The Data team uses an X.509 TLS certificate issued by the CCAO's internal Active Directory certificate authority to provide HTTPS for its internal server. This certificate occasionally needs to be manually renewed by an administrative or IT staff member. This guide walks through how to create or renew the certificate, export it, and install it for NGINX.
- Open the Certificate Manager app by pressing `Windows + R`, typing `certmgr.msc`, then pressing Enter.
- Click the arrow next to the Personal directory in the sidebar, then select the Certificates directory.
- Right-click the Certificates directory, then click All Tasks > Request New Certificate.
- Click Next, keep `Active Directory Enrollment Policy` selected, then click Next again.
- Under `Active Directory Enrollment Policy`, select `CCAO EFS` or `CCAO WEB2`, click the Details down arrow to the right of the policy, then click Properties. A certificate used for HTTPS must carry the Server Authentication extended key usage; if in doubt, check the Extensions tab of this Properties dialog before continuing.
- On the General tab of the popup, set the friendly name to the name of the server, `datascience.cookcountyassessor.com`.
- Switch to the Subject tab. Under the `Subject name` field, select `Common name`, enter the value `datascience.cookcountyassessor.com`, then click the Add > button.
- Repeat the process of adding `Subject name` values for the following:
  - `Country`: US
  - `State`: Illinois
  - `Locality`: Chicago
  - `Email`: Email of whoever is making the cert
  - `Organization`: Cook County Assessor's Office
  - `Organization unit`: Data Department
- Under the `Alternative name` field, select `DNS`, enter the value `datascience.cookcountyassessor.com`, then click the Add > button. Do not skip this step: browsers match the hostname against the DNS Subject Alternative Name rather than the Common name, so a certificate without it is rejected even when the Common name is correct.
- Switch to the Private Key tab. Under Key options, check the box for `Make private key exportable`. This is required because the key has to leave the Windows certificate store to be installed on the NGINX host; it also means anyone who can export from this store can copy the key, so only do this on a machine you trust.
- Hit Apply in the bottom right of the popup, then click Next to create the new certificate.
- Click Finish to return to the Certificate Manager. You should see your new certificate in the list.
Now that the certificate is created, we need to export it for NGINX. To do so:
- Right-click the newly created certificate, then click All Tasks > Export. Click Next.
- Select the `Yes, export the private key` option, then click Next.
- Select `Export all extended properties`, then click Next. If the wizard offers an encryption choice, pick `AES256-SHA256` rather than `TripleDES-SHA1`; OpenSSL 3 cannot open the legacy format without extra options (see below).
- Select the `Password` option, enter an arbitrary strong password you'll remember, then click Next. This password is the only thing protecting the private key inside the file while it is copied around, so treat it accordingly.
- Select an export location and filename (the extension should be `.pfx`), then click Next, then Finish to save the file.
NGINX expects separate certificate and key files, so we need to break up the `.pfx` file we just made using some `openssl` options.

- Move the exported `.pfx` file to the target/host server (use `scp` or a similar method). Be sure the directory you move it to is writeable, and that it is not served by NGINX or readable by other users, since the file contains the private key.
- Run the following command to extract the private key:

  ```
  openssl pkcs12 -in [yourfile.pfx] -nocerts -out temp.key
  ```

  You'll need to type the import password, which is the same password you used when exporting the `.pfx` file. You'll be prompted again to create a new PEM pass phrase; this one is temporary, so it can be something short. If OpenSSL 3 fails here with an `unsupported` algorithm error, the `.pfx` was exported with the legacy TripleDES/RC2 format: either re-export it choosing AES256-SHA256, or add `-legacy` to both `openssl pkcs12` commands.
- Run the following command to extract the certificate:

  ```
  openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out datascience.cookcountyassessor.com.crt
  ```

  `-clcerts` writes only the server certificate. If the issuing CA is an intermediate rather than the root, NGINX should also serve the intermediate certificate; in that case re-export the `.pfx` with "Include all certificates in the certification path if possible" checked and drop `-clcerts`, so the `.crt` file contains the whole chain (server certificate first).
- Run the following command to decrypt the private key (it prompts for the temporary pass phrase you set in the first step):

  ```
  openssl rsa -in temp.key -out datascience.cookcountyassessor.com.key
  ```

- Remove the `temp.key` file, and delete the `.pfx` from the server once you have confirmed the new files work.
You now have a signed certificate and private key file for use with NGINX. All that's left to do is to install them in the appropriate directory and set the correct permissions.
- Move the `.key` and `.crt` files you just created to `$NGINX_DIRECTORY/secrets`, where `$NGINX_DIRECTORY` is wherever the CCAO's nginx service is running.
- Set the owner of the key and certificate files to root with the following command (note the capital `-R`; `chown` has no lowercase `-r` option):

  ```
  sudo chown -R root:root $NGINX_DIRECTORY/secrets/*
  ```

- Set the permissions of the key and cert files so that only the owner can read and write them. Do not write `chmod -r` here: to `chmod`, `-r` means "remove read permission for everyone", which would leave NGINX unable to read its own key.

  ```
  sudo chmod 600 $NGINX_DIRECTORY/secrets/*
  ```

- Restart NGINX using `docker compose`. In `$NGINX_DIRECTORY`:

  ```
  docker compose down
  docker compose up -d
  ```

- Test the certificate by visiting RStudio. You should be able to click the certificate in the address bar and view the details you filled out earlier. Check that the expiry date shown is the new one; if the old date is still displayed, NGINX did not pick up the new files.
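The extraction, verification and installation steps above, collected into one script as an added example; this is not part of the original guide or the CCAO's repository. It assumes the hostname and `$NGINX_DIRECTORY/secrets` layout used in this guide, that the `.pfx` password is supplied in the `PFX_PASSWORD` environment variable (so it never appears on the command line or in shell history), and that the script runs as root on the NGINX host. `-nodes` replaces the `temp.key` / `openssl rsa` round-trip. It also adds checks the guide does not have: before anything is installed it verifies that the extracted key actually belongs to the certificate, that the DNS alternative name is present, and that the certificate is not about to expire. If OpenSSL 3 rejects a legacy-format `.pfx`, add `-legacy` to both `openssl pkcs12` calls.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: split a Windows-exported .pfx
# into the PEM files NGINX expects, verify them, install them, restart NGINX.
# Assumptions: PFX password in $PFX_PASSWORD; secrets live in <nginx_dir>/secrets.
set -eu

# Extract the server certificate and the unencrypted private key from a .pfx.
# Writes <outdir>/<host>.crt and <outdir>/<host>.key.
# -nodes writes the key without a pass phrase, so there is no temp.key to
# decrypt and delete; -passin env: keeps the password out of `ps` and history.
pfx_to_nginx_pem() {
  local pfx="$1" host="$2" outdir="$3"
  mkdir -p "$outdir"
  ( umask 077   # the key file must never be created world-readable, even briefly
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD \
      -out "$outdir/$host.key"
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASSWORD \
      -out "$outdir/$host.crt"
  )
  chmod 600 "$outdir/$host.key"
  chmod 644 "$outdir/$host.crt"
}

# Refuse to install a pair that would only fail later in the browser:
# the key must match the certificate, the DNS SAN must name the host,
# and the certificate must not be about to expire.
verify_pair() {
  local crt="$1" key="$2" host="$3" cert_pub key_pub san
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi
  san=$(openssl x509 -in "$crt" -noout -ext subjectAltName 2>/dev/null || true)
  case "$san" in
    *"DNS:$host"*) ;;
    *) echo "certificate has no DNS SAN for $host" >&2; return 1 ;;
  esac
  # -checkend N exits non-zero if the cert expires within N seconds (30 days)
  if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
    echo "certificate expires within 30 days; request a new one" >&2; return 1
  fi
}

# Copy the pair into <nginx_dir>/secrets with the modes the guide asks for.
# Run as root so the files end up root-owned (install keeps the caller's
# owner); install sets the mode on creation, unlike cp followed by chmod.
install_for_nginx() {
  local crt="$1" key="$2" nginx_dir="$3"
  mkdir -p "$nginx_dir/secrets"
  install -m 600 "$key" "$nginx_dir/secrets/$(basename "$key")"
  install -m 644 "$crt" "$nginx_dir/secrets/$(basename "$crt")"
}

# Recreate the NGINX container so it reads the new files.
restart_nginx() {
  (cd "$1" && docker compose down && docker compose up -d)
}

# Post-install check without a browser: print what NGINX actually serves.
check_live() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates -ext subjectAltName
}

# End-to-end run; the work directory holding the plaintext key is removed
# afterwards, and the .pfx itself should be deleted once this succeeds.
renew() {
  local pfx="$1" host="$2" nginx_dir="$3" work
  work=$(mktemp -d)
  pfx_to_nginx_pem "$pfx" "$host" "$work"
  verify_pair "$work/$host.crt" "$work/$host.key" "$host"
  install_for_nginx "$work/$host.crt" "$work/$host.key" "$nginx_dir"
  rm -rf "$work"
  restart_nginx "$nginx_dir"
  check_live "$host"
}

# Run end-to-end only when invoked with three arguments, e.g.
#   PFX_PASSWORD='...' bash renew.sh datascience.pfx datascience.cookcountyassessor.com /opt/nginx
if [ "$#" -eq 3 ]; then
  renew "$1" "$2" "$3"
fi
```

`verify_pair` compares the public key embedded in the certificate with the one derived from the private key, which is the reliable way to catch a mix-up between an old and a new export; the SAN check mirrors what the browser will do, and `-checkend` turns a soon-to-expire certificate into an error before it is installed rather than an outage later.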