VOSS-4-UC Setup a Web Certificate

The VOSS-4-UC platform generates a 4096 bit RSA private key file, using the details stored when using the web cert details edit command, along with a Certificate Signing Request (.csr) file.

Repeat the steps below for each proxy that requires signed SSL certificates:

  1. Check the current certificate details with web cert details. Initially, the User set details is Unset. For example:

    platform@host:~$ web cert details
        Issuer data:
            C: SA
            CN: 11.120.11.100
            L: DeviceAPI
            O: Platform
            ST: WP
        Key data:
            C: SA
            CN: 11.120.11.100
            L: DeviceAPI
            O: Platform
            ST: WP
        User set details: Unset
    
  2. Run web cert details edit if needed to edit the details displayed from the server. For example:

    platform@host:~$ web cert details edit
    Country Name (2 letter code): C:IE
    State or Province Name (full name): ST:Dublin
    Locality Name (eg, city): L:Dublin
    Organization Name (eg, company): O:DublinSolutions Ltd.
    Organizational Unit Name (eg, section): OU:R&D
    Common Name (e.g. server FQDN or IP): CN:dublinsolutions.com
    Email Address: [email protected]
    details stored
    platform@host:~$
    

    Verify the edits by running web cert details after editing. For changes, the Issuer details will then not match the User set details.

  3. Run web cert gen_csr to generate the Certification Signing Request (.csr) file media/cert_sign_req.csr for signing.

    For example:

    platform@host:~$ web cert gen_csr
    -----BEGIN CERTIFICATE REQUEST-----
    M88E8TCCAtrCAQAwgasxCzAJBgNVBAYTAlpBMQswCQYDVQQIDAJXUDERMA8GA1UE
    [...]
    IIDr1vrepZkFQr+XDah2L5g5v8bI
    -----END CERTIFICATE REQUEST-----
    
    ====================================================
    Please send the above or the actual file /opt/platform/admin/home/media/cert_sign_req.csr to a CA to be signed
    
    
    platform@host:~$ ls -la media/cert_sign_req.csr
    -rw-rw-rw- 1 root platform 1789 Jan 18 11:20 media/cert_sign_req.csr
    
  4. Use scp on a remote workstation to copy the file off the VOSS-4-UC platform media/ directory and send it to a Certificate Authority (CA). Request a PEM format file to be returned.

    The returned file received from the CA should be a PEM certificate file. PEM certificates typically have extensions like .pem, .crt, .cer and .key.

    • If you did not receive a combined certificate from the CA, concatenate the reply signed cert and the reply intermediate CA cert into a file.

      The signed certificate must be first in the concatenated file.

      The PEM must have the correct form of line termination: a single “Line Feed” character. If your PEM file was saved on MS Windows, be sure to remove the ^M characters from the file, for example in a Linux console with: $ tr -d ‘r’ < original.pem > fixed.pem

    • If the received file is a .p7b file, it should be converted to a PEM format - refer to the topic: Convert Web Certificates from P7B to PEM Format.

    • If the received file is in another format, carry out the required conversion. For example, when a received .crt file is opened and is not in the correct format in MS Windows, it may show a message on MS Windows Certificate panel: “Windows does not have enough information to verify the certificate”. Choose the Details tab of the panel, select Copy to File… to open the Export Wizard. Choose Base-64 encoded as export format.

  5. Upload the PEM file to the proxy using sftp or scp. The file will be added to the media/ directory, for example: media/cert.pem.

  6. Once the file is uploaded, run web cert add <filename of uploaded file>. This command will combine the key and PEM file, and present it to nginx to use for secure (SSL) web communication. For example:

    platform@host:~$ web cert add media/cert.pem
    Updating the certificate requires the web server to be restarted.
    Do you wish to continue? yes
    Restarting nginx
    platform@host:~$