How to Change the Security Server UI/API TLS Certificate?

By default, the Security Server UI/API has a self-signed TLS certificate (number 4 in this article) that's automatically generated during the Security Server installation process. Changing the certificate and/or recreating the private key is not possible through the Security Server UI. Instead, both operations require shell access to the Security Server.

Step-by-step guide

The Security Server UI certificate can be changed by following the steps described below.

1. First, take backup copies of the files listed below:

   cp -a /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.key.bak
   cp -a /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.crt.bak
   cp -a /etc/xroad/ssl/proxy-ui-api.p12 /etc/xroad/ssl/proxy-ui-api.p12.bak

2. Generate a new private key and certificate signing request (CSR) by running the command:

   openssl req -x509 -newkey rsa:2048 -keyout proxy-ui-api-new.key -out proxy-ui-api-new.crt -days 365 -nodes

3. Enter your CSR details.

4. Locate and open the newly created CSR (/etc/xroad/ssl/proxy-ui-api-new.crt) in a text editor and copy all the text including:

   -----BEGIN CERTIFICATE REQUEST-----
   And
   -----END CERTIFICATE REQUEST-----

5. Paste the contents of the CSR file in a local text file on your workstation.

6. Purchase TSL/SSL certficate from a trusted Certificate Authority (CA) using the CSR file.

7. Once the CA has issued the certificate, rename the certificate file to proxy-ui-api-new.crt, and copy it to /etc/xroad/ssl/ directory on the Security Server.

8. Replace the old key and certificate files with the new ones:

   mv /etc/xroad/ssl/proxy-ui-api-new.key /etc/xroad/ssl/proxy-ui-api.key
   mv /etc/xroad/ssl/proxy-ui-api-new.crt /etc/xroad/ssl/proxy-ui-api.crt

9. Create a PKCS#12 container (/etc/xroad/ssl/proxy-ui-api.p12) that includes the new key and certificate.

   openssl pkcs12 -export -in /etc/xroad/ssl/proxy-ui-api.crt -inkey /etc/xroad/ssl/proxy-ui-api.key -name proxy-ui-api -out /etc/xroad/ssl/proxy-ui-api.p12 -passout pass:proxy-ui-api

10. Update the file permissions.

    chmod -f 660 /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12
    chown -f xroad:xroad /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12

11. Restart the xroad-proxy-ui-api service.

    systemctl restart xroad-proxy-ui-api

12. Check that the proxy UI API log (/var/log/xroad/proxy_ui_api.log) doesn't contain any TLS related errors.

13. In case something goes wrong, restore the original files, and restart the xroad-proxy-ui-api service.

Related articles

• Page:
  Security Server Cluster Ubuntu 22.04 to 24.04 Upgrade.
• Page:
  How to Upgrade Security Server to Ubuntu 24.04 Using a Configuration Backup?
• Page:
  Security Server Ubuntu 22.04 to 24.04 In-place Upgrade.
• Page:
  What Are the Technical Requirements for Trust Service Providers?
• Page:
  How to Upgrade a Central Server to Ubuntu 24.04 Using a Configuration Backup?