How to Change the Security Server UI/API TLS Certificate?

By default, the Security Server UI/API has a self-signed TLS certificate (number 4 in this article) that's automatically generated during the Security Server installation process. Changing the certificate and/or recreating the private key is not possible through the Security Server UI. Instead, both operations require shell access to the Security Server.

Step-by-step guide

The Security Server UI certificate can be changed by following the steps described below.

  1. First, take backup copies of the files listed below:

    sudo cp -a /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.key.bak
    sudo cp -a /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.crt.bak
    sudo cp -a /etc/xroad/ssl/proxy-ui-api.p12 /etc/xroad/ssl/proxy-ui-api.p12.bak
  2. Update the file permissions so that the backup copies are owned by the xroad user:

    sudo chown -f xroad:xroad /etc/xroad/ssl/*.bak
  3. Generate a new private key and certificate signing request (CSR) by running the command below. Do not add the -x509 flag: with it, openssl writes a self-signed certificate instead of a CSR, and a CA will not accept that as a request.

    sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/xroad/ssl/proxy-ui-api-new.key -out /etc/xroad/ssl/proxy-ui-api-new.crt
  4. Enter your CSR details.

  5. Locate and open the newly created CSR (/etc/xroad/ssl/proxy-ui-api-new.crt) in a text editor and copy all the text including:

  6. Paste the contents of the CSR file in a local text file on your workstation.

  7. Purchase a TLS/SSL certificate from a trusted Certificate Authority (CA) using the CSR file.

  8. Once the CA has issued the certificate, rename the certificate file to proxy-ui-api-new.crt, and copy it to /etc/xroad/ssl/ directory on the Security Server.

  9. Replace the old key and certificate files with the new ones:

  10. Create a PKCS#12 container (/etc/xroad/ssl/proxy-ui-api.p12) that includes the new key and certificate.

  11. Update the file permissions.

  12. Restart the xroad-proxy-ui-api service.

  13. Check that the proxy UI API log (/var/log/xroad/proxy_ui_api.log) doesn't contain any TLS related errors.

  14. In case something goes wrong, restore the original files, and restart the xroad-proxy-ui-api service.
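The article lists steps 9 to 12 and the rollback in step 14 without their commands. The POSIX shell script below is an added example, not code from the X-Road article or project, that carries them out. It assumes the file layout under /etc/xroad/ssl and the service name xroad-proxy-ui-api used in this article; it also assumes a PKCS#12 friendly name and password of proxy-ui-api, which is a placeholder that must match what the installed Security Server expects, so check it against the existing container before using the script. It adds one check the article does not mention: before anything is overwritten, it verifies that the CA-issued certificate really belongs to the new private key, which is the mistake most likely to leave the UI unreachable after the restart.

```shell
#!/bin/sh
# Added example for steps 9-12 and 14 of the article. Assumptions (not
# from the article): directory /etc/xroad/ssl, service xroad-proxy-ui-api,
# and the PKCS#12 name/password "proxy-ui-api" (placeholder; must match
# what the installed Security Server expects).
set -eu

# Refuse to install a certificate that was not issued for this key:
# compare the public key inside the cert with the one derived from the key.
key_matches_cert() {
    key="$1"; crt="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# install_ui_cert SSL_DIR NEW_KEY NEW_CRT [P12_PASS]
# Copies the new pair over the live files, rebuilds the PKCS#12 container
# and fixes ownership and permissions. Run as root on the Security Server,
# after the backups from steps 1-2 exist.
install_ui_cert() {
    ssl_dir="$1"; new_key="$2"; new_crt="$3"; p12_pass="${4:-proxy-ui-api}"

    key_matches_cert "$new_key" "$new_crt" || {
        echo "error: $new_crt was not issued for $new_key" >&2
        return 1
    }

    # Step 9: replace the old key and certificate with the new ones.
    cp "$new_key" "$ssl_dir/proxy-ui-api.key"
    cp "$new_crt" "$ssl_dir/proxy-ui-api.crt"

    # Step 10: rebuild the PKCS#12 container from the new pair.
    openssl pkcs12 -export \
        -in "$ssl_dir/proxy-ui-api.crt" -inkey "$ssl_dir/proxy-ui-api.key" \
        -name proxy-ui-api -passout "pass:$p12_pass" \
        -out "$ssl_dir/proxy-ui-api.p12"

    # Step 11: private material is readable by the xroad user only.
    # The account exists only on a real Security Server, so the chown is
    # skipped elsewhere (for example when this script is exercised in a temp dir).
    if id xroad >/dev/null 2>&1; then
        chown xroad:xroad "$ssl_dir/proxy-ui-api.key" \
            "$ssl_dir/proxy-ui-api.crt" "$ssl_dir/proxy-ui-api.p12"
    fi
    chmod 640 "$ssl_dir/proxy-ui-api.key" "$ssl_dir/proxy-ui-api.p12"
    chmod 644 "$ssl_dir/proxy-ui-api.crt"
}

# Steps 12 and 14: restart the service; if that fails, put the .bak copies
# from step 1 back and restart again so the UI stays reachable.
restart_or_rollback() {
    ssl_dir="$1"
    if systemctl restart xroad-proxy-ui-api; then
        return 0
    fi
    echo "restart failed, restoring the backed-up key and certificate" >&2
    for f in proxy-ui-api.key proxy-ui-api.crt proxy-ui-api.p12; do
        cp -a "$ssl_dir/$f.bak" "$ssl_dir/$f"
    done
    systemctl restart xroad-proxy-ui-api
    return 1
}

# Usage on the Security Server (as root), then step 13 by hand:
#   install_ui_cert /etc/xroad/ssl /etc/xroad/ssl/proxy-ui-api-new.key /etc/xroad/ssl/proxy-ui-api-new.crt
#   restart_or_rollback /etc/xroad/ssl
#   grep -i tls /var/log/xroad/proxy_ui_api.log
```

Because cp and openssl write into the existing files rather than replacing them, the live files keep the owner they had before; the explicit chown and chmod only make that state certain. The key/cert match check is worth keeping even when the script is not: an issued certificate pasted into the wrong directory, or a CSR regenerated after the purchase, fails this test long before the service does.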

Related articles

  - What Is a Certificate Profile?
  - How to Replace the Security Server Internal TLS Key and Certificate?
  - Where I Can Find the Management Service TLS Certificate?
  - Sending Authentication Certificate Registration Request from the Security Server to the Central Server Fails
  - How to Change the Security Server UI Port?
  - What Kind of Keys and Certificates the Security Server Has?