Philterd

Talk to the Team

Tell us about your stack and the privacy problems you're trying to solve. We typically respond within one business day.

Prefer email? support@philterd.ai

Prefer to skip the form? Pick a time on our calendar →
or send a message

Please do not enter PII or PHI in this form. If you need to share an example, use a sanitized one.

Reference and how-to

How to Use a Signed SSL Certificate with Philter

How to replace Philter's default self-signed SSL certificate with a signed certificate from a trusted authority, using a Java keystore.

When Philter is deployed via the AWS Marketplace, Microsoft Azure Marketplace, or another third-party cloud marketplace, SSL will already be enabled via a self-signed certificate. It is recommended you replace this self-signed certificate with a valid certificate issued to your organization by a trusted authority. The instructions for how to do this are described below.

First, create a private key and a certificate signing request (CSR) for Philter on your domain. In this walkthrough we are using the domain philter.yourdomain.com as an example.

openssl req -new -newkey rsa:2048 -nodes -keyout philter_yourdomain_com.key -out philter_youdomain_com.csr

Submit the CSR to your SSL certificate vendor of choice and complete the SSL certificate ordering process. If prompted for a web server during the process, select Apache or Nginx. Once the process is complete and the certificate is issued you will receive a few files. The files you will need are summarized in the table below. The file names may vary and you may also receive other files as well.

File NameDescriptionCreator
philter_yourdomain_com.csrCertificate signing requestCreated by you
philter_yourdomain_com.keyCertificate private keyCreated by you
philter_yourdomain_com.ca-bundleIntermediate certificates provided by the issuing authorityReceived from SSL authority
philter_yourdomain_com.crtThe SSL certificate for philter.yourdomain.comReceived from SSL authority

When prompted for a keystore password we will use changeit. It is recommended you use a more secure password.

The first thing to do is to convert the certificate and the private key to PKCS12 format in philter.p12:

openssl pkcs12 -export -in philter_yourdomain_com.crt -inkey philter_yourdomain_com.key -name philter -out philter.p12

Now import the P12 file into a keystore philter.jks:

keytool -importkeystore -deststorepass changeit -destkeystore philter.jks -srckeystore philter.p12 -srcstoretype PKCS12

Add the intermediate certificate provided by the issuing authority to the keystore:

keytool -import -alias intermediate -trustcacerts -file philter_yourdomain.com.ca-bundle -keystore philter.jks

Update Philter’s settings in application.properties:

# SSL certificate settings
server.ssl.key-store-type=JKS
server.ssl.key-store=/path/to/philter.jks
server.ssl.key-store-password=changeit
server.ssl.key-alias=philter

Restart Philter:

sudo systemctl restart philter

Execute an API status request to verify Philter is running as expected. With the -v option we can see the details of the SSL certificate:

curl -v https://philter.yourdomain.com:8080/api/status

Look in the response for details of the certificate. Our domain was philter.yourdomain.com:

* Server certificate:
*  subject: CN=philter.yourdomain.com
*  start date: Apr 21 00:00:00 2020 GMT
*  expire date: Apr 21 23:59:59 2021 GMT
*  subjectAltName: host "philter.yourdomain.com" matched cert's "philter.yourdomain.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.

Related reading