How to Replace the Security Server Internal TLS Key and Certificate?

By default, the Security Server internal TLS key and certificate (number 3 in this article) are automatically generated during the Security Server installation process. The internal TLS key and certificate can be manually recreated using the Security Server UI. However, importing an existing key and certificate is not possible through the Security Server UI. Instead, importing requires shell access to the Security Server.

Step-by-step guide

An existing key and certificate can be imported by following the steps described below.

  1. Take backup copies of the files listed below:

    cp -a /etc/xroad/ssl/internal.key /etc/xroad/ssl/internal.key.bak
    cp -a /etc/xroad/ssl/internal.crt /etc/xroad/ssl/internal.crt.bak
    cp -a /etc/xroad/ssl/internal.p12 /etc/xroad/ssl/internal.p12.bak
  2. Replace "internal.key" and "internal.crt" with the files you want to import.
  3. Create a PKCS#12 container that includes the new key and certificate.

    openssl pkcs12 -export -in /etc/xroad/ssl/internal.crt -inkey /etc/xroad/ssl/internal.key -name "internal" -out /etc/xroad/ssl/internal.p12 -passout pass:internal
  4. Restart the "xroad-proxy" and "xroad-proxy-ui-api" services.

    systemctl restart xroad-proxy
    systemctl restart xroad-proxy-ui-api
  5. Print the checksum of the certificate to the console.

    openssl x509 -in /etc/xroad/ssl/internal.crt -sha1 -noout -fingerprint
    SHA1 Fingerprint=0C:F2:B1:EF:DA:A4:2D:A8:E6:D9:56:AA:F1:2D:C9:B1:A2:5F:91:0E
  6. Check from the Security Server UI that Keys and Certificates - Security Server TLS Key view shows the same checksum.
  7. Check that the "/var/log/xroad/proxy.log" and "/var/log/xroad/proxy_ui_api.log" log files do not contain any internal TLS key/certificate related errors.
  8. In case something goes wrong, restore the original files, and restart the "xroad-proxy" and "xroad-proxy-ui-api" services.