Install a Purchased SSL/TLS Certificate

This section explains how to install purchased SSL/TLS certificates into Clarity LIMS v5 and later.

Clarity LIMS can work with Named or WildCard certificates.

Typically, the process to install the certificates into Clarity LIMS is as follows:

  1. Request a certificate from your IT organization, or purchase a certificate from a third-party SSL/TLS vendor.

  2. Install the certificate using the script installCertificates.sh provided with Clarity LIMS. This script prompts for the required inputs and helps you to configure Clarity LIMS to use your SSL/TLS certificate.

Some IT organizations have preexisting certificates issued by an internal organization, typically referred to as an 'internal CA.' These internal CA certificates are not fully compatible with Java, and prevent the automation worker—and all integrations—from properly communicating with the Clarity LIMS server. Internal CA certificates are therefore not supported in Clarity LIMS.

Obtaining the Certificate

You will need your organization or the third-party SSL/TLS vendor to provide you with the following:

  • An Apache 2.4-compatible SSL/TLS Certificate

  • The Certificate private key

  • The corresponding certificate chain, properly prepared for Apache 2.4. This component may not be required, depending on the organization that signs your certificate.

Your IT organization might provide you with a WildCard certificate. Clarity LIMS can use WildCard certificates, as long as the Apache 2.4-compatible certificate, private key, and certificate chain files are provided.

If purchasing from a third-party vendor, make sure that the vendor provides you with an Apache 2.4-compatible bundle that includes the components listed above. To purchase from a vendor, refer to their documentation.

Private key password considerations

By default, a private key has a password associated with it. On startup, Apache requests a passphrase to access the private key. You can use either of the following methods to resolve this issue:

Method 1 — Place a passphrase file on the system and reference it in your clarity.conf file.

  1. Create a passphrase file in a directory that has read, write, and execute permissions for only the root or apache user.

    #! /bin/bash 
    echo "privatekeypassword"
  2. Edit the clarity.conf file. The clarity.conf file is in the /etc/httpd/conf.d directory.

    Add the following line to your clarity.conf file, before the section:

    SSLPassPhraseDialog exec:/path/to/passphrase-script 

Method 2: Removing passphrase from an OpenSSL key

Removing the passphrase from an OpenSSL key is a security risk. Only remove the passphrase if you know that this risk is acceptable.

  • Remove the password from an OpenSSL key using the following command:

    Copy

    % openssl rsa -in private.key -out private_nopassphrase.key     

Install SSL/TLS Certificates for Use with Clarity LIMS

Assumptions and Prerequisites

  • You have installed BaseSpace Clarity LIMS and run the 40_install_proxy.sh script.

  • You have OpenSSL (installed by default on the Clarity LIMS Linux server when you install Clarity LIMS). OpenSSL is used by the installCertificates.sh script.

  • You have the files listed in the following table (obtained from the process described previously) available on the Clarity LIMS server. In the example shown below, these files are located at /tmp/certs.

File description
Example file name (used in examples below)

Apache private key

private.key

Signed SSL/TLS Certificate

customer_domain.crt

Intermediate chain file (optional)

intermediate.crt

Install the signed SSL/TLS Certificates

On the Clarity LIMS server, as the root user, run the installCertificates.sh script:

[root@doclarity04 ~]# cd /opt/gls/clarity/config/
[root@doclarity04 config]# bash installCertificates.sh
Java KeyTool detected
    This script will prompt you to supply the required SSL Certificates for your ClarityLIMS server.
    These files include:
    - A private key file and signed Certificate file for use by apache.
    - Optionally, depending on the organization that signs your Certificate, you may receive a 'Chain' file.
Enter the full path to the SSL Private Key for your server:/tmp/certs/private.key
Enter the full path to the Apache Certificate for your server - This is the Certificate signed by the SSL Vendor or Certificate Authority:/tmp/certs/customer_domain.crt
Enter the full path to the SSL Vendor Chain file:/tmp/certs/intermediate.crt
INFO: Testing Apache
Syntax OK
Apache Proxy is ready 

Last updated