Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The Security Server UI certificate can be changed by following the steps described below.

  1. First, take backup copies of the files listed below:

    Code Block
    languagebash
    sudo cp -a /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.key.bak
    sudo cp -a /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.crt.bak
    sudo cp -a /etc/xroad/ssl/proxy-ui-api.p12 /etc/xroad/ssl/proxy-ui-api.p12.bak
  2. Update the file permissions so that the backup copies are owned by xroad user:

    Code Block
    languagebash
    sudo chown -f xroad:xroad /etc/xroad/ssl/*.bak
  3. Generate a new private key and certificate signing request (CSR) by running the command:

    Code Block
    languagebash
    openssl req -x509 -newkey rsa:2048 -keyout proxy-ui-api-new.key -out proxy-ui-api-new.crt -days 365 -nodes
  4. Enter your CSR details.

  5. Locate and open the newly created CSR (/etc/xroad/ssl/proxy-ui-api-new.crt) in a text editor and copy all the text including:

    Code Block
    -----BEGIN CERTIFICATE REQUEST-----
    And
    -----END CERTIFICATE REQUEST-----
  6. Paste the contents of the CSR file in a local text file on your workstation.

  7. Purchase TSL/SSL certficate from a trusted Certificate Authority (CA) using the CSR file.

  8. Once the CA has issued the certificate, rename the certificate file to proxy-ui-api-new.crt, and copy it to /etc/xroad/ssl/ directory on the Security Server.

  9. Replace the old key and certificate files with the new ones:

    Code Block
    languagebash
    sudo mv /etc/xroad/ssl/proxy-ui-api-new.key /etc/xroad/ssl/proxy-ui-api.key
    sudo mv /etc/xroad/ssl/proxy-ui-api-new.crt /etc/xroad/ssl/proxy-ui-api.crt
  10. Create a PKCS#12 container (/etc/xroad/ssl/proxy-ui-api.p12) that includes the new key and certificate.

    Code Block
    languagebash
    sudo openssl pkcs12 -export -in /etc/xroad/ssl/proxy-ui-api.crt -inkey /etc/xroad/ssl/proxy-ui-api.key -name proxy-ui-api -out /etc/xroad/ssl/proxy-ui-api.p12 -passout pass:proxy-ui-api
  11. Update the file permissions.

    Code Block
    languagebash
    sudo chmod -f 660 /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12
    sudo chown -f xroad:xroad /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12
  12. Restart the xroad-proxy-ui-api service.

    Code Block
    languagebash
    sudo systemctl restart xroad-proxy-ui-api
  13. Check that the proxy UI API log (/var/log/xroad/proxy_ui_api.log) doesn't contain any TLS related errors.

  14. In case something goes wrong, restore the original files, and restart the xroad-proxy-ui-api service.

Filter by label (Content by label)
showLabelsfalse
max5
spacesXRDKB
sortmodified
showSpacefalse
reversetrue
typepage
cqllabel = "kb-how-to-article" and type = "page" and space = "XRDKB"
labelskb-how-to-article

...