By default, the Security Server UI/API has a self-signed TLS certificate (number 4 in this article) that's automatically generated during the Security Server installation process. Changing the certificate and/or recreating the private key is not possible through the Security Server UI. Instead, both operations require shell access to the Security Server.
The Security Server UI certificate can be changed by following the steps described below.
First, take backup copies of the files listed below:
sudo cp -a /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.key.bak
sudo cp -a /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.crt.bak
sudo cp -a /etc/xroad/ssl/proxy-ui-api.p12 /etc/xroad/ssl/proxy-ui-api.p12.bak
Update the file permissions so that the backup copies are owned by the xroad user:
sudo chown -f xroad:xroad /etc/xroad/ssl/*.bak
Generate a new private key and certificate signing request (CSR) by running the command below. The key and the CSR are written directly into /etc/xroad/ssl/ so that the private key never leaves that directory:
sudo openssl req -new -newkey rsa:2048 -nodes -keyout /etc/xroad/ssl/proxy-ui-api-new.key -out /etc/xroad/ssl/proxy-ui-api-new.csr
Enter your CSR details. Use the DNS name that administrators type into the browser to reach the UI as the Common Name, and ask the CA to include the same name as a Subject Alternative Name, because browsers match the certificate against the SAN rather than the CN.
Locate and open the newly created CSR (/etc/xroad/ssl/proxy-ui-api-new.csr) in a text editor and copy all the text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
Paste the contents of the CSR file in a local text file on your workstation.
Purchase a TLS/SSL certificate from a trusted Certificate Authority (CA) using the CSR file.
Once the CA has issued the certificate (in PEM format, the same text form as the CSR), rename the certificate file to proxy-ui-api-new.crt and copy it to the /etc/xroad/ssl/ directory on the Security Server.
Replace the old key and certificate files with the new ones:
sudo mv /etc/xroad/ssl/proxy-ui-api-new.key /etc/xroad/ssl/proxy-ui-api.key
sudo mv /etc/xroad/ssl/proxy-ui-api-new.crt /etc/xroad/ssl/proxy-ui-api.crt
Create a PKCS#12 container (/etc/xroad/ssl/proxy-ui-api.p12) that includes the new key and certificate. The alias and password must stay exactly as shown, since that is what the xroad-proxy-ui-api service uses to open the container:
sudo openssl pkcs12 -export -in /etc/xroad/ssl/proxy-ui-api.crt -inkey /etc/xroad/ssl/proxy-ui-api.key -name proxy-ui-api -out /etc/xroad/ssl/proxy-ui-api.p12 -passout pass:proxy-ui-api
Update the file permissions:
sudo chmod -f 660 /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12
sudo chown -f xroad:xroad /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.p12
Restart the xroad-proxy-ui-api service:
sudo systemctl restart xroad-proxy-ui-api
Check that the proxy UI API log (/var/log/xroad/proxy_ui_api.log) does not contain any TLS-related errors, and confirm in a browser that the UI now presents the new certificate.
If something goes wrong, restore the original files from the backup copies and restart the xroad-proxy-ui-api service.
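The whole procedure above, collected into one script with the checks a practitioner wants before and after the swap. This is an added example, not part of the X-Road documentation or code base. It assumes it is run as root (sudo) on the Security Server, that SSL_DIR may be pointed at a scratch directory for a dry run, that the PKCS#12 alias and password are the fixed values used above, and that the UI listens on its default port 4000. The install step refuses to touch anything if the CA-issued certificate does not belong to the freshly generated key or is outside its validity period, and the backup copies are timestamped so repeated rotations do not overwrite each other.

```shell
#!/bin/sh
# Added example, not from the X-Road project: rotate the Security Server
# UI/API TLS key pair with checks before and after the swap.
# Assumptions: run as root on the Security Server; SSL_DIR can be overridden
# for a dry run; alias/password are the fixed values the service expects;
# 4000 is the default UI port.
set -eu

SSL_DIR="${SSL_DIR:-/etc/xroad/ssl}"
P12_PASS="proxy-ui-api"
P12_ALIAS="proxy-ui-api"

# Step 1: new private key plus CSR. The UI's DNS name goes into the CN and
# into a SAN; browsers validate the SAN and ignore the CN.
make_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$SSL_DIR/proxy-ui-api-new.key" \
    -out "$SSL_DIR/proxy-ui-api-new.csr" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
}

# True when the certificate's public key equals the one derived from the key:
# guards against installing a certificate issued for some other CSR.
cert_matches_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# True when the certificate is currently inside its validity period.
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Step 2: install the CA-issued certificate: check, back up, swap, rebuild
# the PKCS#12, fix permissions. Nothing is modified if a check fails.
install_cert() {
  crt="$1"
  if ! cert_matches_key "$crt" "$SSL_DIR/proxy-ui-api-new.key"; then
    echo "refusing: certificate does not match proxy-ui-api-new.key" >&2
    return 1
  fi
  if ! cert_valid_now "$crt"; then
    echo "refusing: certificate is outside its validity period" >&2
    return 1
  fi
  ts=$(date +%Y%m%d%H%M%S)
  for ext in key crt p12; do
    if [ -f "$SSL_DIR/proxy-ui-api.$ext" ]; then
      cp -a "$SSL_DIR/proxy-ui-api.$ext" "$SSL_DIR/proxy-ui-api.$ext.bak.$ts"
    fi
  done
  mv "$SSL_DIR/proxy-ui-api-new.key" "$SSL_DIR/proxy-ui-api.key"
  cp "$crt" "$SSL_DIR/proxy-ui-api.crt"
  openssl pkcs12 -export \
    -in "$SSL_DIR/proxy-ui-api.crt" -inkey "$SSL_DIR/proxy-ui-api.key" \
    -name "$P12_ALIAS" -out "$SSL_DIR/proxy-ui-api.p12" -passout "pass:$P12_PASS"
  chmod 660 "$SSL_DIR/proxy-ui-api.key" "$SSL_DIR/proxy-ui-api.crt" "$SSL_DIR/proxy-ui-api.p12"
  # The xroad account only exists on a real Security Server.
  if id xroad >/dev/null 2>&1; then
    chown xroad:xroad "$SSL_DIR/proxy-ui-api.key" "$SSL_DIR/proxy-ui-api.crt" "$SSL_DIR/proxy-ui-api.p12"
  fi
}

# Step 3 (before the restart): the container opens with the expected password
# and holds the same certificate as proxy-ui-api.crt.
p12_matches_crt() {
  a=$(openssl pkcs12 -in "$SSL_DIR/proxy-ui-api.p12" -passin "pass:$P12_PASS" \
        -nokeys -clcerts | openssl x509 -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$SSL_DIR/proxy-ui-api.crt" -noout -fingerprint -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 4 (after the restart): fingerprint of the certificate the running UI
# actually serves, to compare with proxy-ui-api.crt. Needs the live service.
served_cert_fingerprint() {
  host="${1:-localhost}"
  openssl s_client -connect "$host:4000" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Usage on the server:
#   make_csr ss1.example.org        # hand proxy-ui-api-new.csr to the CA
#   install_cert /root/issued.crt   # once the CA returns the certificate
#   p12_matches_crt && systemctl restart xroad-proxy-ui-api
#   served_cert_fingerprint ss1.example.org
```

The public-key comparison in cert_matches_key is the check most often skipped by hand: a CA that re-issues from an older CSR, or an operator who picks up the wrong file, produces a certificate that openssl pkcs12 will happily package with a key it does not belong to, and the failure only shows up as a TLS error after the restart.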