This section explains how to install purchased SSL/TLS certificates into Clarity LIMS v5 and later.
Clarity LIMS can work with Named or WildCard certificates.
Typically, the process to install the certificates into Clarity LIMS is as follows:
Request a certificate from your IT organization, or purchase a certificate from a third-party SSL/TLS vendor.
Install the certificate using the script installCertificates.sh provided with Clarity LIMS. This script prompts for the required inputs and helps you to configure Clarity LIMS to use your SSL/TLS certificate.
Some IT organizations have preexisting certificates issued by an internal organization, typically referred to as an 'internal CA.' These internal CA certificates are not fully compatible with Java, and prevent the automation worker—and all integrations—from properly communicating with the Clarity LIMS server. Internal CA certificates are therefore not supported in Clarity LIMS.
You will need your organization or the third-party SSL/TLS vendor to provide you with the following:
An Apache 2.4-compatible SSL/TLS Certificate
The Certificate private key
The corresponding certificate chain, properly prepared for Apache 2.4. This component may not be required, depending on the organization that signs your certificate.
Your IT organization might provide you with a WildCard certificate. Clarity LIMS can use WildCard certificates, as long as the Apache 2.4-compatible certificate, private key, and certificate chain files are provided.
If purchasing from a third-party vendor, make sure that the vendor provides you with an Apache 2.4-compatible bundle that includes the components listed above. To purchase from a vendor, refer to their documentation.
By default, a private key has a password associated with it. On startup, Apache requests a passphrase to access the private key. You can use either of the following methods to resolve this issue:
Method 1 — Place a passphrase file on the system and reference it in your clarity.conf file.
Create a passphrase file in a directory that has read, write, and execute permissions for only the root or apache user.
Edit the clarity.conf file. The clarity.conf file is in the /etc/httpd/conf.d directory.
Add the following line to your clarity.conf file, before the section:
Method 2: Removing passphrase from an OpenSSL key
Removing the passphrase from an OpenSSL key is a security risk. Only remove the passphrase if you know that this risk is acceptable.
Remove the password from an OpenSSL key using the following command:\
Assumptions and Prerequisites
You have installed BaseSpace Clarity LIMS and run the 40_install_proxy.sh script.
You have OpenSSL (installed by default on the Clarity LIMS Linux server when you install Clarity LIMS). OpenSSL is used by the installCertificates.sh script.
You have the files listed in the following table (obtained from the process described previously) available on the Clarity LIMS server. In the example shown below, these files are located at /tmp/certs.
On the Clarity LIMS server, as the root user, run the installCertificates.sh script:
File description
Example file name (used in examples below)
Apache private key
private.key
Signed SSL/TLS Certificate
customer_domain.crt
Intermediate chain file (optional)
intermediate.crt