VOSS-4-UC Setup a Web Certificate
The VOSS-4-UC platform generates a 4096-bit RSA private key file, using the details stored by the web cert details edit command, along with a Certificate Signing Request (.csr) file.
Repeat the steps below for each proxy that requires signed SSL certificates:
Check the current certificate details with web cert details. Initially, the User set details is Unset. For example:

    platform@host:~$ web cert details
    Issuer data:
        C: SA
        CN: 11.120.11.100
        L: DeviceAPI
        O: Platform
        ST: WP
    Key data:
        C: SA
        CN: 11.120.11.100
        L: DeviceAPI
        O: Platform
        ST: WP
    User set details:
        Unset

Run web cert details edit if needed to edit the details displayed from the server. For example:

    platform@host:~$ web cert details edit
    Country Name (2 letter code): C:IE
    State or Province Name (full name): ST:Dublin
    Locality Name (eg, city): L:Dublin
    Organization Name (eg, company): O:DublinSolutions Ltd.
    Organizational Unit Name (eg, section): OU:R&D
    Common Name (e.g. server FQDN or IP): CN:dublinsolutions.com
    Email Address: [email protected]
    details stored
    platform@host:~$

Verify the edits by running web cert details after editing. If you made changes, the Issuer details will no longer match the User set details.
Run web cert gen_csr to generate the Certificate Signing Request (.csr) file media/cert_sign_req.csr for signing. For example:

    platform@host:~$ web cert gen_csr
    -----BEGIN CERTIFICATE REQUEST-----
    M88E8TCCAtrCAQAwgasxCzAJBgNVBAYTAlpBMQswCQYDVQQIDAJXUDERMA8GA1UE
    [...]
    IIDr1vrepZkFQr+XDah2L5g5v8bI
    -----END CERTIFICATE REQUEST-----
    ====================================================
    Please send the above or the actual file /opt/platform/admin/home/media/cert_sign_req.csr to a CA to be signed
    platform@host:~$ ls -la media/cert_sign_req.csr
    -rw-rw-rw- 1 root platform 1789 Jan 18 11:20 media/cert_sign_req.csr

Use scp on a remote workstation to copy the file off the VOSS-4-UC platform media/ directory and send it to a Certificate Authority (CA). Request a PEM format file to be returned.
The returned file received from the CA should be a PEM certificate file. PEM certificates typically have extensions like .pem, .crt, .cer and .key.
If you did not receive a combined certificate from the CA, concatenate the reply signed cert and the reply intermediate CA cert into a file.
The signed certificate must be first in the concatenated file.
The PEM must have the correct form of line termination: a single "Line Feed" character. If your PEM file was saved on MS Windows, be sure to remove the ^M (carriage return) characters from the file, for example in a Linux console with:

    $ tr -d '\r' < original.pem > fixed.pem

If the received file is a .p7b file, it should be converted to PEM format. Refer to the topic: Convert Web Certificates from P7B to PEM Format.
If the received file is in another format, carry out the required conversion. For example, when a received .crt file is opened and is not in the correct format in MS Windows, it may show a message on the MS Windows Certificate panel: "Windows does not have enough information to verify the certificate". Choose the Details tab of the panel, select Copy to File… to open the Export Wizard. Choose Base-64 encoded as export format.
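
The concatenation order and line-termination rules above, as an added shell example for the workstation (not part of the VOSS-4-UC documentation or tooling): build_chain strips carriage returns, writes the signed certificate first, and rejects a signed file that holds more than one certificate or any file that holds a private key block. The function names and file names are hypothetical.

```sh
#!/bin/sh
# Added example, not VOSS-4-UC code. Function and file names are hypothetical.

# Print FILE with carriage returns removed and a final newline guaranteed.
normalise() {
    tr -d '\r' < "$1" | awk '{ print }'
}

# Print the number of complete PEM certificate blocks read from stdin.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         /^-----END CERTIFICATE-----$/ && inside { n++; inside = 0 }
         END { print n + 0 }'
}

# Succeed if FILE still contains a carriage return (the ^M characters).
has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# build_chain SIGNED INTERMEDIATE OUT
# Writes OUT with the signed certificate first, then the intermediate(s).
build_chain() {
    signed=$1 inter=$2 out=$3
    for f in "$signed" "$inter"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        # A CA reply to a CSR carries certificates only; a key block means
        # the wrong file was picked up.
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "private key block found in $f" >&2; return 1
        fi
    done
    # SIGNED must hold exactly one certificate; a combined file is rejected.
    [ "$(normalise "$signed" | count_certs)" -eq 1 ] ||
        { echo "$signed: expected exactly one certificate" >&2; return 1; }
    [ "$(normalise "$inter" | count_certs)" -ge 1 ] ||
        { echo "$inter: no certificate found" >&2; return 1; }
    { normalise "$signed"; normalise "$inter"; } > "$out"
}
```

Call it as build_chain signed.pem intermediate.pem cert.pem before uploading cert.pem. It checks structure only and does not validate the certificates cryptographically.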
Upload the PEM file to the proxy using sftp or scp. The file will be added to the media/ directory, for example: media/cert.pem.
Once the file is uploaded, run web cert add <filename of uploaded file>. This command will combine the key and PEM file, and present it to nginx to use for secure (SSL) web communication. For example:

    platform@host:~$ web cert add media/cert.pem
    Updating the certificate requires the web server to be restarted.
    Do you wish to continue? yes
    Restarting nginx
    platform@host:~$