.. _set_up_a_web_certificate:

VOSS Automate Setup a Web Certificate
---------------------------------------

.. index:: web;web cert

The VOSS Automate platform generates a 4096-bit RSA private key file,
together with a Certificate Signing Request (.csr) file, using the details
stored by the **web cert details edit** command.

Repeat the steps below for each proxy that requires signed SSL certificates:

1. Check the current certificate details with **web cert details**.
   Initially, the ``User set details`` is ``Unset``. For example:

   ::

      platform@host:~$ web cert details
      Issuer data:
          C: SA
          CN: 11.120.11.100
          L: DeviceAPI
          O: Platform
          ST: WP
      Key data:
          C: SA
          CN: 11.120.11.100
          L: DeviceAPI
          O: Platform
          ST: WP
      User set details:
          Unset

#. Run **web cert details edit** if needed to edit the details displayed
   from the server. For example:

   ::

      platform@host:~$ web cert details edit
      Country Name (2 letter code): C:IE
      State or Province Name (full name): ST:Dublin
      Locality Name (eg, city): L:Dublin
      Organization Name (eg, company): O:DublinSolutions Ltd.
      Organizational Unit Name (eg, section): OU:R&D
      Common Name (e.g. server FQDN or IP): CN:dublinsolutions.com
      Email Address: platform@dublinsolutions.com
      details stored
      platform@host:~$

   Verify the edits by running **web cert details** after editing.
   If you made changes, the Issuer details will no longer match the
   User set details.

#. Run **web cert gen_csr** to generate the Certificate Signing Request
   (.csr) file ``media/cert_sign_req.csr`` for signing. For example:

   ::

      platform@host:~$ web cert gen_csr
      -----BEGIN CERTIFICATE REQUEST-----
      M88E8TCCAtrCAQAwgasxCzAJBgNVBAYTAlpBMQswCQYDVQQIDAJXUDERMA8GA1UE
      [...]
      IIDr1vrepZkFQr+XDah2L5g5v8bI
      -----END CERTIFICATE REQUEST-----
      ====================================================
      Please send the above or the actual file
      /opt/platform/admin/home/media/cert_sign_req.csr to a CA to be signed
      platform@host:~$ ls -la media/cert_sign_req.csr
      -rw-rw-rw- 1 root platform 1789 Jan 18 11:20 media/cert_sign_req.csr

#. Use **scp** on a remote workstation to copy the file off the
   VOSS Automate platform ``media/`` directory and send it to a
   Certificate Authority (CA). Request a PEM format file to be returned.

   The file received from the CA should be a PEM certificate file.
   PEM certificates typically have extensions like ``.pem``, ``.crt``,
   ``.cer`` and ``.key``.

   * If you did not receive a combined certificate from the CA,
     concatenate the reply signed cert and the reply intermediate CA cert
     into a file. The signed certificate must be first in the
     concatenated file.

     The PEM must have the correct form of line termination: a single
     "Line Feed" character. If your PEM file was saved on MS Windows,
     be sure to remove the ^M characters from the file, for example
     in a Linux console with:

     ::

        $ tr -d '\r' < original.pem > fixed.pem

   * If the received file is a ``.p7b`` file, it should be converted to
     PEM format. Refer to the topic:
     :ref:`convert_web_certificates_from_P7B_to_PEM_Format`.

   * If the received file is in another format, carry out the required
     conversion. For example, when a received ``.crt`` file is opened
     on MS Windows and is not in the correct format, the MS Windows
     Certificate panel may show the message: "Windows does not have
     enough information to verify the certificate". Choose the Details
     tab of the panel and select Copy to File... to open the Export
     Wizard. Choose Base-64 encoded as the export format.

#. Upload the PEM file to the proxy using **sftp** or **scp**.
   The file will be added to the ``media/`` directory, for example:
   ``media/cert.pem``.

#. Once the file is uploaded, run **web cert add** with the path of the
   uploaded file. This command will combine the key and PEM file, and
   present it to nginx to use for secure (SSL) web communication.
   For example:

   ::

      platform@host:~$ web cert add media/cert.pem
      Updating the certificate requires the web server to be restarted.
      Do you wish to continue? yes
      Restarting nginx
      platform@host:~$

.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
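
The requirements in the CA reply step (signed certificate first, LF-only line endings) can be checked on the workstation before the upload. The script below is an added example, not part of the VOSS Automate documentation or tooling: the function names and file arguments are hypothetical, and ``pem_leaf_matches_csr`` assumes the ``openssl`` CLI is installed.

```shell
#!/bin/sh
# Added example: workstation-side checks on the CA reply before upload.
# Function names and file arguments are hypothetical, not VOSS Automate commands.

# Succeeds if the file still contains carriage returns (saved with CRLF endings).
pem_has_cr() {
    grep -q "$(printf '\r')" "$1"
}

# Concatenate signed cert first, then intermediate CA cert, as LF-only text.
# A missing final newline in the first file would otherwise fuse the END and
# BEGIN markers onto one line, so a newline is forced and blank lines dropped.
pem_build_bundle() {    # usage: pem_build_bundle signed.pem intermediate.pem out.pem
    for f in "$1" "$2"; do
        tr -d '\r' < "$f"
        echo
    done | awk 'NF' > "$3"
}

# Print the number of complete CERTIFICATE blocks; fail on unbalanced markers.
pem_cert_count() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
        END { if (bad || inblk) exit 1; print n + 0 }
    ' "$1"
}

# Succeeds if the FIRST certificate in the bundle carries the public key of the
# CSR, i.e. the signed cert is first and matches the request it was made from.
# Assumes the openssl CLI is available on the workstation.
pem_leaf_matches_csr() {    # usage: pem_leaf_matches_csr bundle.pem cert_sign_req.csr
    cert_key=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    csr_key=$(openssl req -in "$2" -noout -pubkey) || return 1
    [ -n "$cert_key" ] && [ "$cert_key" = "$csr_key" ]
}
```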