VOSS-4-UC Setup a Web Certificate

The VOSS-4-UC platform generates a 4096-bit RSA private key file, along with a Certificate Signing Request (.csr) file, using the details stored with the web cert details edit command.

Repeat the steps below for each proxy that requires signed SSL certificates:

  1. Check the current certificate details with web cert details. Initially, the User set details is Unset. For example:

    platform@host:~$ web cert details
        Issuer data:
            C: SA
            L: DeviceAPI
            O: Platform
            ST: WP
        Key data:
            C: SA
            L: DeviceAPI
            O: Platform
            ST: WP
        User set details: Unset
  2. Run web cert details edit if needed to edit the details displayed from the server. For example:

    platform@host:~$ web cert details edit
    Country Name (2 letter code): C:IE
    State or Province Name (full name): ST:Dublin
    Locality Name (eg, city): L:Dublin
    Organization Name (eg, company): O:DublinSolutions Ltd.
    Organizational Unit Name (eg, section): OU:R&D
    Common Name (e.g. server FQDN or IP): CN:dublinsolutions.com
    Email Address: platform@dublinsolutions.com
    details stored

    Verify the edits by running web cert details after editing. If you made changes, the Issuer details will then not match the User set details.

  3. Run web cert gen_csr to generate the Certificate Signing Request (.csr) file media/cert_sign_req.csr for signing.

    For example:

    platform@host:~$ web cert gen_csr
    Please send the above or the actual file /opt/platform/admin/home/media/cert_sign_req.csr to a CA to be signed
    platform@host:~$ ls -la media/cert_sign_req.csr
    -rw-rw-rw- 1 root platform 1789 Jan 18 11:20 media/cert_sign_req.csr
  4. Use scp on a remote workstation to copy the file off the VOSS-4-UC platform media/ directory and send it to a Certificate Authority (CA). Request a PEM format file to be returned.

    The returned file received from the CA should be a PEM certificate file. PEM certificates typically have extensions like .pem, .crt, .cer and .key.

    • If you did not receive a combined certificate from the CA, concatenate the reply signed cert and the reply intermediate CA cert into a file.

      The signed certificate must be first in the concatenated file.

      The PEM must have the correct form of line termination: a single “Line Feed” character. If your PEM file was saved on MS Windows, be sure to remove the ^M (carriage return) characters from the file, for example in a Linux console with: $ tr -d '\r' < original.pem > fixed.pem

    • If the received file is a .p7b file, it should be converted to a PEM format - refer to the topic: Convert Web Certificates from P7B to PEM Format.

    • If the received file is in another format, carry out the required conversion. For example, when a received .crt file is opened and is not in the correct format in MS Windows, it may show a message on MS Windows Certificate panel: “Windows does not have enough information to verify the certificate”. Choose the Details tab of the panel, select Copy to File… to open the Export Wizard. Choose Base-64 encoded as export format.

  5. Upload the PEM file to the proxy using sftp or scp. The file will be added to the media/ directory, for example: media/cert.pem.

  6. Once the file is uploaded, run web cert add <filename of uploaded file>. This command will combine the key and PEM file, and present it to nginx to use for secure (SSL) web communication. For example:

    platform@host:~$ web cert add media/cert.pem
    Updating the certificate requires the web server to be restarted.
    Do you wish to continue? yes
    Restarting nginx
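
One way to do the concatenation and line-ending clean-up from step 4 and check the result before the upload in step 5. This is an added example, not part of the VOSS-4-UC documentation: the function names and file names are assumptions, and it expects openssl on the workstation that holds the CA reply and the copied cert_sign_req.csr.

```shell
#!/bin/sh
# Added example. File names are assumptions; run on the workstation that
# holds the CA reply and the copy of cert_sign_req.csr, before uploading.

# build_chain SIGNED INTERMEDIATE OUT
# Writes SIGNED first, then INTERMEDIATE, to OUT with LF-only line endings.
build_chain() {
    # awk removes every CR (^M) and always terminates the last line, so an
    # input saved without a final newline cannot fuse its END marker with
    # the next BEGIN marker.
    awk '{ gsub(/\r/, ""); print }' "$1" "$2" > "$3" || return 1
    # Expect exactly two certificate blocks and no CR left anywhere.
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$3")" -eq 2 ] || return 1
    ! grep -q "$(printf '\r')" "$3"
}

# leaf_matches_csr CHAIN CSR
# openssl x509 reads only the first certificate in CHAIN, so this succeeds
# only when the signed certificate is first and carries the CSR's public key.
leaf_matches_csr() {
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}

# Script usage: sh chain.sh signed.crt intermediate.crt cert_sign_req.csr
if [ "$#" -eq 3 ]; then
    if build_chain "$1" "$2" cert.pem && leaf_matches_csr cert.pem "$3"; then
        echo "cert.pem: signed certificate first, LF endings, key matches CSR"
    else
        echo "cert.pem failed the checks; do not upload it" >&2
        exit 1
    fi
fi
```

A key mismatch here means the CA reply belongs to a different CSR or the files were concatenated in the wrong order; resolve that before running web cert add.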