How to Replace the Security Server Internal TLS Key and Certificate?

By default, the Security Server internal TLS key and certificate (number 3 in this article) are automatically generated during the Security Server installation process. The internal TLS key and certificate can be manually recreated using the Security Server UI. However, importing an existing key and certificate is not possible through the Security Server UI. Instead, importing requires shell access to the Security Server.

Step-by-step guide

An existing key and certificate can be imported by following the steps described below.

  1. Take backup copies of the files listed below:

    cp -a /etc/xroad/ssl/internal.key /etc/xroad/ssl/internal.key.bak
    cp -a /etc/xroad/ssl/internal.crt /etc/xroad/ssl/internal.crt.bak
    cp -a /etc/xroad/ssl/internal.p12 /etc/xroad/ssl/internal.p12.bak
  2. Replace internal.key and internal.crt with the files you want to import.

  3. Create a PKCS#12 container that includes the new key and certificate.

    openssl pkcs12 -export -in /etc/xroad/ssl/internal.crt -inkey /etc/xroad/ssl/internal.key -name "internal" -out /etc/xroad/ssl/internal.p12 -passout pass:internal
  4. Restart the xroad-proxy and xroad-proxy-ui-api services.

    systemctl restart xroad-proxy
    systemctl restart xroad-proxy-ui-api
  5. Print the checksum of the certificate to the console.

  6. Check from the Security Server UI that Keys and Certificates - Security Server TLS Key view shows the same checksum.

  7. Check that the /var/log/xroad/proxy.log and /var/log/xroad/proxy_ui_api.log log files do not contain any internal TLS key/certificate related errors.

  8. In case something goes wrong, restore the original files, and restart the xroad-proxy and xroad-proxy-ui-api services.
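The steps above wrapped as POSIX shell functions, as an added example that is not part of the original article or of the X-Road project. The file paths, the PKCS#12 alias and password ("internal") and the service names are the ones the article uses; the XROAD_SSL_DIR variable, the function names and the key/certificate consistency check before building the container are additions. The fingerprint digest defaults to SHA-256 on the assumption that this is what the Security Server TLS Key view displays; pass sha1 as the second argument if your version of the UI shows a SHA-1 hash.

```shell
#!/bin/sh
# Added example, not X-Road project code. XROAD_SSL_DIR is an assumed
# variable so the functions can be tried against a scratch directory
# before they are run against /etc/xroad/ssl.
set -u

XROAD_SSL_DIR="${XROAD_SSL_DIR:-/etc/xroad/ssl}"

# Step 1: keep .bak copies of the three internal TLS files, attributes preserved.
backup_internal_tls() {
    dir="$1"
    for f in internal.key internal.crt internal.p12; do
        if [ -f "$dir/$f" ]; then cp -a "$dir/$f" "$dir/$f.bak"; fi
    done
}

# Check after step 2: the imported key must belong to the imported certificate.
# Both commands print the public key in PEM form; a mismatch means the PKCS#12
# export would succeed but the proxy could not complete a TLS handshake with it.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Step 3: build internal.p12 exactly as the article does.
build_internal_p12() {
    dir="$1"
    openssl pkcs12 -export -in "$dir/internal.crt" -inkey "$dir/internal.key" \
        -name "internal" -out "$dir/internal.p12" -passout pass:internal
}

# Step 4: restart the two services named in the article (needs root).
restart_xroad_services() {
    systemctl restart xroad-proxy
    systemctl restart xroad-proxy-ui-api
}

# Step 5: print the certificate fingerprint in colon-separated hex, without the
# "Fingerprint=" prefix, for comparison with the value shown in the UI.
# The digest is assumed to be SHA-256; pass "sha1" if the UI shows SHA-1.
cert_fingerprint() {
    digest="${2:-sha256}"
    openssl x509 -in "$1" -noout -fingerprint "-$digest" | cut -d= -f2
}

# Step 8: put the .bak copies back (restart the services afterwards).
restore_internal_tls() {
    dir="$1"
    for f in internal.key internal.crt internal.p12; do
        if [ -f "$dir/$f.bak" ]; then cp -a "$dir/$f.bak" "$dir/$f"; fi
    done
}

# Typical run as root, after copying the new internal.key and internal.crt into place:
#   backup_internal_tls "$XROAD_SSL_DIR"
#   key_matches_cert "$XROAD_SSL_DIR/internal.key" "$XROAD_SSL_DIR/internal.crt" || exit 1
#   build_internal_p12 "$XROAD_SSL_DIR"
#   restart_xroad_services
#   cert_fingerprint "$XROAD_SSL_DIR/internal.crt"
```

Running key_matches_cert before the export is the check most worth keeping: openssl pkcs12 -export does not verify that the private key and certificate belong together, so a mismatched pair only surfaces later as handshake errors in proxy.log.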
