How to Change the Security Server UI/API TLS Certificate?
By default, the Security Server UI/API has a self-signed TLS certificate (number 4 in this article) that's automatically generated during the Security Server installation process. Changing the certificate and/or recreating the private key is not possible through the Security Server UI. Instead, both operations require shell access to the Security Server.
Step-by-step guide
The Security Server UI certificate can be changed by following the steps described below.
First, take backup copies of the files listed below:
sudo cp -a /etc/xroad/ssl/proxy-ui-api.key /etc/xroad/ssl/proxy-ui-api.key.bak sudo cp -a /etc/xroad/ssl/proxy-ui-api.crt /etc/xroad/ssl/proxy-ui-api.crt.bak sudo cp -a /etc/xroad/ssl/proxy-ui-api.p12 /etc/xroad/ssl/proxy-ui-api.p12.bakUpdate the file permissions so that the backup copies are owned by
xroaduser:sudo chown -f xroad:xroad /etc/xroad/ssl/*.bakGenerate a new private key and certificate signing request (CSR) by running the command:
openssl req -x509 -newkey rsa:2048 -keyout proxy-ui-api-new.key -out proxy-ui-api-new.crt -days 365 -nodesEnter your CSR details.
Locate and open the newly created CSR (
/etc/xroad/ssl/proxy-ui-api-new.crt) in a text editor and copy all the text including:Paste the contents of the CSR file in a local text file on your workstation.
Purchase TSL/SSL certficate from a trusted Certificate Authority (CA) using the CSR file.
Once the CA has issued the certificate, rename the certificate file to
proxy-ui-api-new.crt, and copy it to/etc/xroad/ssl/directory on the Security Server.Replace the old key and certificate files with the new ones:
Create a PKCS#12 container (
/etc/xroad/ssl/proxy-ui-api.p12) that includes the new key and certificate.Update the file permissions.
Restart the
xroad-proxy-ui-apiservice.Check that the proxy UI API log (
/var/log/xroad/proxy_ui_api.log) doesn't contain any TLS related errors.In case something goes wrong, restore the original files, and restart the
xroad-proxy-ui-apiservice.