Install ADFS SSL Certificate

This site has a new home; please follow this link:
https://www.shyju.in/posts/Install-SSL-Certificate-for-ADFS-server/

  1. Install the SSL certificate on the server and note the certificate thumbprint.
  2. Run the PowerShell command below to install it in ADFS, replacing the thumbprint with yours. Use the thumbprint without spaces.
    Set-AdfsSslCertificate -Thumbprint 'e5415105c8db76a659ea5ed23ac7d6fc8e9ebda8'

Odoo log rotate – on Windows

Don't use this script if you cannot afford an Odoo service restart.

Put the script below in a batch file and create a scheduled task in Windows Task Scheduler (preferably nightly) to run it.

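rem Stop Odoo so the log file is released, rename it with today's date, then restart.
rem The %DATE% offsets assume the "Ddd MM/DD/YYYY" short date format.
net stop odoo-server-12.0
move E:\odoo\logs\odoo.log E:\odoo\logs\odoo-%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%.log
net start odoo-server-12.0

rem Delete rotated logs older than 20 days.
forfiles /p "E:\odoo\logs" /s /m *.log /d -20 /c "cmd /c del @path"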

Apache – Restrict/Block direct IP access

Under /etc/httpd/conf.d (RHEL-based OS), create a new .conf file with the configuration below. Change the port and add your SSL certificates and keys. All requests made to the IP address will get a 403 Forbidden error, and requests to sub.example.com will be served from the directory /var/www/api.

Listen 9443

# All requests made to the IP address are handled in this section
<VirtualHost _default_:9443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/certs/apache-selfsigned.key
    DocumentRoot /var/www/def
    Redirect 403 /
    UseCanonicalName Off
    UserDir disabled
</VirtualHost>

# Name-based requests
<VirtualHost *:9443>
    DocumentRoot /var/www/api
    ServerName sub.example.com
    ServerAdmin admin@example.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/cert.pem
    SSLCertificateKeyFile /etc/httpd/certs/key.pem

    <Directory /var/www/api>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/httpd/sub.example.com-error.log
    CustomLog /var/log/httpd/sub.example.com-access.log combined
</VirtualHost>

OpenSSL – Create a Self Signed Document Signing certificate based on an external CSR

  1. Install OpenSSL
    yum install openssl
  2. Edit /etc/pki/tls/openssl.cnf and, in the [policy_match] section, set all fields to optional.
  3. Create the CA certificate. The -key option reads the existing CA private key from the path given.
    openssl req -new -x509 -days 365 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem

Country Name (2 letter code) [XX]:AE
State or Province Name (full name) []:Dubai
Locality Name (eg, city) [Default City]:DSO
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server’s hostname) []:My Company CA
Email Address []:me@mycompany.com


  4. Create the index and serial files. If the index file already exists, remove all lines from it.
    touch /etc/pki/CA/index.txt
    echo '1000' > /etc/pki/CA/serial

If you don't have a CSR, run the commands below to create a certificate. They use an existing private key, username_key.pem.

openssl req -utf8 -nameopt oneline,utf8 -new -key username_key.pem -out username_req.pem

openssl x509 -days 365 -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAserial /etc/pki/CA/serial -in username_req.pem -req -out username.pem

openssl pkcs12 -export -in username.pem -inkey username_key.pem -out username.p12

You can use this file (username.p12) to test digitally signing a PDF using Acrobat Reader.


If you have an external CSR and want to issue a certificate from it, run the command below. Here the CSR file is "dsa_csr_ad.txt".

openssl ca -cert /etc/pki/CA/cacert.pem -keyfile /etc/pki/CA/private/cakey.pem -in dsa_csr_ad.txt -out shyju_cert_ad.pem

Signatures made with self-signed certificates will always show the "at least one signature has problems" warning. You have to trust the certificate manually for the signature to show as valid.

OS Used : CentOS 7
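
The external-CSR step above signs whatever request it is handed. As an added example (not from the original post), this script builds a throwaway CA in a temporary directory and shows the checks worth running around that step: the CSR's self-signature before signing, then that the issued certificate carries the CSR's public key and chains to the CA. The alice/bob names, the subjects and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names and subjects are constructed; nothing touches /etc/pki.
set -eu

# Succeeds if the CSR's self-signature verifies, i.e. the requester holds the key.
# The message is matched so the check does not depend on the exit status.
csr_signature_ok() {
    openssl req -verify -noout -in "$1" 2>&1 | grep -q "verify OK"
}

# Succeeds if the certificate carries exactly the public key named in the CSR.
cert_matches_csr() {   # args: cert csr
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Succeeds if the certificate chains to the given CA certificate.
cert_chains_to() {     # args: cert ca_cert
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ": OK$"
}

# Sign a CSR only after its self-signature has been checked.
issue_from_csr() {     # args: csr out_cert ca_cert ca_key serial_file
    csr_signature_ok "$1" || { echo "rejected: $1" >&2; return 1; }
    openssl x509 -req -days 365 -in "$1" -CA "$3" -CAkey "$4" \
        -CAserial "$5" -out "$2" 2>/dev/null
}

# Build a scratch CA and two requesters (alice, bob) in directory $1,
# then issue a certificate for alice's CSR.
make_demo() {
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1/cakey.pem" \
        -subj "/O=Example/CN=Example Test CA" -out "$1/cacert.pem"
    echo 1000 > "$1/serial"
    for u in alice bob; do
        openssl genrsa -out "$1/${u}_key.pem" 2048 2>/dev/null
        openssl req -new -key "$1/${u}_key.pem" -subj "/CN=$u" -out "$1/${u}_req.pem"
    done
    issue_from_csr "$1/alice_req.pem" "$1/alice.pem" "$1/cacert.pem" "$1/cakey.pem" "$1/serial"
}

demo=$(mktemp -d)
make_demo "$demo"
cert_matches_csr "$demo/alice.pem" "$demo/alice_req.pem" && echo "key matches CSR"
cert_chains_to "$demo/alice.pem" "$demo/cacert.pem" && echo "chains to test CA"
cert_matches_csr "$demo/alice.pem" "$demo/bob_req.pem" || echo "bob's CSR: key mismatch"
rm -rf "$demo"
```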