Versions Compared

Version Old Version 4 New Version Current
Changes made by

Petteri Kivimäki

Petteri Kivimäki

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

By default, the Security Server internal TLS key and certificate (number 3 in this article) are automatically generated during the Security Server installation process. The internal TLS key and certificate can be manually recreated using the Security Server UI. However, importing an existing key and certificate is not possible through the Security Server UI. Instead, importing requires shell access to the Security Server.

...

An existing key and certificate can be imported by following the steps described below.

  1. Take backup copies of the files listed below:

    Code Block
    languagebash
    cp -a /etc/xroad/ssl/internal.key /etc/xroad/ssl/internal.key.bak
cp -a /etc/xroad/ssl/internal.crt /etc/xroad/ssl/internal.crt.bak
cp -a /etc/xroad/ssl/internal.p12 /etc/xroad/ssl/internal.p12.bak

  2. Replace

...

  1. internal.key

...

  1. and

...

  1. internal.crt

...

  1. with the files you want to import.

  2. Create a PKCS#12 container that includes the new key and certificate.

    Code Block
    languagebash
    openssl pkcs12 -export -in /etc/xroad/ssl/internal.crt -inkey /etc/xroad/ssl/internal.key -name "internal" -out /etc/xroad/ssl/internal.p12 -passout pass:internal

...

  2. Restart the 
...
  1. xroad-proxy
...
  1.  and 
...
  1. xroad-proxy-ui-api
...
  1.  services.
     Code Block
    languagebash
    systemctl restart xroad-proxy
systemctl restart xroad-proxy-ui-api
  2. Print the checksum of the certificate to the console.
     Code Block
    languagebash
    openssl x509 -in /etc/xroad/ssl/internal.crt -sha1 -noout -fingerprint
SHA1 Fingerprint=0C:F2:B1:EF:DA:A4:2D:A8:E6:D9:56:AA:F1:2D:C9:B1:A2:5F:91:0E
  3. Check from the Security Server UI that Keys and Certificates - Security Server TLS Key view shows the same checksum.
  4. Check that the 
...
  1. /var/log/xroad/proxy.log
...
  1.  and 
...
  1. /var/log/xroad/proxy_ui_api.log
...
  1.  log files do not contain any internal TLS key/certificate related errors.
  2. In case something goes wrong, restore the original files, and restart the 
...
  1. xroad-proxy
...
  1.  and 
...
  1. xroad-proxy-ui-api
...
  1.  services.
 Filter by label
showLabelsfalse
max5
spacesXRDKB
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel = "security-server" and type = "page" and space = "XRDKB"
labelssecurity-server
 Page Properties
hiddentrue
Related issues