...
First, take backup copies of the files listed below:
Code Block language bash cp -a /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.key.bak cp -a /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.crt.bak cp -a /etc/xroad/ssl/proxy-ui-api.p12 /etc/xroad/ssl/proxy-ui-api.p12.bak
Generate a new private key and certificate signing request (CSR) by running the command:
Code Block language bash openssl req -x509 -newkey rsa:2048 -keyout proxy-ui-api-new.key -out proxy-ui-api-new.crt -days 365 -nodes
Enter your CSR details.
Locate and open the newly created CSR ("
/etc/xroad/ssl/proxy-ui-api-new.crt") in a text editor and copy all the text including:/etc/xroad/ssl/proxy-ui-api-new.crt
Code Block -----BEGIN CERTIFICATE REQUEST----- And -----END CERTIFICATE REQUEST-----
Paste the contents of the CSR file in a local text file on your workstation.
Purchase TSL/SSL certficate from a trusted Certificate Authority (CA) using the CSR file.
Once the CA has issued the certificate, rename the certificate file to "
proxy-ui-api-new.crt", and copy it to "/etc/xroad/ssl/" directory on the Security Server.Replace the old key and certificate files with the new ones:
Code Block language bash mv /etc/xroad/ssl/proxy-ui-api-new.key /etc/xroad/ssl/proxy-ui-api.key mv /etc/xroad/ssl/proxy-ui-api-new.crt /etc/xroad/ssl/proxy-ui-api.crt
Create a PKCS#12 container ("
/etc/xroad/ssl/proxy-ui-api.p12") that includes the new key and certificate.Code Block language bash openssl pkcs12 -export -in /etc/xroad/ssl/proxy-ui-api.crt -inkey /etc/xroad/ssl/proxy-ui-api.key -name proxy-ui-api -out /etc/xroad/ssl/proxy-ui-api.p12 -passout pass:proxy-ui-api
Update the file permissions.
Code Block language bash chmod -f 660 /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12 chown -f xroad:xroad /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12
Restart the "
xroad-proxy-ui-api" service.Code Block language bash systemctl restart xroad-proxy-ui-api
Check that the proxy UI API log ("
/var/log/xroad/proxy_ui_api.log") doesn't contain any TLS related errors.In case something goes wrong, restore the original files, and restart the "
xroad-proxy-ui-api" service.
Related articles
| Filter by label (Content by label) | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...