Adding a Security Certificate to Your Website

Obtaining a security certificate from a Certificate Authority enables you to use https on your website hosted by CADES. Utilizing https maintains the confidentiality of the transferred information by using a set of encryption keys.

Additionally, this document will cover requirements for Firewall exceptions, cipher specifications, and HSTS preloading conditions.

Caveat: Auto SSL Creation for CADES VMs

In order to expedite ORNL's required compliance with DHS BOD 18-01 as many sites as possible were automatically adjusted to defaulting to HTTPS with a Let's Encrypt certificate.

Directive Overview

Pursuant to DHS BOD 18-01 all federal websites must be migrated to HTTPS. The prescribed implementation pattern is as follows


Part 1: Modifying the OpenStack Horizon Security Group

View the Instance Using Horizon

  1. Navigate to the Horizon web interface at
  2. Log in with your UCAMS credentials.
    • Domain: ornl
    • Username: Your three-letter UCAMS ID
    • Password: Your UCAMS password
  3. Navigate to ProjectComputeInstances.
  4. Click on the existing instance that hosts your web server if you'd like to review the settings.

If you have never launched a VM Instance before, check out the tutorial linked below before proceeding.

📖   How to: Launch a VM Instance

Add Rule for Secured TCP Traffic

When you originally set up your web server, the settings allowed incoming traffic on port 80. Now we need to allow secure traffic. Then we'll make sure the rule is properly assigned to your Instance.

  1. Navigate to ProjectComputeAccess & SecuritySecurity Groups.
  2. Find the existing Security Group that contains your http access rules and click Manage Rules on the right side of the screen.
  3. In the resulting window, click + Add Rule.
  4. In the resulting dialog, click the drop-down field under Rule.
  5. Choose the HTTPS rule template from the drop-down list.
    • Choosing the HTTPS template will automatically set the port to 443 and set the direction to Ingress.
  6. In the Remote box, choose CIDR (preferred) and leave the field as or enter the desired inter-domain range. See CIDR examples for more information.
  7. Click Add at the bottom of the dialog box to implement your custom rule.
  8. Confirm your new custom rule is displayed in the Manage Rules screen.

📖   More info: Security Groups

Add Rule to the Instance's Security Group

  1. Navigate to ProjectComputeInstances.
  2. On the right, click the down arrow (▾) next to Create Snapshot.
  3. Select Manage Security Groups.
  4. Click the + next to your new HTTPS rule to add it to your Instance.

Part 2: Obtaining the Security Certificate for your Site

The process of obtaining the SSL certificate is automated via the command line using Let's Encrypt and Certbot.

Access your VM via ssh.

  1. Open a Bash terminal.
  2. Execute ssh cades@
    • Replace with the IP address of your own Instance.
  3. You should now be connected to your VM Instance via SSH.

For more detailed information on connecting to your VM Instance using SSH, please see the SSH tutorials, linked below.

📖   How to: Access Your VM Instance Using SSH

For Windows users, we have developed a separate tutorial that walks you through connecting to your VM Instance using PuTTY's SSH client.

📖   How to: Access Your VM Instance Using PuTTY (Windows)

Installing Certbot for Ubuntu (see below for CentOS)

Certbot is an automated client that obtains and implements SSL certificates for your website.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

Installing Certbot for CentOS (see above for Ubuntu)

Certbot is an automated client that obtains and implements SSL certificates for your website.

chmod a+x certbot-auto
sudo ./path/to/certbot-auto certonly
sudo certbot --authenticator standalone --installer apache --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

Part 3: Updating Firewall Exception (for External-Facing Sites)

  1. Navigate to 
  2. Log in to the SAFER interface using your UCAMS credentials.
    • Username: Your three-letter UCAMS ID
    • Password: Your UCAMS password
  3. Click + New Request at the top left of the screen.
  4. On the resulting page, choose ORNL SAFER Request.
  5. In the resulting request dialog, we need to fill out the following fields:
    • Subject – A simple subject will do. We're going with VM web server.
    • Authorization – Set to None.
    • Change Request Justification – Provide the reason for your firewall exception.
    • Expires – Leave this blank to make this exception indefinite. Otherwise, choose a date for the exception to expire.
    • Source – The source IP or IP range (with CIDR notation if range) of the server for which you would like to make an exception. We're going to use the single IP address of our VM Instance,
    • Destination – For this example, we're going to make the source and the destination the same IP address,
    • Service – This can be formatted using the protocol/port (e.g., TCP/443) or you can choose from a list of common multi-port services in the drop-down menu. Please use TCP/443 as the secure traffic port.
    • Service Name – User-defined name of the rule. We're calling ours blackmesa_web.
  6. Once filled out, click Next to submit your request.

You will receive an e-mail confirmation of your request. You can also view the status of your exception request at any time by logging into the SAFER interface.

Part 4: Webserver configuration

Your webserver will need to be configured to do the following:

The exact details will vary between different web and application servers, but Mozilla provides a simple interactive tool that can help you get started:

Part 5: Certificate Auto-Renewal

Using a simple script we can automate the certificate renewal process. Although this certificate lasts for 90 days, running this cron job often will ensure your certificate stays up to date.

@weekly python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

If you find that you need more guidance setting up automatic renewal, you can visit this site.