

    A confirmation message appears: "Certificate reply was installed in keystore." Enter y or yes if asked to trust the certificate. Your keystore file (your_site_name.jks) is now ready to use on your Tomcat Server.

  4. Configure your SSL connector. Configure an SSL connector for Tomcat to be able to accept secure connections.

    1. Open the Tomcat server.xml file in a text editor. The server.xml file is typically located in the conf folder of your Tomcat's home directory.
    2. Identify the connector to use to secure the new keystore. A connector with port 443 or 8443 is typically used.
    3. Remove any comment tags (<!-- and -->) that might be surrounding the connector.
    4. Update the correct keystore filename and password in your connector configuration.

    The following example represents a configured SSL Connector block.

    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https"
    secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
    keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks"
    keystorePass="your_keystore_password" />
    

    If your Tomcat version is prior to Tomcat 7, change keystorePass to keypass.

  5. Save your server.xml file.

  6. Restart Tomcat.

Microsoft Internet Information Services (IIS) 7.0

  1. Create a CSR in IIS Manager and export it as .pem. The IIS Manager is located under Administrative Tools.

  2. Order a CIS origin certificate using your CSR.

  3. Copy the origin certificate to the desktop of your server.

  4. Open IIS Manager and select your server's hostname under Connections.

  5. Select Server Certificates from the IIS section in the center menu.

  6. Select the action Complete Certificate Request from the Actions menu. On the Specify Certificate Authority Response page under File name containing the certification authority's response, click ... to browse to the .cer certificate file that was copied to the desktop, select the file, and click Open.

  7. Enter a friendly name for the certificate. The friendly name identifies the certificate.

  8. Select OK to finish the certificate installation to your server.

  9. Bind the certificate to your website. Select your website by expanding Sites under your server's name in the menu under Connections in the IIS Manager. Select Bindings under Edit Site from the Actions menu. Select Add from the Site Bindings window and submit the following information.

    Type              https
    IP Address        All Unassigned
    Port              443
    SSL Certificate   your_cert_friendly_name
    
  10. Your website is now configured to accept secure connections.

Microsoft Internet Information Services (IIS) 8.0 and 8.5

  1. Create a CSR in IIS Manager and export it as .pem. The IIS Manager is located under Administrative Tools.

  2. Order a CIS origin certificate using your CSR.

  3. Copy the origin certificate to the desktop of your server.

  4. Open IIS Manager and select your server's hostname under Connections.

  5. Select Server Certificates from the IIS section in the center menu.

  6. Select the action Complete Certificate Request from the Actions menu. On the Specify Certificate Authority Response page under File name containing the certification authority's response, click ... to browse to the .cer certificate file that was copied to the desktop, select the file, and click Open.

  7. Enter a friendly name for the certificate. The friendly name identifies the certificate.

  8. Select OK to finish the certificate installation to your server.

  9. Bind the certificate to your website. Select your website by expanding Sites under your server's name in the menu under Connections in the IIS Manager. Select Bindings under Edit Site from the Actions menu. Select Add from the Site Bindings window and submit the following information.

    Type              https
    IP Address        All Unassigned
    Port              443
    SSL Certificate   your_cert_friendly_name
    
  10. Optionally, configure your SSL certificate to use Server Name Indication (SNI) if you have multiple sites using SSL bound to the same IP address. Select the Require Server Name Indication box.

  11. Your website is now configured to accept secure connections.

Certificate chains

Some origin web servers (and the Tomcat keystore import above) require the CIS Origin CA certificate chain, because that CA is not in public trust stores. Use these links to download either an ECC or an RSA version, matching the key type of your origin certificate, and then upload the certificate chain to your origin web server.
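An added post-installation check, not code from the IBM Cloud page. It connects to the origin by its real address (DNS for the site points at CIS), sends the site hostname as SNI, and verifies the presented certificate against the downloaded CIS Origin CA chain only, mirroring what CIS does when it connects to the origin; a second probe with the system trust store shows why browsers reject an origin certificate. The address 203.0.113.10, the hostname www.example.com and the chain file name cis_origin_chain.pem are assumptions, and SAMPLE_PEERCERT is a constructed stand-in for getpeercert() output.

```python
import socket
import ssl
from datetime import datetime, timezone

# Added example, not IBM Cloud code: check the certificate an origin actually
# presents, trusting only the CIS Origin CA chain the way CIS itself does.
# Host names, addresses and the chain file path below are assumptions.


def san_dns_names(peercert: dict) -> list:
    """DNS names from the dict returned by SSLSocket.getpeercert()."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def days_until_expiry(peercert: dict, now=None) -> float:
    """Days left on the certificate; origin certs may be issued for as little as 7 days."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return (not_after - now.timestamp()) / 86400


def probe_origin(origin_addr: str, servername: str, chain_file: str, port: int = 443) -> dict:
    """TLS handshake with the origin, verified against the CIS origin chain only.

    origin_addr is the origin's real address; servername is sent as SNI and
    checked against the certificate's SANs. Raises ssl.SSLCertVerificationError
    when the chain or the hostname does not verify.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED by default
    ctx.load_verify_locations(cafile=chain_file)  # CIS Origin CA chain, not the system store
    with socket.create_connection((origin_addr, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return tls.getpeercert()


def browser_would_trust(origin_addr: str, servername: str, port: int = 443) -> bool:
    """Same handshake with the system trust store: expected False for an origin cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_addr, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=servername):
                return True
    except ssl.SSLCertVerificationError:
        return False


# Constructed sample of getpeercert() output, used for the offline checks.
SAMPLE_PEERCERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SAMPLE_NOW = datetime(2029, 12, 31, tzinfo=timezone.utc)


if __name__ == "__main__":
    cert = probe_origin("203.0.113.10", "www.example.com", "cis_origin_chain.pem")
    print("SANs:", san_dns_names(cert))
    print("days left:", round(days_until_expiry(cert), 1))
    print("browser trusts it:", browser_would_trust("203.0.113.10", "www.example.com"))
```

Run it against each origin after installing the certificate and whenever you shorten the expiry: probe_origin succeeding while browser_would_trust returns False is the expected state for an origin certificate, and days_until_expiry is the number to alert on.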

Revoking an origin certificate

Delete your CIS origin certificate to revoke it. This process cannot be undone, and CIS stops trusting the certificate immediately, so install a replacement on the origin before revoking to avoid failed connections between CIS and your origin.