How to Replace the Security Server Internal TLS Key and Certificate?

By default, the Security Server internal TLS key and certificate (number 3 in this article) are generated automatically during the Security Server installation. The internal TLS key and certificate can also be regenerated manually from the Security Server UI, but an existing key and certificate cannot be imported through the UI; importing them requires shell access to the Security Server.

Step-by-step guide

An existing key and certificate can be imported by following the steps described below.

  1. Take backup copies of the files listed below:

    cp -a /etc/xroad/ssl/internal.key /etc/xroad/ssl/internal.key.bak
    cp -a /etc/xroad/ssl/internal.crt /etc/xroad/ssl/internal.crt.bak
    cp -a /etc/xroad/ssl/internal.p12 /etc/xroad/ssl/internal.p12.bak
  2. Replace "/etc/xroad/ssl/internal.key" and "/etc/xroad/ssl/internal.crt" with the key and certificate files you want to import.
  3. Create a PKCS#12 container that includes the new key and certificate.

    openssl pkcs12 -export -in /etc/xroad/ssl/internal.crt -inkey /etc/xroad/ssl/internal.key -name "internal" -out /etc/xroad/ssl/internal.p12 -passout pass:internal
  4. Restart the "xroad-proxy" and "xroad-proxy-ui-api" services.

    systemctl restart xroad-proxy
    systemctl restart xroad-proxy-ui-api
  5. Print the checksum (SHA-1 fingerprint) of the certificate to the console.

    openssl x509 -in /etc/xroad/ssl/internal.crt -sha1 -noout -fingerprint
    SHA1 Fingerprint=0C:F2:B1:EF:DA:A4:2D:A8:E6:D9:56:AA:F1:2D:C9:B1:A2:5F:91:0E
  6. Check in the Security Server UI that the "Keys and Certificates" - "Security Server TLS Key" view shows the same fingerprint.
  7. Check that the "/var/log/xroad/proxy.log" and "/var/log/xroad/proxy_ui_api.log" log files do not contain any errors related to the internal TLS key or certificate.
  8. In case something goes wrong, restore the original files from the backup copies taken in step 1 and restart the "xroad-proxy" and "xroad-proxy-ui-api" services.
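The steps above as a rehearsable shell helper. This is an added example, not part of the original article or the X-Road project: it adds the check a practitioner wants before step 2 (that the new private key and certificate actually belong together), rebuilds internal.p12 exactly as step 3 does, verifies the container, and implements the rollback of step 8. It assumes openssl is on PATH and takes the target directory as an argument so it can be tried on a scratch copy of /etc/xroad/ssl; restarting the services is left to the operator.

```shell
#!/bin/sh
# Added helper (not from the original article): verifies that a private key and
# certificate belong together before they replace the internal TLS pair, rebuilds
# internal.p12 the same way the article does, and restores the .bak copies.
# Assumptions: openssl is on PATH; the target directory is passed as an argument so
# the procedure can be rehearsed on a scratch copy of /etc/xroad/ssl; the operator
# still restarts xroad-proxy and xroad-proxy-ui-api afterwards.

# Succeeds only if the public key in the certificate equals the public key derived
# from the private key; a mismatched pair is the usual cause of a broken import.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# SHA-1 fingerprint in the colon-separated form the Security Server UI shows.
cert_fingerprint() {
    openssl x509 -in "$1" -sha1 -noout -fingerprint | sed 's/^.*=//'
}

# Steps 1-3 of the article: back up, install the new pair, rebuild the PKCS#12
# container, then confirm the container holds the certificate just installed.
import_internal_tls() {
    new_key="$1"; new_crt="$2"; dir="$3"
    key_matches_cert "$new_key" "$new_crt" || { echo "key/certificate mismatch" >&2; return 1; }
    for f in internal.key internal.crt internal.p12; do
        if [ -f "$dir/$f" ]; then cp -a "$dir/$f" "$dir/$f.bak" || return 1; fi
    done
    cp "$new_key" "$dir/internal.key" || return 1
    cp "$new_crt" "$dir/internal.crt" || return 1
    openssl pkcs12 -export -in "$dir/internal.crt" -inkey "$dir/internal.key" \
        -name "internal" -out "$dir/internal.p12" -passout pass:internal || return 1
    p12_fp=$(openssl pkcs12 -in "$dir/internal.p12" -nokeys -clcerts -passin pass:internal 2>/dev/null \
        | openssl x509 -sha1 -noout -fingerprint 2>/dev/null | sed 's/^.*=//')
    [ -n "$p12_fp" ] && [ "$p12_fp" = "$(cert_fingerprint "$dir/internal.crt")" ]
}

# Step 8 of the article: put the backed-up files back.
rollback_internal_tls() {
    dir="$1"
    for f in internal.key internal.crt internal.p12; do
        if [ -f "$dir/$f.bak" ]; then cp -a "$dir/$f.bak" "$dir/$f" || return 1; fi
    done
    return 0
}
```

Run it as `import_internal_tls new.key new.crt /etc/xroad/ssl` followed by the two `systemctl restart` commands from step 4; the printed fingerprint of internal.crt is what the UI view in step 6 must match.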